
Windows Analysis Report
4munRyMrBm.exe

Overview

General Information

Sample name: 4munRyMrBm.exe (renamed because the original name is a hash value)
Original sample name: 19b7b25564d95b2f1f3ed8904a5a1369445e9064c6e7e3ff4a058d5546cd38ea.exe
Analysis ID: 1466968
MD5: 72f322c11bdcf5920ee23f6fffa7d0a7
SHA1: 7c93d6d0af8b5e333dbf2cb2e3df2943c7163103
SHA256: 19b7b25564d95b2f1f3ed8904a5a1369445e9064c6e7e3ff4a058d5546cd38ea
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 4munRyMrBm.exe (PID: 5660 cmdline: "C:\Users\user\Desktop\4munRyMrBm.exe" MD5: 72F322C11BDCF5920EE23F6FFFA7D0A7)
    • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1340 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6620 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • CasPol.exe (PID: 5324 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.ionos.com", "Username": "gm@emisafe.ae", "Password": "T2@Gwt567"}
Yara matches in memory dumps (Source | Rule | Description | Author):
  • 00000005.00000002.3326932398.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000005.00000002.3326932398.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000005.00000002.3327954890.00000000030EE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000005.00000002.3327954890.00000000030A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000005.00000002.3327954890.00000000030A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  (6 entries in total; the remainder are not shown here)

Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
  • 0.2.4munRyMrBm.exe.1cfbda4abe0.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.4munRyMrBm.exe.1cfbda4abe0.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0.2.4munRyMrBm.exe.1cfbda4abe0.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
      • 0x3167f: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
      • 0x316f1: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
      • 0x3177b: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
      • 0x3180d: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
      • 0x31877: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
      • 0x318e9: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
      • 0x3197f: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
      • 0x31a0f: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 5.2.CasPol.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 5.2.CasPol.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  (13 entries in total; the remainder are not shown here)
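The ditekSHen rule above fires on eight Windows Credential Manager vault schema GUIDs, which infostealers reference to enumerate the vault without carrying the API names as strings. The Python below is an added example, not the rule itself or Joe Sandbox code: it scans a buffer for those GUIDs in both ASCII and UTF-16LE (a .NET string literal lives in the #US heap as UTF-16LE, so a rule without the `wide` modifier can miss it in an unpacked managed image), reports each hit with its offset the way the report does, and labels each GUID with a schema name. The sample buffer is constructed, and the GUID-to-name mapping is from memory of `vaultcmd /listschema` output and should be verified on a host.

```python
import re

# The eight vault schema GUIDs listed as $s1..$s8 in the report's rule match.
# Schema names are an assumption (from memory of `vaultcmd /listschema`),
# not something the report states.
VAULT_SCHEMAS = {
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5": "Windows Secure Note",
    "3CCD5499-87A8-4B10-A215-608888DD3B55": "Windows Web Password Credential",
    "154E23D0-C644-4E6F-8CE6-5069272F999F": "Windows Credential Picker Protector",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28": "Web Credentials",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29": "Windows Credentials",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC": "Windows Domain Certificate Credential",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B": "Windows Domain Password Credential",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548": "Windows Extended Credential",
}


def find_vault_guids(blob: bytes) -> list:
    """Return sorted (offset, encoding, guid, schema_name) tuples for every vault
    schema GUID present in blob, case-insensitively, as ASCII or UTF-16LE text."""
    hits = []
    for guid, name in VAULT_SCHEMAS.items():
        for encoding in ("ascii", "utf-16-le"):
            # re.escape keeps the NUL bytes of the UTF-16LE form as literals;
            # IGNORECASE on a bytes pattern folds the hex letters A-F.
            pattern = re.compile(re.escape(guid.encode(encoding)), re.IGNORECASE)
            for m in pattern.finditer(blob):
                hits.append((m.start(), encoding, guid, name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked image: filler bytes, one GUID as
    lower-case ASCII, one as UTF-16LE (how a .NET string literal is stored)."""
    filler = b"\x00" * 16 + b"MZ" + b"\x90" * 30  # 48 bytes of padding
    ascii_part = b"vault:" + b"3E0E35BE-1B77-43E7-B873-AED901B6275B".lower()
    wide_part = "4BF4C442-9B8A-41A0-B380-DD4A704DDB28".encode("utf-16-le")
    return filler + ascii_part + b"\x00" * 8 + wide_part + b"\xcc" * 4


def report(blob: bytes) -> list:
    """Format hits the way the sandbox report prints them: 0x<offset>: <guid>."""
    return [f"0x{off:x}: {guid} ({enc}, {name})"
            for off, enc, guid, name in find_vault_guids(blob)]


if __name__ == "__main__":
    for line in report(build_sample()):
        print(line)
```

A hit on one of these GUIDs in an unpacked .NET image is a strong hint of vault enumeration, but on its own it is not proof of theft: legitimate credential-management tooling references the same schemas, so pair it with the process behaviour (here the Firefox profile read and the SMTP connection from CasPol.exe).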

System Summary

Sigma rule matches (Source | Author | Data):
  • Process started | Florian Roth (Nextron Systems) | Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4munRyMrBm.exe", ParentImage: C:\Users\user\Desktop\4munRyMrBm.exe, ParentProcessId: 5660, ParentProcessName: 4munRyMrBm.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 1340, ProcessName: powershell.exe
  • Process started | Florian Roth (Nextron Systems) | a second rule by the same author matched the same process-creation event (ProcessId 1340; all fields identical to the entry above)
  • Network Connection | frack113 | DestinationIp: 74.208.5.2, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Initiated: true, ProcessId: 5324, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49710
  • Process started | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | matched the same process-creation event (ProcessId 1340; all fields identical to the first entry)
No Snort rule has matched
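The Sigma hits above describe two behaviours worth re-implementing as host-log detections: a PowerShell process that adds a Defender exclusion (here `Add-MpPreference -ExclusionPath $env:UserProfile`; the `base64offset` modifier in the match data exists because the same cmdlet is often passed through `-EncodedCommand`), and an outbound connection to TCP 587 from CasPol.exe, a .NET Framework utility that has no business sending mail. The Python below is an added example, not Joe Sandbox or Sigma code. The events are constructed Sysmon-style dictionaries modelled on this report's process tree and network lines; the encoded-command variant and the two benign control events (PIDs 9001-9003, the mail-client path) are hypothetical, and widening the SMTP rule from CasPol.exe to any binary under the Microsoft.NET\Framework directory is an assumption.

```python
import base64
import re

# Constructed Sysmon-style events (EventID 1 = process creation, 3 = network
# connection) modelled on this report's process tree and network lines. They
# are not a real log export; PIDs 9001-9003 are hypothetical extra events.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
DROPPER = r"C:\Users\user\Desktop\4munRyMrBm.exe"


def encode_command(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


EVENTS = [
    {"EventID": 1, "ProcessId": 1340, "Image": PS, "ParentImage": DROPPER,
     "CommandLine": PS + " Add-MpPreference -ExclusionPath $env:UserProfile"},
    {"EventID": 1, "ProcessId": 5324, "Image": CASPOL, "ParentImage": DROPPER,
     "CommandLine": '"' + CASPOL + '"'},
    {"EventID": 3, "ProcessId": 5324, "Image": CASPOL, "Protocol": "tcp",
     "Initiated": True, "SourceIp": "192.168.2.6", "SourcePort": 49710,
     "DestinationIp": "74.208.5.2", "DestinationPort": 587},
    # Hypothetical: the same cmdlet hidden behind -EncodedCommand.
    {"EventID": 1, "ProcessId": 9001, "Image": PS, "ParentImage": DROPPER,
     "CommandLine": PS + " -nop -w hidden -EncodedCommand "
                    + encode_command("Add-MpPreference -ExclusionPath $env:UserProfile")},
    # Hypothetical benign controls: an admin reading the config; a mail client on 587.
    {"EventID": 1, "ProcessId": 9002, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": PS + " Get-MpPreference"},
    {"EventID": 3, "ProcessId": 9003, "Image": r"C:\Program Files\MailClient\mail.exe",
     "Protocol": "tcp", "Initiated": True, "SourceIp": "192.168.2.6", "SourcePort": 49800,
     "DestinationIp": "74.208.5.2", "DestinationPort": 587},
]

MP_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension|IpAddress)", re.I)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
MAIL_PORTS = {25, 465, 587}


def command_views(cmdline: str):
    """Yield the command line as logged, then the decoded -EncodedCommand payload if any."""
    yield cmdline
    m = ENCODED_FLAG.search(cmdline)
    if m:
        try:
            yield base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass


def is_defender_exclusion(ev: dict) -> bool:
    """PowerShell process creation whose plain or base64-encoded command line
    adds a Defender exclusion (the behaviour behind the two PowerShell Sigma hits)."""
    if ev.get("EventID") != 1:
        return False
    if not ev.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    return any(MP_EXCLUSION.search(v) for v in command_views(ev.get("CommandLine", "")))


def is_dotnet_framework_smtp(ev: dict) -> bool:
    """Initiated connection to a mail port from a binary living under the .NET
    Framework directory (CasPol.exe in the report; the wider match is an assumption)."""
    if ev.get("EventID") != 3 or not ev.get("Initiated"):
        return False
    image = ev.get("Image", "").lower()
    return ev.get("DestinationPort") in MAIL_PORTS and "\\microsoft.net\\framework" in image


def run_rules(events) -> list:
    """Return (rule_name, ProcessId) for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_defender_exclusion(ev):
            hits.append(("defender_exclusion_powershell", ev["ProcessId"]))
        if is_dotnet_framework_smtp(ev):
            hits.append(("smtp_from_dotnet_framework_binary", ev["ProcessId"]))
    return hits


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule}: pid {pid}")
```

On a live host the exclusion itself is visible with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and can be removed with `Remove-MpPreference -ExclusionPath <path>`; excluding the whole user profile means anything the stealer later drops there is never scanned, which is why the exclusion rule is worth alerting on even without the follow-on SMTP traffic.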


AV Detection

Source: 0.2.4munRyMrBm.exe.1cfbda4abe0.0.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.ionos.com", "Username": "gm@emisafe.ae", "Password": "T2@Gwt567"}
Source: 4munRyMrBm.exe | ReversingLabs: Detection: 70%
Source: Submitted sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 4munRyMrBm.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Code function: 4x nop then push <register> (inlined nop sequences), by function:
  • 0_2_00007FF7C5C32740: push rsi
  • 0_2_00007FF7C5C60B00: push rdi
  • 0_2_00007FF7C5C609D0: push rsi
  • 0_2_00007FF7C5C60980: push rsi
  • 0_2_00007FF7C5BB1988: push rbx (2 occurrences)
  • 0_2_00007FF7C5C32430: push rbx (7 occurrences), push rsi (2 occurrences), push rdi (1 occurrence)
  • 0_2_00007FF7C5CBE3C0: push r14
Source: global traffic | TCP traffic: 192.168.2.6:49710 -> 74.208.5.2:587
Source: Joe Sandbox View | IP Address: 74.208.5.2
Source: Joe Sandbox View | ASN Name: ONEANDONE-AS, Brauerstrasse 48, DE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: smtp.ionos.com
Source: CasPol.exe (memory dumps 00000005.00000002.3327954890.00000000030F6000.00000004.00000800.00020000.00000000.sdmp, 00000005.00000002.3330220158.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, 00000005.00000002.3327712733.00000000010BE000.00000004.00000020.00020000.00000000.sdmp) | Strings found in binary or memory (X.509 certificate AIA/CRL/CPS URLs, consistent with a TLS handshake to the mail server; the trailing characters are DER length bytes):
  • http://cacerts.geotrust.com/GeoTrustTLSRSACAG1.crt0
  • http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl0v
  • http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
  • http://ocsp.digicert.com0B
  • http://status.geotrust.com0
  • http://www.digicert.com/CPS0
  • https://www.digicert.com/CPS0
Source: CasPol.exe, 00000005.00000002.3327954890.00000000030F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.ionos.com
Source: 4munRyMrBm.exe, 00000000.00000002.2097877620.000001CFBD400000.00000004.00001000.00020000.00000000.sdmp; CasPol.exe, 00000005.00000002.3326932398.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: 4munRyMrBm.exe | Strings found in binary or memory (runtime strings of a .NET NativeAOT-compiled binary):
  • https://aka.ms/GlobalizationInvariantMode
  • https://aka.ms/nativeaot-c
  • https://aka.ms/nativeaot-compatibility (also in 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp)
  • https://aka.ms/nativeaot-compatibilityY
  • https://aka.ms/nativeaot-compatibilityy

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.4munRyMrBm.exe.1cfbda4abe0.0.raw.unpack, SKTzxzsJw.cs | .Net Code: rgMU
Source: 0.2.4munRyMrBm.exe.1cfbdac0070.1.raw.unpack, SKTzxzsJw.cs | .Net Code: rgMU

System Summary

Matched rule (type: UNPACKEDPE): Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen. Sources:
  • 0.2.4munRyMrBm.exe.1cfbda4abe0.0.unpack
  • 5.2.CasPol.exe.400000.0.unpack
  • 0.2.4munRyMrBm.exe.1cfbdac0070.1.unpack
  • 0.2.4munRyMrBm.exe.1cfbdac0070.1.raw.unpack
  • 0.2.4munRyMrBm.exe.1cfbda4abe0.0.raw.unpack
  • 0.2.4munRyMrBm.exe.1cfbd800058.2.raw.unpack
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Code functions (0_2_): 00007FF7C5BE1D80, 00007FF7C5BE3480, 00007FF7C5BE46E0, 00007FF7C5BB7EA0, 00007FF7C5BC9660, 00007FF7C5BCFE70, 00007FF7C5BB35A0, 00007FF7C5BE2DB0, 00007FF7C5BC7DC0, 00007FF7C5BE6D80, 00007FF7C5BE2580, 00007FF7C5BE5060, 00007FF7C5BD6860, 00007FF7C5C4C880, 00007FF7C5BDB850, 00007FF7C5BB6AA0, 00007FF7C5BC3AC0, 00007FF7C5BBB2C0, 00007FF7C5BCD1F0, 00007FF7C5BD1930, 00007FF7C5BC2D00, 00007FF7C5BEE4B0, 00007FF7C5BDBC70, 00007FF7C5BE5490, 00007FF7C5BC1C50, 00007FF7C5BDC3A0, 00007FF7C5BE63B0, 00007FF7C5BBBB60, 00007FF7C5BD1384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code functions (5_2_): 01229378, 01224A98, 01229C00, 0122CFE8, 01223E80, 012241C8, 061F56D8, 061FDCF0, 061FBCE0, 061F9AC0, 061F2AF8, 061F8B90, 061F0040, 061F4FF8, 061F3248, 01229BF8
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Code function: String function: 00007FF7C5BBD7A0 appears 64 times
Source: 4munRyMrBm.exe | Binary or memory string: OriginalFilename vs 4munRyMrBm.exe
Source: 4munRyMrBm.exe, 00000000.00000000.2078881785.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSetCurrentDirectoryGetBytes.dllX vs 4munRyMrBm.exe
Source: 4munRyMrBm.exe, 00000000.00000002.2097877620.000001CFBD400000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSetCurrentDirectoryGetBytes.dllX vs 4munRyMrBm.exe
Source: 4munRyMrBm.exe, 00000000.00000002.2097877620.000001CFBD400000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename464202a8-28ab-48ff-9bd0-c2ffd865bc06.exe4 vs 4munRyMrBm.exe
Source: 4munRyMrBm.exe | Binary or memory string: OriginalFilenameSetCurrentDirectoryGetBytes.dllX vs 4munRyMrBm.exe
Matched rule (type: UNPACKEDPE): INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers. Sources:
  • 0.2.4munRyMrBm.exe.1cfbda4abe0.0.unpack
  • 5.2.CasPol.exe.400000.0.unpack
  • 0.2.4munRyMrBm.exe.1cfbdac0070.1.unpack
  • 0.2.4munRyMrBm.exe.1cfbdac0070.1.raw.unpack
  • 0.2.4munRyMrBm.exe.1cfbda4abe0.0.raw.unpack
  • 0.2.4munRyMrBm.exe.1cfbd800058.2.raw.unpack
Source: 4munRyMrBm.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9963456329281184
Source: 0.2.4munRyMrBm.exe.1cfbda4abe0.0.raw.unpack | Cryptographic APIs: 4JJG6X.cs: 'TransformFinalBlock' (2 occurrences); 8C78isHTVco.cs: 'TransformFinalBlock' (4 occurrences); CqSP68Ir.cs: 'TransformFinalBlock', and 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/5@1/1
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Code function 0_2_00007FF7C5BC2B30: LookupPrivilegeValueW, GetCurrentProcess, OpenProcessToken, AdjustTokenPrivileges, GetLastError, CloseHandle, GetLargePageMinimum, VirtualAlloc, GetCurrentProcess, VirtualAllocExNuma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3v3szqea.fmp.ps1
Source: 4munRyMrBm.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\4munRyMrBm.exe | File read: C:\Users\user\Desktop\4munRyMrBm.exe
Source: unknown | Process created: C:\Users\user\Desktop\4munRyMrBm.exe "C:\Users\user\Desktop\4munRyMrBm.exe"
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4munRyMrBm.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: msasn1.dll
Note on the CasPol.exe load set: a CasPol.exe started with no arguments has no reason to touch the Credential Manager client (vaultcli.dll), the WMI client (wbemcomn.dll), the socket, DNS and DHCP client libraries (mswsock.dll, dnsapi.dll, dhcpcsvc.dll) or the TLS stack (schannel.dll, ncrypt.dll, ncryptsslp.dll). That set of imports belongs to the payload injected into it, and it matches the credential-harvesting and network activity attributed to this sample.
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: 4munRyMrBm.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 4munRyMrBm.exe | Static file information: File size 1919488 > 1048576
Source: 4munRyMrBm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4munRyMrBm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4munRyMrBm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4munRyMrBm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4munRyMrBm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4munRyMrBm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 4munRyMrBm.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 4munRyMrBm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4munRyMrBm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4munRyMrBm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4munRyMrBm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4munRyMrBm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4munRyMrBm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: 4munRyMrBm.exe | Static PE information: section name: .managed
Source: 4munRyMrBm.exe | Static PE information: section name: hydrated
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 5_2_01229B40 push esp; retf 0521h | 5_2_01229BF1
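The static PE lines above are cheap to reproduce and worth reading together: an image base of 0x140000000 is simply the linker default for a 64-bit executable (PE32+), the DllCharacteristics flags say the file opts into ASLR with high-entropy addresses and DEP, and the two section names that are not standard for an MSVC or .NET build, .managed and hydrated, are the detail a triager would pivot on. Note that the injection host is a 32-bit process (it is run from Framework\, not Framework64\, and resolves its COM server through the WOW6432Node key), so the dropper and its payload are of different bitness. The parser below is an added example, not part of the report or of Joe Sandbox; it reads the headers with nothing but the standard library, handles both PE32 and PE32+ layouts, and applies the same image-base threshold and section-name check the report uses. The baseline set of "common" section names is an assumption, and build_header_only_pe constructs a header-only, non-loadable PE so the parser can be exercised offline without the sample.

```python
import struct
from dataclasses import dataclass

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Assumed baseline: section names a stock MSVC / .NET build produces.
# Anything outside this set is reported for a closer look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                   ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".gfids", ".00cfg"}


@dataclass
class PeSummary:
    pe32_plus: bool
    image_base: int
    dll_characteristics: list
    sections: list
    unusual_sections: list
    high_image_base: bool      # the report's "Image base > 0x60000000" heuristic


def parse_pe(data: bytes) -> PeSummary:
    """Parse the DOS, COFF and optional headers plus the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:          # PE32+: 64-bit ImageBase at optional-header offset 24
        pe32_plus, image_base = True, struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:        # PE32: 32-bit ImageBase at offset 28 (BaseOfData sits at 24)
        pe32_plus, image_base = False, struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both layouts
    flags = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchars & bit]
    sections = []
    for i in range(nsections):                              # 40-byte section headers follow the optional header
        raw = struct.unpack_from("<8s", data, opt + opt_size + 40 * i)[0]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    unusual = [s for s in sections if s not in COMMON_SECTIONS]
    return PeSummary(pe32_plus, image_base, flags, sections, unusual, image_base > 0x60000000)


def build_header_only_pe(image_base, dllchars, section_names, pe32_plus=True) -> bytes:
    """Construct a header-only PE (no code, not loadable) so parse_pe can be exercised offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header right after the DOS header
    opt_size = 240 if pe32_plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32_plus else 0x14C, len(section_names),
                       0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    if pe32_plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dllchars)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii"), *([0] * 9))
                     for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:   # constructed stand-in mirroring the report's static lines
        data = build_header_only_pe(0x140000000, 0x8160,
                                    [".text", ".rdata", ".data", ".managed", "hydrated", ".rsrc", ".reloc"])
    print(parse_pe(data))
```

Run it with a file path to summarise a real binary, or with no arguments to see the constructed stand-in. The image-base line on its own is a weak signal (every default-linked 64-bit executable trips it); the section names are the part to carry into further analysis.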

                    Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 entries)
Caveat: these opens are consistent with PowerShell's module auto-discovery enumerating manifests under the Modules directory while it resolves the Add-MpPreference cmdlet; nothing in this report shows the sample calling a BitLocker cmdlet.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (101 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\4munRyMrBm.exe Memory allocated: 1CFB9130000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 1220000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 30A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 2C60000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6841
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 1249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 2532
Source: C:\Users\user\Desktop\4munRyMrBm.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15358
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3700 Thread sleep count: 1249 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -99867s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -99749s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3700 Thread sleep count: 2532 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -99641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -99528s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -99422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -99309s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -99192s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -99063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -98953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -98841s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -98734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -98625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -98511s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -98406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -98297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -98187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -98078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -97969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\4munRyMrBm.exe Code function: 0_2_00007FF7C5BC2760 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask, 0_2_00007FF7C5BC2760
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99867
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 98078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 97969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: 4munRyMrBm.exe Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: CasPol.exe, 00000005.00000002.3330220158.0000000005F80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\4munRyMrBm.exe Code function: 0_2_00007FF7C5BB7D00 RtlAddVectoredExceptionHandler,RaiseFailFastException, 0_2_00007FF7C5BB7D00
Source: C:\Users\user\Desktop\4munRyMrBm.exe Code function: 0_2_00007FF7C5C10E9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7C5C10E9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\4munRyMrBm.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\4munRyMrBm.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\4munRyMrBm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\4munRyMrBm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\4munRyMrBm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Users\user\Desktop\4munRyMrBm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Users\user\Desktop\4munRyMrBm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43C000
Source: C:\Users\user\Desktop\4munRyMrBm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43E000
Source: C:\Users\user\Desktop\4munRyMrBm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: B5C008
Source: C:\Users\user\Desktop\4munRyMrBm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\4munRyMrBm.exe Code function: 0_2_00007FF7C5C11544 cpuid 0_2_00007FF7C5C11544
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\4munRyMrBm.exe Code function: 0_2_00007FF7C5BBE6D0 GetSystemTimeAsFileTime, 0_2_00007FF7C5BBE6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.4munRyMrBm.exe.1cfbda4abe0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4munRyMrBm.exe.1cfbdac0070.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4munRyMrBm.exe.1cfbdac0070.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4munRyMrBm.exe.1cfbda4abe0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4munRyMrBm.exe.1cfbd800058.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3326932398.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3327954890.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3327954890.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2097877620.000001CFBD400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4munRyMrBm.exe PID: 5660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5324, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Remote Access Functionality

Source: Yara match File source: 0.2.4munRyMrBm.exe.1cfbda4abe0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4munRyMrBm.exe.1cfbdac0070.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4munRyMrBm.exe.1cfbdac0070.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4munRyMrBm.exe.1cfbda4abe0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4munRyMrBm.exe.1cfbd800058.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3326932398.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3327954890.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3327954890.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2097877620.000001CFBD400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4munRyMrBm.exe PID: 5660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5324, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a digit prefix is the matched-signature count badge as extracted from the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 311 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 141 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 311 Process Injection
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 1 File and Directory Discovery; 36 System Information Discovery; 111 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
4munRyMrBm.exe | 71% | ReversingLabs | Win64.Spyware.Negasteal |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
https://account.dyn.com/ | 0% | URL Reputation | safe |
https://aka.ms/GlobalizationInvariantMode | 0% | Avira URL Cloud | safe |
https://aka.ms/nativeaot-compatibilityY | 0% | Avira URL Cloud | safe |
https://aka.ms/nativeaot-c | 0% | Avira URL Cloud | safe |
http://smtp.ionos.com | 0% | Avira URL Cloud | safe |
https://aka.ms/nativeaot-compatibility | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.ionos.com | 74.208.5.2 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/GlobalizationInvariantMode | 4munRyMrBm.exe | false | Avira URL Cloud: safe | unknown
http://smtp.ionos.com | CasPol.exe, 00000005.00000002.3327954890.00000000030F6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | 4munRyMrBm.exe, 00000000.00000002.2097877620.000001CFBD400000.00000004.00001000.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.3326932398.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/nativeaot-c | 4munRyMrBm.exe | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibility | 4munRyMrBm.exe, 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibilityY | 4munRyMrBm.exe | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibilityy | 4munRyMrBm.exe | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
74.208.5.2 | smtp.ionos.com | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1466968
                        Start date and time:2024-07-03 15:54:05 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 27s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:4munRyMrBm.exe
                        renamed because original name is a hash value
                        Original Sample Name:19b7b25564d95b2f1f3ed8904a5a1369445e9064c6e7e3ff4a058d5546cd38ea.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@8/5@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 58%
                        • Number of executed functions: 70
                        • Number of non-executed functions: 50
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: 4munRyMrBm.exe
Time | Type | Description
09:54:53 | API Interceptor | 19x Sleep call for process: CasPol.exe modified
09:54:53 | API Interceptor | 17x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
74.208.5.2 | New PO -39850-1064 -2084-GEN101 -Order,xls.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer
74.208.5.2 | PO# 2011-0227160-0365-06-24,xls.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer
74.208.5.2 | Purchase Order #2024-030-AC2021,pdf.exe | malicious | AgentTesla
74.208.5.2 | rPO00140263___-Order.exe | malicious | AgentTesla
74.208.5.2 | file.exe | malicious | AgentTesla
74.208.5.2 | PO 3652300336-2024-Inquiry-Project Order pdf.exe | malicious | AgentTesla
74.208.5.2 | New Order PO#01354759 .exe | malicious | AgentTesla
74.208.5.2 | HS44892321-T01.exe | malicious | AgentTesla
74.208.5.2 | eTSdG7txZz.exe | malicious | AgentTesla, zgRAT
74.208.5.2 | CtL8aGCktL.exe | malicious | AgentTesla
Match | Associated Sample Name / URL | Detection | Threat Name | Context
smtp.ionos.com | New PO -39850-1064 -2084-GEN101 -Order,xls.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 74.208.5.2
smtp.ionos.com | PO# 2011-0227160-0365-06-24,xls.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 74.208.5.2
smtp.ionos.com | Purchase Order #2024-030-AC2021,pdf.exe | malicious | AgentTesla | 74.208.5.2
smtp.ionos.com | rPO00140263___-Order.exe | malicious | AgentTesla | 74.208.5.2
smtp.ionos.com | file.exe | malicious | AgentTesla | 74.208.5.2
smtp.ionos.com | PO 3652300336-2024-Inquiry-Project Order pdf.exe | malicious | AgentTesla | 74.208.5.2
smtp.ionos.com | New Order PO#01354759 .exe | malicious | AgentTesla | 74.208.5.2
smtp.ionos.com | HS44892321-T01.exe | malicious | AgentTesla | 74.208.5.2
smtp.ionos.com | eTSdG7txZz.exe | malicious | AgentTesla, zgRAT | 74.208.5.2
smtp.ionos.com | CtL8aGCktL.exe | malicious | AgentTesla | 74.208.5.2
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ONEANDONE-ASBrauerstrasse48DE | RR1h1iO6W2.exe | malicious | FormBook | 217.160.223.34
ONEANDONE-ASBrauerstrasse48DE | SOA 020724.exe | malicious | FormBook | 217.160.0.85
ONEANDONE-ASBrauerstrasse48DE | http://www.doneck.com | malicious | Unknown | 217.160.0.83
ONEANDONE-ASBrauerstrasse48DE | HSBCscancopy-invoice778483-payment87476MT103.exe | malicious | FormBook | 74.208.46.171
ONEANDONE-ASBrauerstrasse48DE | Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe | malicious | FormBook | 212.227.172.254
ONEANDONE-ASBrauerstrasse48DE | Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe | malicious | FormBook | 212.227.172.254
ONEANDONE-ASBrauerstrasse48DE | Att00173994.exe | malicious | FormBook | 217.76.156.252
ONEANDONE-ASBrauerstrasse48DE | https://supp-review9482.eu/ | malicious | Unknown | 212.227.67.33
ONEANDONE-ASBrauerstrasse48DE | Inquiry No PJO-4010574.exe | malicious | FormBook | 217.160.0.85
ONEANDONE-ASBrauerstrasse48DE | https://www.asarco.com/ | malicious | Unknown | 74.208.236.164
                                            No context
                                            No context
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1940658735648508
                                            Encrypted:false
                                            SSDEEP:3:NlllulJnp/p:NllU
                                            MD5:BC6DB77EB243BF62DC31267706650173
                                            SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                            SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                            SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:@...e.................................X..............@..........
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            File type:PE32+ executable (console) x86-64, for MS Windows
                                            Entropy (8bit):7.014633465311287
                                            TrID:
                                            • Win64 Executable Console Net Framework (206006/5) 48.58%
                                            • Win64 Executable Console (202006/5) 47.64%
                                            • Win64 Executable (generic) (12005/4) 2.83%
                                            • Generic Win/DOS Executable (2004/3) 0.47%
                                            • DOS Executable Generic (2002/1) 0.47%
                                            File name:4munRyMrBm.exe
                                            File size:1'919'488 bytes
                                            MD5:72f322c11bdcf5920ee23f6fffa7d0a7
                                            SHA1:7c93d6d0af8b5e333dbf2cb2e3df2943c7163103
                                            SHA256:19b7b25564d95b2f1f3ed8904a5a1369445e9064c6e7e3ff4a058d5546cd38ea
                                            SHA512:5a0f1741b654de6780f2eff6aa9b2cd265d68d54c96ce03a70b0699be326162a69864c9d7a385901bbea351717565d17a50150c1caedb0695e7acc0f0ad304cc
                                            SSDEEP:49152:BOD+bTI6YTDml4HJPHDQkOBU0f9iygcrxZ3aU5ZzIrRo2ht1R1ZvkwZJ:wv85
                                            TLSH:1A95BE15E3E801A8E577EB34CA629333CAB1B8561730E58F069CD2451F73EA19B7B316
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.x...+...+...+^..*...+^..*...+^..*...+.b.+...+.b.*...+...+o..+n..*...+n..*...+...+...+n..*...+...*...+...*...+Rich...+.......
                                            Icon Hash:00928e8e8686b000
                                            Entrypoint:0x140060b78
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x140000000
                                            Subsystem:windows cui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x667A0914 [Tue Jun 25 00:02:28 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:6
                                            OS Version Minor:0
                                            File Version Major:6
                                            File Version Minor:0
                                            Subsystem Version Major:6
                                            Subsystem Version Minor:0
                                            Import Hash:8f2ed59ffaf0389477f5411c8b4c37fd
                                            Instruction
                                            dec eax
                                            sub esp, 28h
                                            call 00007FBB98FB22E4h
                                            dec eax
                                            add esp, 28h
                                            jmp 00007FBB98FB1B37h
                                            int3
                                            int3
                                            jmp 00007FBB98FB2670h
                                            int3
                                            int3
                                            int3
                                            dec eax
                                            sub esp, 28h
                                            dec ebp
                                            mov eax, dword ptr [ecx+38h]
                                            dec eax
                                            mov ecx, edx
                                            dec ecx
                                            mov edx, ecx
                                            call 00007FBB98FB1CD2h
                                            mov eax, 00000001h
                                            dec eax
                                            add esp, 28h
                                            ret
                                            int3
                                            int3
                                            int3
                                            inc eax
                                            push ebx
                                            inc ebp
                                            mov ebx, dword ptr [eax]
                                            dec eax
                                            mov ebx, edx
                                            inc ecx
                                            and ebx, FFFFFFF8h
                                            dec esp
                                            mov ecx, ecx
                                            inc ecx
                                            test byte ptr [eax], 00000004h
                                            dec esp
                                            mov edx, ecx
                                            je 00007FBB98FB1CD5h
                                            inc ecx
                                            mov eax, dword ptr [eax+08h]
                                            dec ebp
                                            arpl word ptr [eax+04h], dx
                                            neg eax
                                            dec esp
                                            add edx, ecx
                                            dec eax
                                            arpl ax, cx
                                            dec esp
                                            and edx, ecx
                                            dec ecx
                                            arpl bx, ax
                                            dec edx
                                            mov edx, dword ptr [eax+edx]
                                            dec eax
                                            mov eax, dword ptr [ebx+10h]
                                            mov ecx, dword ptr [eax+08h]
                                            dec eax
                                            mov eax, dword ptr [ebx+08h]
                                            test byte ptr [ecx+eax+03h], 0000000Fh
                                            je 00007FBB98FB1CCDh
                                            movzx eax, byte ptr [ecx+eax+03h]
                                            and eax, FFFFFFF0h
                                            dec esp
                                            add ecx, eax
                                            dec esp
                                            xor ecx, edx
                                            dec ecx
                                            mov ecx, ecx
                                            pop ebx
                                            jmp 00007FBB98FB1CD6h
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            nop word ptr [eax+eax+00000000h]
                                            dec eax
                                            cmp ecx, dword ptr [00169919h]
                                            jne 00007FBB98FB1CD2h
                                            dec eax
                                            rol ecx, 10h
                                            test cx, FFFFh
                                            jne 00007FBB98FB1CC3h
                                            ret
                                            dec eax
                                            ror ecx, 10h
                                            jmp 00007FBB98FB1F57h
                                            int3
                                            Programming Language:
                                            • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1c6da0 | 0x58 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c6df8 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e8000 | 0x3b100 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1d7000 | 0x107dc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x224000 | 0x570 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1a4fb0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1a5180 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1a4e70 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x159000 | 0x730 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x1000 | 0x655d8 | 0x65600 | a83f1f68413cc5604ea156c8e93e3b1a | False | 0.45910960619605423 | data | 6.657947877840493 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .managed | 0x67000 | 0xb1c88 | 0xb1e00 | 7b21ac36faefbbd8cf5ba1dba17ccad1 | False | 0.46262023453970486 | data | 6.453352722930797 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            hydrated | 0x119000 | 0x3f130 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rdata | 0x159000 | 0x6f824 | 0x6fa00 | 0c62474608d4c8d7e91cac30417a50ef | False | 0.4840994190929451 | zlib compressed data | 6.509712991531217 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .data | 0x1c9000 | 0xd488 | 0x1800 | f9836cce0b2cf07524bb2892ecd5dfca | False | 0.20686848958333334 | data | 2.944302619462605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .pdata | 0x1d7000 | 0x107dc | 0x10800 | 45a3194d8cdb409c1eb277bf8de8bbc5 | False | 0.4964044744318182 | data | 6.150240338049358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .rsrc | 0x1e8000 | 0x3b100 | 0x3b200 | 8cab0d040450e6a9309c9442c962af41 | False | 0.9963456329281184 | data | 7.997985741276216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x224000 | 0x570 | 0x600 | 5545a2e51f7a2893c697b39a79ed20ed | False | 0.5950520833333334 | data | 5.168122039701614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            BINARY | 0x1e8130 | 0x3aa94 | data | | | 1.0003371123208311
                                            RT_VERSION | 0x222bc4 | 0x350 | data | | | 0.3785377358490566
                                            RT_MANIFEST | 0x222f14 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                            DLL | Import
                                            ADVAPI32.dll | AdjustTokenPrivileges, CreateWellKnownSid, DeregisterEventSource, DuplicateTokenEx, GetSecurityDescriptorLength, GetTokenInformation, GetWindowsAccountDomainSid, LookupPrivilegeValueW, OpenProcessToken, OpenThreadToken, RegCloseKey, RegCreateKeyExW, RegDeleteKeyExW, RegDeleteTreeW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExA, RegSetValueExW, RegisterEventSourceW, ReportEventW, RevertToSelf, SetThreadToken
                                            bcrypt.dll | BCryptOpenAlgorithmProvider, BCryptCloseAlgorithmProvider, BCryptDecrypt, BCryptDestroyKey, BCryptGenRandom
                                            KERNEL32.dll | TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, AllocConsole, CancelThreadpoolIo, CloseHandle, CloseThreadpoolIo, CopyFileExW, CreateDirectoryW, CreateEventExW, CreateFileW, CreateProcessA, CreateSymbolicLinkW, CreateThreadpoolIo, DeleteCriticalSection, DeleteFileW, DeleteVolumeMountPointW, DeviceIoControl, DuplicateHandle, EnterCriticalSection, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FormatMessageW, FreeConsole, FreeLibrary, GetCPInfo, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumberEx, GetCurrentThread, GetDynamicTimeZoneInformation, GetEnvironmentVariableW, GetFileAttributesExW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetLogicalDrives, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetOverlappedResult, GetProcAddress, GetStdHandle, GetSystemTime, GetThreadPriority, GetTickCount64, GetTimeZoneInformation, GetVolumeInformationW, InitializeConditionVariable, InitializeCriticalSection, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LocalAlloc, LocalFree, MoveFileExW, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseFailFastException, ReadFile, RemoveDirectoryW, ReplaceFileW, ResetEvent, ResumeThread, SetEvent, SetFileAttributesW, SetFileInformationByHandle, SetLastError, SetThreadErrorMode, SetThreadPriority, Sleep, SleepConditionVariableCS, StartThreadpoolIo, SystemTimeToFileTime, TzSpecificLocalTimeToSystemTime, VirtualAlloc, VirtualFree, WaitForMultipleObjectsEx, WakeConditionVariable, WideCharToMultiByte, WriteFile, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, VerSetConditionMask, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, GetThreadContext, SetThreadContext, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, VerifyVersionInfoW, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, VirtualQuery, GetSystemTimeAsFileTime, InitializeCriticalSectionEx, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RaiseException, RtlPcToFileHeader, RtlUnwindEx, InitializeSListHead, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlLookupFunctionEntry
                                            ole32.dll | CoWaitForMultipleHandles, CoGetApartmentType, CoCreateGuid, CoInitializeEx, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc
                                            api-ms-win-crt-math-l1-1-0.dll | __setusermatherr, modf, ceil
                                            api-ms-win-crt-heap-l1-1-0.dll | _callnewh, free, _set_new_mode, calloc, malloc
                                            api-ms-win-crt-string-l1-1-0.dll | strcmp, wcsncmp, _stricmp, strcpy_s
                                            api-ms-win-crt-convert-l1-1-0.dll | strtoull
                                            api-ms-win-crt-runtime-l1-1-0.dll | abort, _c_exit, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _seh_filter_exe, _set_app_type, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment, _register_thread_local_exe_atexit_callback, _initterm_e, exit, _exit, _initterm, __p___argc, __p___wargv, _cexit
                                            api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode, __p__commode
                                            api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                                            Name | Ordinal | Address
                                            DotNetRuntimeDebugHeader | 1 | 0x1401c9b90
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jul 3, 2024 15:54:55.037188053 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:55.042073011 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:55.042160034 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:55.561348915 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:55.562179089 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:55.567097902 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.099358082 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.099536896 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:56.099999905 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.100096941 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:56.104468107 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.228851080 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.237138033 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:56.242249012 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.368268013 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.368283033 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.368294954 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.368359089 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:56.371875048 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:56.376815081 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.500602007 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.516979933 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:56.521943092 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.645030975 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.645992994 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:56.650866032 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.774434090 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.775393009 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:56.780292988 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.934437990 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:56.934708118 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:56.939755917 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:57.062990904 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:57.073254108 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Jul 3, 2024 15:54:57.078650951 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6
                                            Jul 3, 2024 15:54:57.078752995 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jul 3, 2024 15:54:55.021450996 CEST | 62820 | 53 | 192.168.2.6 | 1.1.1.1
                                            Jul 3, 2024 15:54:55.030194998 CEST | 53 | 62820 | 1.1.1.1 | 192.168.2.6
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Jul 3, 2024 15:54:55.021450996 CEST | 192.168.2.6 | 1.1.1.1 | 0xf64b | Standard query (0) | smtp.ionos.com | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Jul 3, 2024 15:54:55.030194998 CEST | 1.1.1.1 | 192.168.2.6 | 0xf64b | No error (0) | smtp.ionos.com | | 74.208.5.2 | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                            Jul 3, 2024 15:54:55.561348915 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6 | 220 perfora.net (mreueus002) Nemesis ESMTP Service ready
                                            Jul 3, 2024 15:54:55.562179089 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2 | EHLO 065367
                                            Jul 3, 2024 15:54:56.099358082 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6 | 250-perfora.net Hello 065367 [8.46.123.33]
                                                250-8BITMIME
                                                250-SIZE 141557760
                                                250 STARTTLS
                                            Jul 3, 2024 15:54:56.099536896 CEST | 49710 | 587 | 192.168.2.6 | 74.208.5.2 | STARTTLS
                                            Jul 3, 2024 15:54:56.099999905 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6 | 250-perfora.net Hello 065367 [8.46.123.33]
                                                250-8BITMIME
                                                250-SIZE 141557760
                                                250 STARTTLS
                                            Jul 3, 2024 15:54:56.228851080 CEST | 587 | 49710 | 74.208.5.2 | 192.168.2.6 | 220 OK

                                            Target ID:0
                                            Start time:09:54:50
                                            Start date:03/07/2024
                                            Path:C:\Users\user\Desktop\4munRyMrBm.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\Desktop\4munRyMrBm.exe"
                                            Imagebase:0x7ff7c5bb0000
                                            File size:1'919'488 bytes
                                            MD5 hash:72F322C11BDCF5920EE23F6FFFA7D0A7
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2097877620.000001CFBD400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2097877620.000001CFBD400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:09:54:51
                                            Start date:03/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:09:54:51
                                            Start date:03/07/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:09:54:51
                                            Start date:03/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:09:54:52
                                            Start date:03/07/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                            Imagebase:0x9d0000
                                            File size:108'664 bytes
                                            MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3326932398.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3326932398.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3327954890.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3327954890.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3327954890.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:false

                                            Target ID:6
                                            Start time:09:54:55
                                            Start date:03/07/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff717f30000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                              Execution Graph

                                              Execution Coverage:5.9%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:26.4%
                                              Total number of Nodes:932
                                              Total number of Limit Nodes:37
                                              [Execution graph data omitted: interactive graph-widget residue consisting of node IDs, addresses and edge lists. Graph root node: 7ff7c5bc0d20. API calls named in the graph nodes: VirtualAlloc, FlsAlloc, GetModuleHandleExW, RtlAddVectoredExceptionHandler, RaiseFailFastException, GetCurrentProcess, GetProcessAffinityMask, QueryInformationJobObject, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, GetEnabledXStateFeatures, GetStdHandle, WriteFile, GetSystemInfo, GetNumaHighestNodeNumber, GetProcessGroupAffinity, GetLastError, GetLogicalProcessorInformationEx, strcmp, _stricmp, strtoull, malloc, std::bad_alloc::bad_alloc, Concurrency::cancel_current_task, RtlPcToFileHeader, RaiseException, CreateEventW, CreateThread, _swprintf_c_l.]
15615->15614 15616 7ff7c5c10c40 _swprintf_c_l 3 API calls 15615->15616 15618 7ff7c5bbf751 15616->15618 15619 7ff7c5bbf7e5 15618->15619 15624 7ff7c5bc53b0 15618->15624 15619->15367 15620->15610 15622 7ff7c5bbcf4f 15621->15622 15623 7ff7c5bbcf55 SetThreadPriority ResumeThread FindCloseChangeNotification 15621->15623 15622->15612 15623->15612 15625 7ff7c5bc53e3 _swprintf_c_l 15624->15625 15629 7ff7c5bc5409 _swprintf_c_l 15625->15629 15630 7ff7c5bc64f0 15625->15630 15627 7ff7c5bc5400 15628 7ff7c5bc0ca0 InitializeCriticalSectionEx 15627->15628 15627->15629 15628->15629 15629->15618 15629->15629 15639 7ff7c5bc2ab0 15630->15639 15632 7ff7c5bc6512 15633 7ff7c5bc651a 15632->15633 15642 7ff7c5bc29e0 15632->15642 15633->15627 15635 7ff7c5bc6538 15638 7ff7c5bc6543 _swprintf_c_l 15635->15638 15645 7ff7c5bc2a90 VirtualFree 15635->15645 15637 7ff7c5bc665e 15637->15627 15638->15627 15640 7ff7c5bc2ad5 VirtualAlloc 15639->15640 15641 7ff7c5bc2af4 GetCurrentProcess VirtualAllocExNuma 15639->15641 15640->15641 15641->15632 15643 7ff7c5bc2a1e GetCurrentProcess VirtualAllocExNuma 15642->15643 15644 7ff7c5bc29fb VirtualAlloc 15642->15644 15643->15635 15644->15635 15645->15637 15649 7ff7c5bbe176 15646->15649 15650 7ff7c5c10c20 15649->15650 15651 7ff7c5c10c29 15650->15651 15652 7ff7c5bbe21a 15651->15652 15653 7ff7c5c10ed0 IsProcessorFeaturePresent 15651->15653 15652->15371 15654 7ff7c5c10ee8 15653->15654 15659 7ff7c5c110c8 RtlCaptureContext 15654->15659 15660 7ff7c5c110e2 RtlLookupFunctionEntry 15659->15660 15661 7ff7c5c110f8 RtlVirtualUnwind 15660->15661 15662 7ff7c5c10efb 15660->15662 15661->15660 15661->15662 15663 7ff7c5c10e9c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 15662->15663 15664->15384 15665 7ff7c5bcc75f 15666 7ff7c5bcc764 15665->15666 15673 7ff7c5bf1540 15666->15673 15668 7ff7c5bcc86d 15669 7ff7c5bcc898 15668->15669 15681 7ff7c5be4530 15668->15681 15685 7ff7c5bd3ff0 15669->15685 15672 7ff7c5bcc902 15674 7ff7c5bf1559 15673->15674 
15678 7ff7c5bf1569 15673->15678 15674->15668 15675 7ff7c5bf16ab SwitchToThread 15675->15678 15676 7ff7c5bf15b9 SwitchToThread 15676->15678 15677 7ff7c5bf16b7 15677->15668 15678->15675 15678->15676 15678->15677 15679 7ff7c5bf1660 SwitchToThread 15678->15679 15680 7ff7c5bf1676 SwitchToThread 15678->15680 15679->15678 15680->15678 15682 7ff7c5be454e 15681->15682 15684 7ff7c5be45b9 _swprintf_c_l 15681->15684 15682->15684 15690 7ff7c5bc2c80 VirtualAlloc 15682->15690 15684->15669 15686 7ff7c5be4530 2 API calls 15685->15686 15687 7ff7c5bd4025 _swprintf_c_l 15686->15687 15688 7ff7c5bf1540 4 API calls 15687->15688 15689 7ff7c5bd4175 15688->15689 15689->15672 15689->15689 15691 7ff7c5bc2ccc 15690->15691 15692 7ff7c5bc2cbb 15690->15692 15691->15684 15692->15691 15693 7ff7c5bc2cc0 VirtualUnlock 15692->15693 15693->15691 15694 7ff7c5be3480 15695 7ff7c5be34bd 15694->15695 15697 7ff7c5be34e7 15694->15697 15698 7ff7c5bc2140 15695->15698 15699 7ff7c5bc222f GlobalMemoryStatusEx 15698->15699 15700 7ff7c5bc2177 GetCurrentProcess 15698->15700 15703 7ff7c5bc2198 15699->15703 15701 7ff7c5bc2190 15700->15701 15701->15699 15701->15703 15702 7ff7c5c10c20 8 API calls 15704 7ff7c5bc2308 15702->15704 15703->15702 15704->15697 15705 7ff7c5bce9fa 15706 7ff7c5bcea09 15705->15706 15708 7ff7c5bcea67 15706->15708 15709 7ff7c5be7820 15706->15709 15710 7ff7c5be7960 15709->15710 15718 7ff7c5be7860 15709->15718 15711 7ff7c5c10c20 8 API calls 15710->15711 15712 7ff7c5be79cd 15711->15712 15712->15708 15713 7ff7c5be78ce EnterCriticalSection 15713->15718 15714 7ff7c5be790f LeaveCriticalSection 15716 7ff7c5bc29e0 3 API calls 15714->15716 15715 7ff7c5be7a0b LeaveCriticalSection 15715->15710 15715->15718 15716->15718 15717 7ff7c5be79ea EnterCriticalSection 15717->15715 15718->15710 15718->15713 15718->15714 15718->15715 15718->15717 15720 7ff7c5be7a4e EnterCriticalSection LeaveCriticalSection 15718->15720 15721 7ff7c5bc2a70 VirtualFree 15718->15721 15720->15718 15721->15718 15722 7ff7c5bb5f12 15723 
7ff7c5bb5f20 15722->15723 15726 7ff7c5c54ce0 15723->15726 15724 7ff7c5bc0fb7 15727 7ff7c5c54cf9 15726->15727 15730 7ff7c5c54de0 15727->15730 15729 7ff7c5c54d09 15729->15724 15731 7ff7c5c54e19 15730->15731 15734 7ff7c5c54df6 15730->15734 15735 7ff7c5c54e80 15731->15735 15733 7ff7c5c54e2d 15733->15729 15734->15729 15738 7ff7c5c54ea2 15735->15738 15736 7ff7c5c54fe6 15739 7ff7c5bb47e0 26 API calls 15736->15739 15737 7ff7c5c54f02 15737->15733 15738->15736 15738->15737 15742 7ff7c5bb47e0 15738->15742 15740 7ff7c5c54ff9 15739->15740 15743 7ff7c5bb489b 15742->15743 15748 7ff7c5c55a60 15743->15748 15749 7ff7c5c55a72 15748->15749 15752 7ff7c5c55b20 15749->15752 15765 7ff7c5bb72b0 15752->15765 15754 7ff7c5c55c8c 15797 7ff7c5bb3f20 15754->15797 15755 7ff7c5c55c57 15755->15754 15793 7ff7c5c556e0 15755->15793 15757 7ff7c5c55b9f 15757->15755 15785 7ff7c5bb73f0 15757->15785 15766 7ff7c5bb72fb 15765->15766 15767 7ff7c5bb7340 15766->15767 15768 7ff7c5bb7300 15766->15768 15771 7ff7c5bbe7d0 4 API calls 15767->15771 15772 7ff7c5bb735a 15767->15772 15770 7ff7c5bb731a 15768->15770 15800 7ff7c5bbe7d0 15768->15800 15806 7ff7c5bb6700 15770->15806 15771->15772 15773 7ff7c5bb7376 15772->15773 15774 7ff7c5bb738b 15772->15774 15776 7ff7c5bb6eb0 2 API calls 15773->15776 15777 7ff7c5bb6eb0 2 API calls 15774->15777 15779 7ff7c5bb7382 15776->15779 15777->15779 15781 7ff7c5bb733e 15779->15781 15782 7ff7c5bbe7d0 4 API calls 15779->15782 15783 7ff7c5bb73c2 15781->15783 15819 7ff7c5bb6090 15781->15819 15782->15781 15783->15757 15786 7ff7c5bb7432 15785->15786 15848 7ff7c5bb6aa0 15786->15848 15788 7ff7c5bb7441 15789 7ff7c5bb7462 15788->15789 15790 7ff7c5bbe7d0 4 API calls 15788->15790 15791 7ff7c5bb6090 2 API calls 15789->15791 15792 7ff7c5bb7473 15789->15792 15790->15789 15791->15792 15792->15757 15794 7ff7c5c55714 15793->15794 15877 7ff7c5bb3c90 15794->15877 15796 7ff7c5c55751 15796->15754 15798 7ff7c5bb3f55 15797->15798 15799 7ff7c5bb3f48 RaiseFailFastException 15797->15799 15799->15798 15801 
7ff7c5bbe87c 15800->15801 15803 7ff7c5bbe80b 15800->15803 15801->15770 15803->15801 15805 7ff7c5bbe844 15803->15805 15825 7ff7c5bbe4f0 15803->15825 15805->15801 15833 7ff7c5bbe890 15805->15833 15808 7ff7c5bb671d _swprintf_c_l 15806->15808 15807 7ff7c5bb68e1 15814 7ff7c5bb6eb0 15807->15814 15808->15807 15809 7ff7c5bb68c0 15808->15809 15810 7ff7c5bb68a9 RaiseFailFastException 15808->15810 15811 7ff7c5bb68b8 15808->15811 15809->15807 15813 7ff7c5bbe7d0 4 API calls 15809->15813 15810->15809 15842 7ff7c5bb70f0 15811->15842 15813->15807 15815 7ff7c5bb6f10 15814->15815 15816 7ff7c5bb6ec2 15814->15816 15815->15781 15816->15815 15817 7ff7c5bb6090 2 API calls 15816->15817 15818 7ff7c5bb6eeb 15817->15818 15818->15781 15820 7ff7c5bb60b0 15819->15820 15821 7ff7c5bb60a8 15819->15821 15820->15783 15821->15820 15822 7ff7c5bb6126 15821->15822 15823 7ff7c5bb6119 RaiseFailFastException 15821->15823 15822->15820 15824 7ff7c5bb6141 RaiseFailFastException 15822->15824 15823->15822 15824->15820 15829 7ff7c5bbe514 15825->15829 15826 7ff7c5c10c40 _swprintf_c_l 3 API calls 15827 7ff7c5bbe584 15826->15827 15828 7ff7c5c10c40 _swprintf_c_l 3 API calls 15827->15828 15831 7ff7c5bbe63c 15827->15831 15830 7ff7c5bbe5af 15828->15830 15829->15826 15829->15830 15830->15831 15837 7ff7c5bbca30 GetCurrentThreadId 15830->15837 15831->15805 15834 7ff7c5bbe8ca 15833->15834 15835 7ff7c5bbe8f4 15834->15835 15838 7ff7c5bbe320 15834->15838 15835->15801 15837->15831 15839 7ff7c5bbe34a _swprintf_c_l 15838->15839 15840 7ff7c5c10c40 _swprintf_c_l malloc RtlPcToFileHeader RaiseException 15839->15840 15841 7ff7c5bbe371 15839->15841 15840->15841 15841->15835 15844 7ff7c5bb7103 15842->15844 15843 7ff7c5bb7243 RaiseFailFastException 15843->15844 15844->15843 15845 7ff7c5bb71c2 RaiseFailFastException 15844->15845 15846 7ff7c5bb71d8 RaiseFailFastException 15844->15846 15847 7ff7c5bb7271 15844->15847 15845->15844 15846->15844 15847->15809 15859 7ff7c5bb6ada 15848->15859 15849 7ff7c5bb6b50 RaiseFailFastException 
15849->15859 15850 7ff7c5bb6dc8 15851 7ff7c5bb6700 8 API calls 15850->15851 15857 7ff7c5bb6dce 15850->15857 15851->15857 15852 7ff7c5bb6e9a 15852->15788 15853 7ff7c5bb6e1c 15855 7ff7c5bb70f0 3 API calls 15853->15855 15854 7ff7c5bb6e0d RaiseFailFastException 15854->15857 15855->15857 15856 7ff7c5bb6ca4 RaiseFailFastException 15856->15859 15857->15852 15858 7ff7c5bb6090 2 API calls 15857->15858 15861 7ff7c5bb6e73 15858->15861 15859->15849 15859->15850 15859->15853 15859->15854 15859->15856 15859->15857 15862 7ff7c5bb6090 2 API calls 15859->15862 15863 7ff7c5bb6d7b RaiseFailFastException 15859->15863 15864 7ff7c5bb6d91 RaiseFailFastException 15859->15864 15865 7ff7c5bbe7d0 4 API calls 15859->15865 15866 7ff7c5bb6320 15859->15866 15861->15788 15862->15859 15863->15859 15864->15859 15865->15859 15867 7ff7c5bb6377 15866->15867 15868 7ff7c5bb634d 15866->15868 15870 7ff7c5bb64e6 15867->15870 15874 7ff7c5bb63a4 15867->15874 15869 7ff7c5bbe7d0 4 API calls 15868->15869 15869->15867 15871 7ff7c5bb64ec RaiseFailFastException 15870->15871 15872 7ff7c5bb64f9 15870->15872 15871->15872 15873 7ff7c5bb6090 2 API calls 15872->15873 15876 7ff7c5bb64d1 15873->15876 15875 7ff7c5bb6090 2 API calls 15874->15875 15875->15876 15876->15859 15878 7ff7c5bb3caa _swprintf_c_l 15877->15878 15881 7ff7c5bbcfc0 RtlCaptureContext 15878->15881 15882 7ff7c5c10c20 8 API calls 15881->15882 15883 7ff7c5bb3cb9 15882->15883 15883->15796 15884 7ff7c5bb1cb0 15885 7ff7c5bb1ce0 15884->15885 15886 7ff7c5bb1d78 15885->15886 15889 7ff7c5bc8939 15885->15889 15893 7ff7c5bc899b 15885->15893 15890 7ff7c5bc893d 15889->15890 15891 7ff7c5bc88fa 15889->15891 15890->15891 15909 7ff7c5bcb470 15890->15909 15891->15886 15896 7ff7c5bc89bc 15893->15896 15894 7ff7c5bc8a25 15919 7ff7c5bf3070 15894->15919 15895 7ff7c5bc8aa7 15902 7ff7c5bc8970 15895->15902 15933 7ff7c5bced80 15895->15933 15896->15894 15896->15895 15899 7ff7c5bc89fe GetTickCount64 15896->15899 15899->15894 15901 7ff7c5bc8a12 15899->15901 15901->15895 15929 
7ff7c5bf3140 15902->15929 15903 7ff7c5bc88fa 15903->15886 15904 7ff7c5bc8b09 15904->15903 15908 7ff7c5bcb470 3 API calls 15904->15908 15906 7ff7c5bc8a49 15906->15895 15906->15902 15907 7ff7c5bc8a83 GetTickCount64 15906->15907 15907->15895 15907->15901 15908->15903 15910 7ff7c5bcb4a2 15909->15910 15914 7ff7c5bcb513 15909->15914 15911 7ff7c5bcb4e6 SwitchToThread 15910->15911 15910->15914 15916 7ff7c5bc2990 15910->15916 15911->15910 15913 7ff7c5bcb5f5 15913->15891 15914->15913 15915 7ff7c5bcb5f0 DebugBreak 15914->15915 15915->15913 15917 7ff7c5bc2994 SleepEx 15916->15917 15918 7ff7c5bc299d 15916->15918 15917->15918 15918->15910 15920 7ff7c5bf3090 15919->15920 15921 7ff7c5bf312a 15919->15921 15922 7ff7c5bc2140 10 API calls 15920->15922 15921->15906 15923 7ff7c5bf30b7 15922->15923 15924 7ff7c5bf311a 15923->15924 15941 7ff7c5bc83d0 15923->15941 15924->15906 15930 7ff7c5bf3156 15929->15930 15931 7ff7c5bf318d 15930->15931 15952 7ff7c5bc2cf0 WaitForSingleObject 15930->15952 15931->15902 15934 7ff7c5bcee1b 15933->15934 15935 7ff7c5bcedb7 15933->15935 15934->15934 15940 7ff7c5bc8ae3 15934->15940 15953 7ff7c5befe80 15934->15953 15935->15934 15936 7ff7c5bc2990 SleepEx 15935->15936 15937 7ff7c5bcedf5 15936->15937 15937->15934 15939 7ff7c5bdc120 3 API calls 15937->15939 15939->15934 15940->15902 15940->15903 15940->15904 15942 7ff7c5bc83e8 15941->15942 15951 7ff7c5bc2cf0 WaitForSingleObject 15942->15951 15955 7ff7c5befeb7 15953->15955 15956 7ff7c5bf010a _swprintf_c_l 15955->15956 15957 7ff7c5be03e0 15955->15957 15956->15934 15961 7ff7c5be0402 15957->15961 15958 7ff7c5be0455 15959 7ff7c5be051c 15958->15959 15963 7ff7c5be2580 15958->15963 15959->15955 15961->15958 15962 7ff7c5be04d9 EnterCriticalSection LeaveCriticalSection 15961->15962 15962->15958 15964 7ff7c5be2599 15963->15964 15966 7ff7c5be25a6 15963->15966 15967 7ff7c5bd5740 15964->15967 15966->15959 15968 7ff7c5bd5804 15967->15968 15969 7ff7c5bd5780 15967->15969 15968->15966 15969->15968 15973 7ff7c5bd5640 
EnterCriticalSection 15969->15973 15972 7ff7c5bd5640 7 API calls 15972->15968 15974 7ff7c5bd56b1 15973->15974 15975 7ff7c5bd56c7 LeaveCriticalSection 15974->15975 15976 7ff7c5bd5719 LeaveCriticalSection 15974->15976 15977 7ff7c5bc29e0 3 API calls 15975->15977 15979 7ff7c5bd5725 15976->15979 15978 7ff7c5bd56f8 15977->15978 15978->15979 15980 7ff7c5bd56fc EnterCriticalSection 15978->15980 15979->15968 15979->15972 15980->15976 15981 7ff7c5bb4070 15986 7ff7c5bb7580 15981->15986 15983 7ff7c5bb4082 15992 7ff7c5c55460 15983->15992 15987 7ff7c5bb75a6 15986->15987 15991 7ff7c5bb75c4 15987->15991 15999 7ff7c5bbc8a0 FlsGetValue 15987->15999 15989 7ff7c5bb75bc 15990 7ff7c5bb26b0 6 API calls 15989->15990 15990->15991 15991->15983 16002 7ff7c5bb3200 15992->16002 15994 7ff7c5c55481 16018 7ff7c5c41a00 15994->16018 15997 7ff7c5c55486 16021 7ff7c5bb41d0 15997->16021 16026 7ff7c5bb41a0 15997->16026 16000 7ff7c5bbc8ba RaiseFailFastException 15999->16000 16001 7ff7c5bbc8c8 FlsSetValue 15999->16001 16000->16001 16003 7ff7c5bb322f 16002->16003 16004 7ff7c5bb325e 16002->16004 16003->16004 16005 7ff7c5bb32ef 16003->16005 16008 7ff7c5bb32d6 16003->16008 16013 7ff7c5bb32b7 16003->16013 16014 7ff7c5bb3298 16003->16014 16004->15994 16006 7ff7c5bb330f 16005->16006 16007 7ff7c5bb32f6 16005->16007 16011 7ff7c5bb3335 16006->16011 16030 7ff7c5bb30c0 GetLastError 16006->16030 16010 7ff7c5bbce20 2 API calls 16007->16010 16009 7ff7c5bb7580 9 API calls 16008->16009 16009->16005 16012 7ff7c5bb3302 RaiseFailFastException 16010->16012 16011->15994 16012->16006 16013->16008 16017 7ff7c5bb32c9 RaiseFailFastException 16013->16017 16016 7ff7c5bb32a0 Sleep 16014->16016 16016->16013 16016->16016 16017->16008 16033 7ff7c5c41b50 16018->16033 16020 7ff7c5c41a10 16020->15997 16023 7ff7c5bb41e0 16021->16023 16022 7ff7c5bb41ec WaitForSingleObjectEx 16022->16023 16025 7ff7c5bb4224 16022->16025 16023->16022 16024 7ff7c5bb4215 16023->16024 16024->15997 16025->15997 16027 7ff7c5bb41b6 16026->16027 16028 7ff7c5bc0b91 
SetEvent 16027->16028 16029 7ff7c5bc0b8a 16027->16029 16028->15997 16029->15997 16031 7ff7c5bb30e4 SetLastError 16030->16031 16034 7ff7c5c41b7c 16033->16034 16035 7ff7c5c41bee 16034->16035 16036 7ff7c5c41bc2 CoInitializeEx 16034->16036 16035->16020 16037 7ff7c5c41bd9 16036->16037 16038 7ff7c5c41bdd 16037->16038 16041 7ff7c5c41bf0 16037->16041 16038->16035 16045 7ff7c5c41c70 16038->16045 16040 7ff7c5c41c4e 16042 7ff7c5bb47e0 26 API calls 16040->16042 16041->16035 16041->16040 16043 7ff7c5bb47e0 26 API calls 16041->16043 16044 7ff7c5c41c6e 16042->16044 16043->16040 16047 7ff7c5c41c96 16045->16047 16046 7ff7c5c41cd7 16046->16035 16047->16046 16048 7ff7c5c41cc9 CoUninitialize 16047->16048 16048->16046 16049 7ff7c5be2670 16050 7ff7c5be268d 16049->16050 16071 7ff7c5bc29a0 VirtualAlloc 16050->16071 16052 7ff7c5be26b3 16074 7ff7c5bc2740 InitializeCriticalSection 16052->16074 16054 7ff7c5be26fd 16055 7ff7c5be2b23 16054->16055 16075 7ff7c5bf2dc0 16054->16075 16057 7ff7c5be272c _swprintf_c_l 16070 7ff7c5be296a 16057->16070 16085 7ff7c5be2380 16057->16085 16059 7ff7c5be28ff 16060 7ff7c5bc2ab0 3 API calls 16059->16060 16061 7ff7c5be2939 16060->16061 16061->16070 16089 7ff7c5be2b50 16061->16089 16063 7ff7c5be295b 16064 7ff7c5be295f 16063->16064 16066 7ff7c5be298e 16063->16066 16144 7ff7c5bc2a90 VirtualFree 16064->16144 16066->16070 16106 7ff7c5bf59f0 16066->16106 16072 7ff7c5bc29c1 VirtualFree 16071->16072 16073 7ff7c5bc29d9 16071->16073 16072->16052 16073->16052 16074->16054 16076 7ff7c5bf2def 16075->16076 16077 7ff7c5bf2e12 16076->16077 16078 7ff7c5bf2e1c 16076->16078 16084 7ff7c5bf2e47 16076->16084 16145 7ff7c5bc2b30 16077->16145 16080 7ff7c5bc2ab0 3 API calls 16078->16080 16082 7ff7c5bf2e2d 16080->16082 16082->16084 16156 7ff7c5bc2a90 VirtualFree 16082->16156 16084->16057 16087 7ff7c5be239f 16085->16087 16088 7ff7c5be23bb 16087->16088 16157 7ff7c5bc2020 16087->16157 16088->16059 16090 7ff7c5be2b85 16089->16090 16091 7ff7c5be2b89 16090->16091 16100 7ff7c5be2ba3 16090->16100 
16092 7ff7c5c10c20 8 API calls 16091->16092 16093 7ff7c5be2b9b 16092->16093 16093->16063 16094 7ff7c5be2bee EnterCriticalSection 16094->16100 16095 7ff7c5be2c7f 16099 7ff7c5c10c20 8 API calls 16095->16099 16096 7ff7c5be2c2e LeaveCriticalSection 16098 7ff7c5bc29e0 3 API calls 16096->16098 16097 7ff7c5be2d39 LeaveCriticalSection 16097->16095 16103 7ff7c5be2d4e 16097->16103 16098->16100 16102 7ff7c5be2d10 16099->16102 16100->16094 16100->16095 16100->16096 16100->16097 16101 7ff7c5be2d18 EnterCriticalSection 16100->16101 16101->16097 16102->16063 16103->16095 16105 7ff7c5be2d73 EnterCriticalSection LeaveCriticalSection 16103->16105 16164 7ff7c5bc2a70 VirtualFree 16103->16164 16105->16103 16165 7ff7c5bf5930 16106->16165 16109 7ff7c5be1d80 16110 7ff7c5be1de8 16109->16110 16142 7ff7c5be1e11 16110->16142 16169 7ff7c5bc1f60 16110->16169 16111 7ff7c5be2344 16183 7ff7c5bc1ec0 CloseHandle 16111->16183 16112 7ff7c5be2350 16114 7ff7c5be2365 16112->16114 16115 7ff7c5be2359 16112->16115 16114->16070 16184 7ff7c5bc1ec0 CloseHandle 16115->16184 16118 7ff7c5be1e52 16119 7ff7c5bc1f60 4 API calls 16118->16119 16118->16142 16120 7ff7c5be1e68 _swprintf_c_l 16119->16120 16121 7ff7c5bc2140 10 API calls 16120->16121 16120->16142 16122 7ff7c5be2176 16121->16122 16123 7ff7c5bc1f60 4 API calls 16122->16123 16124 7ff7c5be21ee 16123->16124 16127 7ff7c5bc1f60 4 API calls 16124->16127 16141 7ff7c5be2230 16124->16141 16125 7ff7c5be22f0 16179 7ff7c5bc1ec0 CloseHandle 16125->16179 16126 7ff7c5be22fc 16129 7ff7c5be2305 16126->16129 16130 7ff7c5be2311 16126->16130 16131 7ff7c5be2204 16127->16131 16180 7ff7c5bc1ec0 CloseHandle 16129->16180 16133 7ff7c5be2326 16130->16133 16134 7ff7c5be231a 16130->16134 16131->16141 16174 7ff7c5bc1ee0 16131->16174 16137 7ff7c5be232f 16133->16137 16133->16142 16181 7ff7c5bc1ec0 CloseHandle 16134->16181 16182 7ff7c5bc1ec0 CloseHandle 16137->16182 16138 7ff7c5be221a 16140 7ff7c5bc1f60 4 API calls 16138->16140 16138->16141 16140->16141 16141->16125 16141->16126 16141->16142 
16142->16111 16142->16112 16143 7ff7c5be22cf 16142->16143 16143->16070 16144->16070 16146 7ff7c5bc2bf6 GetLargePageMinimum 16145->16146 16147 7ff7c5bc2b5e LookupPrivilegeValueW 16145->16147 16150 7ff7c5bc2c16 VirtualAlloc 16146->16150 16151 7ff7c5bc2c33 GetCurrentProcess VirtualAllocExNuma 16146->16151 16148 7ff7c5bc2c2f 16147->16148 16149 7ff7c5bc2b7a GetCurrentProcess OpenProcessToken 16147->16149 16154 7ff7c5c10c20 8 API calls 16148->16154 16149->16148 16152 7ff7c5bc2bb1 AdjustTokenPrivileges GetLastError CloseHandle 16149->16152 16150->16148 16151->16148 16152->16148 16153 7ff7c5bc2beb 16152->16153 16153->16146 16153->16148 16155 7ff7c5bc2c66 16154->16155 16155->16082 16156->16084 16158 7ff7c5bc2028 16157->16158 16159 7ff7c5bc2041 GetLogicalProcessorInformation 16158->16159 16163 7ff7c5bc206d 16158->16163 16160 7ff7c5bc2062 GetLastError 16159->16160 16161 7ff7c5bc2074 16159->16161 16160->16161 16160->16163 16162 7ff7c5bc20b1 GetLogicalProcessorInformation 16161->16162 16161->16163 16162->16163 16163->16088 16164->16103 16166 7ff7c5bf5949 16165->16166 16168 7ff7c5be2b02 16165->16168 16167 7ff7c5bf5960 GetEnabledXStateFeatures 16166->16167 16166->16168 16167->16168 16168->16109 16170 7ff7c5c10c40 _swprintf_c_l 3 API calls 16169->16170 16171 7ff7c5bc1f86 16170->16171 16172 7ff7c5bc1f8e CreateEventW 16171->16172 16173 7ff7c5bc1fb0 16171->16173 16172->16173 16173->16118 16175 7ff7c5c10c40 _swprintf_c_l 3 API calls 16174->16175 16176 7ff7c5bc1f06 16175->16176 16177 7ff7c5bc1f0e CreateEventW 16176->16177 16178 7ff7c5bc1f2e 16176->16178 16177->16178 16178->16138 16179->16126 16180->16130 16181->16133 16182->16142 16183->16112 16184->16114 16185 7ff7c5bcb310 16186 7ff7c5bcb31b 16185->16186 16187 7ff7c5bcb320 16186->16187 16194 7ff7c5bbdaf0 16186->16194 16189 7ff7c5bcb359 16190 7ff7c5bc2320 14 API calls 16189->16190 16191 7ff7c5bcb3ab 16190->16191 16192 7ff7c5bc4610 18 API calls 16191->16192 16193 7ff7c5bcb3b7 16192->16193 16195 7ff7c5bbdafd 16194->16195 16198 
7ff7c5bb7b00 16195->16198 16199 7ff7c5bb7b42 16198->16199 16200 7ff7c5bb7b66 FlushProcessWriteBuffers 16199->16200 16201 7ff7c5bb7b83 16200->16201 16202 7ff7c5bb7c69 16201->16202 16204 7ff7c5bb7bf9 SwitchToThread 16201->16204 16205 7ff7c5bb2c00 16201->16205 16204->16201 16206 7ff7c5bb2c27 16205->16206 16207 7ff7c5bb2c07 16205->16207 16206->16201 16207->16206 16208 7ff7c5bbcac1 LoadLibraryExW GetProcAddress 16207->16208 16221 7ff7c5bbcbc4 16207->16221 16210 7ff7c5bbcaf5 GetCurrentProcess 16208->16210 16211 7ff7c5bbcbad GetProcAddress 16208->16211 16209 7ff7c5bbcc25 SuspendThread 16212 7ff7c5bbcc33 GetThreadContext 16209->16212 16213 7ff7c5bbcc89 16209->16213 16218 7ff7c5bbcb0a _swprintf_c_l 16210->16218 16211->16221 16214 7ff7c5bbcc80 ResumeThread 16212->16214 16215 7ff7c5bbcc53 16212->16215 16216 7ff7c5c10c20 8 API calls 16213->16216 16214->16213 16215->16214 16217 7ff7c5bbcc99 16216->16217 16217->16201 16218->16211 16219 7ff7c5bbcb41 VerSetConditionMask VerSetConditionMask VerSetConditionMask VerifyVersionInfoW 16218->16219 16219->16211 16220 7ff7c5bbcc19 16219->16220 16220->16209 16220->16213 16221->16209 16221->16213 16222 7ff7c5bbcc0e GetLastError 16221->16222 16222->16220 16223 7ff7c5bce731 16226 7ff7c5bce750 16223->16226 16224 7ff7c5bce832 16251 7ff7c5be7780 16224->16251 16226->16224 16227 7ff7c5bce7b2 16226->16227 16237 7ff7c5bce6f2 16227->16237 16240 7ff7c5bcf3d0 16227->16240 16229 7ff7c5bce8d4 16231 7ff7c5bced80 12 API calls 16229->16231 16230 7ff7c5bce839 16232 7ff7c5bf3070 14 API calls 16230->16232 16239 7ff7c5bce888 16230->16239 16234 7ff7c5bce8ec 16231->16234 16235 7ff7c5bce86b 16232->16235 16233 7ff7c5bce7ff 16234->16237 16235->16237 16238 7ff7c5be7780 GetTickCount64 16235->16238 16235->16239 16236 7ff7c5bf3140 WaitForSingleObject 16236->16237 16237->16233 16237->16236 16238->16239 16239->16227 16239->16229 16239->16237 16241 7ff7c5bcf412 16240->16241 16242 7ff7c5bcf4a6 16241->16242 16243 7ff7c5bcf4f7 16241->16243 16245 7ff7c5bcf4e5 16241->16245 16246 
7ff7c5bcf4b5 SwitchToThread 16242->16246 16243->16245 16247 7ff7c5bc83d0 WaitForSingleObject 16243->16247 16250 7ff7c5bcf4ed 16245->16250 16255 7ff7c5bf16f0 16245->16255 16248 7ff7c5bcf4c3 16246->16248 16247->16248 16248->16245 16249 7ff7c5bdc120 3 API calls 16248->16249 16249->16245 16250->16237 16252 7ff7c5be77c2 16251->16252 16253 7ff7c5be779e 16251->16253 16252->16253 16254 7ff7c5be77e6 GetTickCount64 16252->16254 16253->16230 16254->16253 16258 7ff7c5bcc260 16255->16258 16257 7ff7c5bf172a 16257->16245 16259 7ff7c5bcc2aa 16258->16259 16260 7ff7c5bf1540 4 API calls 16259->16260 16264 7ff7c5bcc381 16259->16264 16265 7ff7c5bcc3bb _swprintf_c_l 16260->16265 16261 7ff7c5be4530 2 API calls 16262 7ff7c5bcc5a3 16261->16262 16263 7ff7c5bd3ff0 6 API calls 16262->16263 16262->16264 16263->16264 16264->16257 16265->16261 16265->16262 16266 7ff7c5bc9d8d 16267 7ff7c5bc9d99 16266->16267 16284 7ff7c5bdc090 16267->16284 16270 7ff7c5bc9dcd 16288 7ff7c5bc2930 QueryPerformanceCounter 16270->16288 16273 7ff7c5bc9dee 16274 7ff7c5bbdaf0 22 API calls 16273->16274 16277 7ff7c5bc9e3e 16274->16277 16275 7ff7c5bc9f4d 16276 7ff7c5bdc090 SwitchToThread 16275->16276 16278 7ff7c5bc9fd5 16276->16278 16277->16275 16290 7ff7c5bc2930 QueryPerformanceCounter 16277->16290 16281 7ff7c5bc9ff8 16278->16281 16291 7ff7c5bc2980 SetEvent 16278->16291 16292 7ff7c5bbd440 16281->16292 16283 7ff7c5bca029 16285 7ff7c5bc9daf 16284->16285 16287 7ff7c5bdc0af 16284->16287 16285->16270 16289 7ff7c5bc2970 ResetEvent 16285->16289 16286 7ff7c5bdc0f1 SwitchToThread 16286->16287 16287->16285 16287->16286 16288->16273 16290->16275 16293 7ff7c5bb40e0 16292->16293 16294 7ff7c5bbd448 16292->16294 16295 7ff7c5bc0b91 SetEvent 16293->16295 16296 7ff7c5bc0b8a 16293->16296 16294->16283 16295->16283 16296->16283 16297 7ff7c5bcf54d 16298 7ff7c5bf16f0 6 API calls 16297->16298 16300 7ff7c5bcf52b 16298->16300 16299 7ff7c5bf16f0 6 API calls 16299->16300 16300->16299 16301 7ff7c5bcf631 16300->16301 16302 7ff7c5c626c0 16303 7ff7c5bb3200 
16 API calls 16302->16303 16304 7ff7c5c626e0 16303->16304 16315 7ff7c5bb3a10 16304->16315 16308 7ff7c5c62706 16327 7ff7c5bb4390 16308->16327 16310 7ff7c5c62739 16336 7ff7c5c54c50 16310->16336 16313 7ff7c5c62718 16313->16310 16332 7ff7c5c62a10 16313->16332 16314 7ff7c5c62746 16316 7ff7c5c10c40 _swprintf_c_l 3 API calls 16315->16316 16317 7ff7c5bb3a2a 16316->16317 16318 7ff7c5c62860 16317->16318 16323 7ff7c5c6289c 16318->16323 16319 7ff7c5c62986 16326 7ff7c5c62993 16319->16326 16349 7ff7c5c63980 16319->16349 16321 7ff7c5c62977 16324 7ff7c5bb4390 26 API calls 16321->16324 16323->16319 16323->16321 16344 7ff7c5bb39a0 16323->16344 16324->16319 16326->16308 16328 7ff7c5bb4399 16327->16328 16329 7ff7c5bb47e0 26 API calls 16328->16329 16330 7ff7c5bb43de 16328->16330 16331 7ff7c5c55990 16329->16331 16330->16313 16333 7ff7c5c62a38 16332->16333 16335 7ff7c5c62a68 16333->16335 16357 7ff7c5c62c20 16333->16357 16335->16313 16338 7ff7c5c54c5a 16336->16338 16337 7ff7c5c54c5f 16337->16314 16338->16337 16339 7ff7c5bb47e0 26 API calls 16338->16339 16341 7ff7c5c54c84 16339->16341 16340 7ff7c5c54c9f 16340->16314 16341->16340 16342 7ff7c5bb47e0 26 API calls 16341->16342 16343 7ff7c5c54cc4 16342->16343 16353 7ff7c5bbecb0 16344->16353 16347 7ff7c5c10c40 _swprintf_c_l 3 API calls 16348 7ff7c5bb39ca 16347->16348 16348->16323 16350 7ff7c5c63991 16349->16350 16351 7ff7c5bb47e0 26 API calls 16350->16351 16352 7ff7c5c639a4 16351->16352 16354 7ff7c5bbecdc 16353->16354 16356 7ff7c5bb39af 16353->16356 16355 7ff7c5c10c40 _swprintf_c_l 3 API calls 16354->16355 16354->16356 16355->16356 16356->16347 16358 7ff7c5bb4390 26 API calls 16357->16358 16360 7ff7c5c62c66 16358->16360 16359 7ff7c5c62d6f 16359->16335 16360->16359 16362 7ff7c5bb1f50 16360->16362 16363 7ff7c5bb1f96 16362->16363 16366 7ff7c5bb1cb0 16363->16366 16365 7ff7c5bb1fa6 16365->16360 16367 7ff7c5bb1ce0 16366->16367 16368 7ff7c5bb1d78 16367->16368 16369 7ff7c5bc899b 27 API calls 16367->16369 16370 7ff7c5bc8939 3 API calls 16367->16370 
16368->16365 16369->16368 16370->16368 16371 7ff7c5c601c0 16372 7ff7c5c601d5 16371->16372 16373 7ff7c5bb4390 26 API calls 16372->16373 16374 7ff7c5c601eb 16373->16374 16377 7ff7c5c5d320 16374->16377 16378 7ff7c5c5d34d 16377->16378 16381 7ff7c5ca33b0 16378->16381 16380 7ff7c5c5d373 16384 7ff7c5ca33df 16381->16384 16382 7ff7c5ca34a4 16382->16380 16383 7ff7c5ca3493 16398 7ff7c5ca3700 16383->16398 16384->16382 16384->16383 16387 7ff7c5ca37e0 16384->16387 16393 7ff7c5ca380a 16387->16393 16388 7ff7c5ca38e5 16391 7ff7c5bb4390 26 API calls 16388->16391 16390 7ff7c5ca38d9 16390->16388 16395 7ff7c5ca38e0 16390->16395 16392 7ff7c5ca38ff 16391->16392 16394 7ff7c5bb4390 26 API calls 16392->16394 16393->16388 16397 7ff7c5ca3911 16393->16397 16402 7ff7c5c54540 16393->16402 16394->16397 16396 7ff7c5bb47e0 26 API calls 16395->16396 16396->16397 16397->16383 16399 7ff7c5ca3740 16398->16399 16401 7ff7c5ca376a 16398->16401 16407 7ff7c5caa110 16399->16407 16401->16382 16403 7ff7c5c545c9 16402->16403 16405 7ff7c5c5454c 16402->16405 16403->16402 16404 7ff7c5bb47e0 26 API calls 16403->16404 16406 7ff7c5c54609 16403->16406 16404->16403 16405->16390 16406->16390 16408 7ff7c5c54c50 26 API calls 16407->16408 16409 7ff7c5caa12f 16408->16409 16409->16401

                                              Control-flow Graph

                                              APIs
                                              • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC276F
                                              • GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27AD
                                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27D9
                                              • GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27EA
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27F9
                                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC2890
                                              • GetProcessAffinityMask.KERNEL32 ref: 00007FF7C5BC28A3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
                                              • String ID:
                                              • API String ID: 580471860-0
                                              • Opcode ID: 45801e776555b8e194c9aa2d1e16ed710466e2a1524dc6a719c278de692efd2d
                                              • Instruction ID: a0265ed556f580824374aceaee1a9fefb1157cb92e3a70ebd297be23348bb6f0
                                              • Opcode Fuzzy Hash: 45801e776555b8e194c9aa2d1e16ed710466e2a1524dc6a719c278de692efd2d
                                              • Instruction Fuzzy Hash: 51513A71A18B4686EA40AF16A4842B9EBA1FF88FA0FC44032D98D47364DF2EF544C764

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00007FF7C5BBCCC0: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C5BB7D0F,?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BBCCCB
                                                • Part of subcall function 00007FF7C5BBCCC0: QueryInformationJobObject.KERNEL32 ref: 00007FF7C5BBCD9E
                                                • Part of subcall function 00007FF7C5BBCA50: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF7C5BB7D38,?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BBCA61
                                              • RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF7C5BB7D99
                                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BB7E83
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                               • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: Exception$AllocFailFastHandleHandlerInformationModuleObjectQueryRaiseVectored
                                              • String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
                                              • API String ID: 2052584837-2841289747
                                              • Opcode ID: f2b9abe9ea48f1f248b00dabf98db4d072048249cb7df99e1d28330ab400daa0
                                              • Instruction ID: 385f51516ae8b66d8b5abba5a6952c6565e08d9ccfaa942e97bb62fc67a1e9da
                                              • Opcode Fuzzy Hash: f2b9abe9ea48f1f248b00dabf98db4d072048249cb7df99e1d28330ab400daa0
                                              • Instruction Fuzzy Hash: B4417D72E08A4285E614BF2098422B9EB91AF41FA4FC85031ED4D1769ADFAFF805C374

                                              Control-flow Graph

                                               Control-flow graph (image): function at 0x7FF7C5C11544, basic blocks 260-307, calling malloc and the functions at 0x7FF7C5C14DA1, 0x7FF7C5C119C4 and 0x7FF7C5C119A4.
                                              APIs
                                              • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7C5C10C49,?,?,?,?,00007FF7C5BBE371,?,?,?,00007FF7C5BBE8F4,00000000,00000020,?), ref: 00007FF7C5C1155E
                                              • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C5C11574
                                                • Part of subcall function 00007FF7C5C119A4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7C5C119AD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                               • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
                                              • String ID:
                                              • API String ID: 205171174-0
                                              • Opcode ID: 27e6cda894de4fa0304efac44748c012d57ffdf58763d5e7702285d7d28e6379
                                              • Instruction ID: 50f18cec87cf6a5d864db1799d615d75557e840ccb291cf28e4440205589cbb3
                                              • Opcode Fuzzy Hash: 27e6cda894de4fa0304efac44748c012d57ffdf58763d5e7702285d7d28e6379
                                              • Instruction Fuzzy Hash: E2818272E0874349F724AF25E881279BBA0EB14BB4F948679DA2D877D4DF3E95408720
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                               • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: CurrentProcess
                                              • String ID:
                                              • API String ID: 2050909247-0
                                              • Opcode ID: f0dfdf7af6af81cb248c0b7d5687ff178028e7272b22a3959eccb5cdaccec322
                                              • Instruction ID: 2393cb354c949ce394375b26a82f7b4ae9696f076f6797b6e0e7dd96a151320e
                                              • Opcode Fuzzy Hash: f0dfdf7af6af81cb248c0b7d5687ff178028e7272b22a3959eccb5cdaccec322
                                              • Instruction Fuzzy Hash: AD02BE71E0874686FA15AF25A881638FBA1AF45FA5FD88635C40E13361DF7FB481C7A0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                               • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e39a6d2a229733a357ef1439a5aa976bf2a0c87c5cc00d6ed37d4a0b7744e069
                                              • Instruction ID: 252de5c3194893fefa142ff1c7ed1080cac2de57db454f48f3dc81330c37e79c
                                              • Opcode Fuzzy Hash: e39a6d2a229733a357ef1439a5aa976bf2a0c87c5cc00d6ed37d4a0b7744e069
                                              • Instruction Fuzzy Hash: 1FF1B461D1DF4745F602FF24A9912B5E7A1BF95FA0FD88336E40E112A2EF6E74908360

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                               • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                                              • String ID: @$@$@
                                              • API String ID: 2645093340-1177533131
                                              • Opcode ID: 24ec87d12b26eb49bf664ef79eb868f4d5178a434dc5e340da1fb202b067f73e
                                              • Instruction ID: 3b95d2b244a3a8a53114196fc3eff761cdd01926d798836dd5d14ce202c0f1f2
                                              • Opcode Fuzzy Hash: 24ec87d12b26eb49bf664ef79eb868f4d5178a434dc5e340da1fb202b067f73e
                                              • Instruction Fuzzy Hash: 37412032608AC186EB719F11E4547AAF7A0FB84B70F884235DBAD47AD8DF3DE4458B14

                                              Control-flow Graph

                                              APIs
                                              • FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C5BB7D0F,?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BBCCCB
                                                • Part of subcall function 00007FF7C5BC2760: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC276F
                                                • Part of subcall function 00007FF7C5BC2760: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27AD
                                                • Part of subcall function 00007FF7C5BC2760: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27D9
                                                • Part of subcall function 00007FF7C5BC2760: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27EA
                                                • Part of subcall function 00007FF7C5BC2760: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27F9
                                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C5BB7D0F,?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BBCD3D
                                              • GetProcessAffinityMask.KERNEL32 ref: 00007FF7C5BBCD50
                                              • QueryInformationJobObject.KERNEL32 ref: 00007FF7C5BBCD9E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                               • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
                                              • String ID: PROCESSOR_COUNT
                                              • API String ID: 1701933505-4048346908
                                              • Opcode ID: df59b9fccf507002a6fc365712127db3b91d70bddeca77e829d668f229e319f7
                                              • Instruction ID: 004413651309de67326b668b69493f3d4a402b76122355c904d98c052f261e8c
                                              • Opcode Fuzzy Hash: df59b9fccf507002a6fc365712127db3b91d70bddeca77e829d668f229e319f7
                                              • Instruction Fuzzy Hash: 2D31B635A08A4382EB54FF54D4822B9EB61EF90B64FC40031DA8D47695DF7EF408C7A4
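The per-function "APIs" lists in these records (the FlsAlloc / QueryInformationJobObject record, the malloc / Concurrency::cancel_current_task record and the PROCESSOR_COUNT record directly above) share one line format, and each record's "API ID" under "Similarity" is derived from the call names in that list. The Python below is an added example, not code from this Joe Sandbox report or from Joe Security: it parses those lines into structured records (direct call vs. subcall, module, captured arguments, call-site address) and rebuilds the API ID. The tokenisation rules it uses (CamelCase split, tokens of three characters or fewer discarded, tokens grouped by frequency with "$" between groups, alphabetical order inside a group) are inferred only from the API ID values printed on this page, not from any Joe Sandbox documentation, and are therefore an assumption; the sample lines are copied from this report.

```python
"""Parse the "APIs" lines of a Joe Sandbox function record and rebuild the
record's "API ID" from the call names.

Added example, not code from the Joe Sandbox report or from Joe Security.
ASSUMPTION: the tokenisation rules (CamelCase split, tokens of three or fewer
characters dropped, tokens grouped by frequency, '$' between groups, alphabetical
order inside a group) are inferred from the API ID values on this page only.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "• Name.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:" for calls made inside a callee.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Za-z0-9_\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
CAMEL_WORD_RE = re.compile(r"[A-Z][a-z0-9]*")
MIN_TOKEN_LEN = 4  # assumption: Get/Rtl/Fls/Job/Ex/W never show up in an API ID


@dataclass(frozen=True)
class ApiCall:
    name: str              # GetCurrentProcess, malloc, std::bad_alloc::bad_alloc, ...
    module: str            # KERNEL32, NTDLL, API-MS-WIN-CRT-HEAP-L1-1-0, ...
    args: Tuple[str, ...]  # recorded argument values, "?" where none was captured
    ref: int               # address of the call instruction
    parent: Optional[int]  # callee that made the call, None for a direct call


def parse_api_lines(text: str) -> List[ApiCall]:
    """One ApiCall per recognised line; headings and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), parent))
    return calls


def tokenize(name: str) -> List[str]:
    """Split a Win32-style CamelCase name into words; C/C++ names stay whole."""
    words = CAMEL_WORD_RE.findall(name) if re.fullmatch(r"(?:[A-Z][a-z0-9]*)+", name) else [name]
    return [w for w in words if len(w) >= MIN_TOKEN_LEN]


def api_id(calls: List[ApiCall]) -> str:
    """Most frequent tokens first, alphabetical inside a group, groups joined by '$'."""
    counts = Counter(tok for call in calls for tok in tokenize(call.name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def direct_calls(calls: List[ApiCall]) -> List[str]:
    """Names the function calls itself, in report order (subcalls excluded)."""
    return [c.name for c in calls if c.parent is None]


# Sample input: three "APIs" lists copied from this report, keyed by the
# API ID the report prints for the same record.
SAMPLES = {
    "Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem": """
• FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C5BB7D0F,?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BBCCCB
  • Part of subcall function 00007FF7C5BC2760: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC276F
  • Part of subcall function 00007FF7C5BC2760: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27AD
  • Part of subcall function 00007FF7C5BC2760: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27D9
  • Part of subcall function 00007FF7C5BC2760: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27EA
  • Part of subcall function 00007FF7C5BC2760: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C5BBCCEA), ref: 00007FF7C5BC27F9
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C5BB7D0F,?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BBCD3D
• GetProcessAffinityMask.KERNEL32 ref: 00007FF7C5BBCD50
• QueryInformationJobObject.KERNEL32 ref: 00007FF7C5BBCD9E
""",
    "Exception$AllocFailFastHandleHandlerInformationModuleObjectQueryRaiseVectored": """
  • Part of subcall function 00007FF7C5BBCCC0: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C5BB7D0F,?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BBCCCB
  • Part of subcall function 00007FF7C5BBCCC0: QueryInformationJobObject.KERNEL32 ref: 00007FF7C5BBCD9E
  • Part of subcall function 00007FF7C5BBCA50: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF7C5BB7D38,?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BBCA61
• RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF7C5BB7D99
• RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BB7E83
""",
    "Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc": """
• malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7C5C10C49,?,?,?,?,00007FF7C5BBE371,?,?,?,00007FF7C5BBE8F4,00000000,00000020,?), ref: 00007FF7C5C1155E
• Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C5C11574
  • Part of subcall function 00007FF7C5C119A4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7C5C119AD
""",
}


def check_against_report() -> dict:
    """Map each report API ID to whether the rebuilt value matches it."""
    return {expected: api_id(parse_api_lines(text)) == expected for expected, text in SAMPLES.items()}


if __name__ == "__main__":
    for expected, ok in check_against_report().items():
        print("match" if ok else "MISMATCH", expected)
```

Running the script prints "match" for all three records. Splitting direct calls from subcalls is what makes the lists readable for triage: the PROCESSOR_COUNT record, for instance, is affinity-mask, NUMA-node and job-object CPU-limit queries plus a PROCESSOR_COUNT override, which is processor-count discovery rather than payload behaviour, and grouping by API ID lets the reviewer set such records aside and concentrate on the calls behind the AgentTesla verdict in the overview.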

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              • Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF7C5BB32F6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                               • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: ExceptionFailFastRaise$Sleep
                                              • String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
                                              • API String ID: 3706814929-926682358
                                              • Opcode ID: f0ad88474fe839b686b509391016526058ed6e238c5a0b46c6db29e8ccb78c36
                                              • Instruction ID: 9c0181d9e56d7b60a45a41549ac1a38b2d7f80e31004d3f8f93ff014d6e13037
                                              • Opcode Fuzzy Hash: f0ad88474fe839b686b509391016526058ed6e238c5a0b46c6db29e8ccb78c36
                                              • Instruction Fuzzy Hash: CE414A32A09A42C6EBA0BF19E480379B7A0AF04FA4F844039CE0D43395DF7FE545C2A4

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                               • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
                                              • String ID:
                                              • API String ID: 2150560229-0
                                              • Opcode ID: 4a56b605204c313bed2949cdee0fbdf40efa17fe1b8a4b6ea1de50fcfb5e3b56
                                              • Instruction ID: 4dc650ec37378bbf54b39c0e809a7f84d61e53fc062b7c01227d5b8721264f87
                                              • Opcode Fuzzy Hash: 4a56b605204c313bed2949cdee0fbdf40efa17fe1b8a4b6ea1de50fcfb5e3b56
                                              • Instruction Fuzzy Hash: F2E06DB5A1570282EB18AF21A8183399350BFD8F95F884134DE4E073A0EE3E91558A14

                                              Control-flow Graph

                                               Control-flow graph (image): function at 0x7FF7C5BC2140, basic blocks 175-215, calling GlobalMemoryStatusEx, GetCurrentProcess and the functions at 0x7FF7C5C108C3 and 0x7FF7C5C10C20.
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                               • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: CurrentGlobalMemoryProcessStatus
                                              • String ID: @
                                              • API String ID: 3261791682-2766056989
                                              • Opcode ID: 28461a306fc3374e589f1644d5753cbf3d64b28f9de3a6a1dcdcbb79d88f20ec
                                              • Instruction ID: 0efc293edd42f254686d7279f196e1723198f3f0a0920ad972fe2505384fb731
                                              • Opcode Fuzzy Hash: 28461a306fc3374e589f1644d5753cbf3d64b28f9de3a6a1dcdcbb79d88f20ec
                                              • Instruction Fuzzy Hash: D041E161A09F4641E956DE369110339DA52AF49FE0F588631DD8F6A744FF3EF4818620

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                               • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: Count64Tick
                                              • String ID: D)
                                              • API String ID: 1927824332-848725745
                                              • Opcode ID: b9fe4c2506f08c6a26c8c4dd7f3f4db5274bf5845df2519089e1e6bba78dcdb3
                                              • Instruction ID: e267216e8a43850993a323c03df23c1c55eaabb7050d2d9be254b065021bb08d
                                              • Opcode Fuzzy Hash: b9fe4c2506f08c6a26c8c4dd7f3f4db5274bf5845df2519089e1e6bba78dcdb3
                                              • Instruction Fuzzy Hash: EB416A32A08B4295FB61BF25E484279EB90AF00FA4F984432E94E477A5DE3FF4418374

                                              APIs
                                              • VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF7C5BC6538,?,?,0000000B,00007FF7C5BC5400,?,?,00000000,00007FF7C5BBF7C1), ref: 00007FF7C5BC2A07
                                              • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF7C5BC6538,?,?,0000000B,00007FF7C5BC5400,?,?,00000000,00007FF7C5BBF7C1), ref: 00007FF7C5BC2A27
                                              • VirtualAllocExNuma.KERNEL32 ref: 00007FF7C5BC2A48
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: AllocVirtual$CurrentNumaProcess
                                              • String ID:
                                              • API String ID: 647533253-0
                                              • Opcode ID: 625f1e7399fc93da6f37fa1e0330fb08ecf441602bb64bf0d621cc29f3cf2d2c
                                              • Instruction ID: 1c5a5d734585737dc6b1fa4588b6417aafba5df2b90c89fc528ad7a036b1bb60
                                              • Opcode Fuzzy Hash: 625f1e7399fc93da6f37fa1e0330fb08ecf441602bb64bf0d621cc29f3cf2d2c
                                              • Instruction Fuzzy Hash: 7BF0AF71B0869182EB209F06F440219E760AB89FE4F884138EF8C17B58DB3ED5818B04

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: Virtual$AllocFree
                                              • String ID:
                                              • API String ID: 2087232378-0
                                              • Opcode ID: df8486f038e79b547ccdb021daa754100f3a5205bbaa03da553d2b0464387378
                                              • Instruction ID: 80c735884ffe4e0a5b86d2a38f684764d1df4fd2e1aaca594f31879517204837
                                              • Opcode Fuzzy Hash: df8486f038e79b547ccdb021daa754100f3a5205bbaa03da553d2b0464387378
                                              • Instruction Fuzzy Hash: 39E01234F167018AFB58BF13A886665A6516F9DF11FC48038C40D47790DE2FA65ADF60

                                              APIs
                                              • CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF7C5C41A10,?,?,00000030), ref: 00007FF7C5C41BC9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: 90758f69fcf1388e0b70db958e236ce2b2d0b74138699664a50d809a000787a9
                                              • Instruction ID: 327ef974e76bb2856be4a85870e7fb5f7bbc09d3f5b9877ff48c2f1245e462cc
                                              • Opcode Fuzzy Hash: 90758f69fcf1388e0b70db958e236ce2b2d0b74138699664a50d809a000787a9
                                              • Instruction Fuzzy Hash: 2531E123E08A0355FB21BF51E8407BDE2616F80FA4F840032DE4D1B796DE6EA881C360

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
                                              • String ID:
                                              • API String ID: 2131581837-0
                                              • Opcode ID: 8a906362c82a65a07e00605dfb93312dc942a46eb36c422177fca489e41fede8
                                              • Instruction ID: bcb7d17ed1cae6b94188c2820d29c52968152612f8194354bad818906ffbecae
                                              • Opcode Fuzzy Hash: 8a906362c82a65a07e00605dfb93312dc942a46eb36c422177fca489e41fede8
                                              • Instruction Fuzzy Hash: 5F118C72908B8282EB24EF25A40419AB720FB45BB0F844338EBBE177D6DF79D0028700
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: FreeVirtual
                                              • String ID:
                                              • API String ID: 1263568516-0
                                              • Opcode ID: 466d4d9c988fe849325ae7168e876d2e859bac2774cb7984135f3943153e00f4
                                              • Instruction ID: 434d718f0bcf62ea45e6a1af2cbe92c86112c3e9d9855f812a2dde4fe6cc32ba
                                              • Opcode Fuzzy Hash: 466d4d9c988fe849325ae7168e876d2e859bac2774cb7984135f3943153e00f4
                                              • Instruction Fuzzy Hash: 1FB01220F16201C6E3043B237CC274802142B45F12FC40038C608A1290CD1E81E51F10
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCPath$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.Path$System.GC.RetainVM$System.GC.Server
                                              • API String ID: 0-1379766591
                                              • Opcode ID: aea8e211407e160569e901d7ffe0990671890cbd52ae028845b6437f3ac61894
                                              • Instruction ID: 0bcb96ea8f0848fe181f3fcb4a2b00eda024165e1e4b33af6bde7881ca69cec2
                                              • Opcode Fuzzy Hash: aea8e211407e160569e901d7ffe0990671890cbd52ae028845b6437f3ac61894
                                              • Instruction Fuzzy Hash: 6E425F61608F5681FB20AF15F890AAAA3A5FF55FE8FC11132D98D07A24DF3ED206C754
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: strcmp
                                              • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
                                              • API String ID: 1004003707-1492036319
                                              • Opcode ID: 36b66872262398e0886a26fc236604f32fdc404a408f84d1ed38b3fdaa7ebc27
                                              • Instruction ID: 9d4213fab97abdfeeef7fe1960f6587402731bf2922b6f00a9cdfaf2ad6823b5
                                              • Opcode Fuzzy Hash: 36b66872262398e0886a26fc236604f32fdc404a408f84d1ed38b3fdaa7ebc27
                                              • Instruction Fuzzy Hash: 7662BF64D0EF8794FA00FF65A8D00B2ABA1AF59FA0FC44076C45D47266DE2EA159C3F1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
                                              • String ID: SeLockMemoryPrivilege
                                              • API String ID: 1752251271-475654710
                                              • Opcode ID: c8564b734ccbaacaf3b0576976fb44c3c840db276b6d24103a14a80d5a63f89b
                                              • Instruction ID: 1277faefbc52d9d545a3f7ac9cd679084b73a019150bc9e3ac596c34e1ee5f25
                                              • Opcode Fuzzy Hash: c8564b734ccbaacaf3b0576976fb44c3c840db276b6d24103a14a80d5a63f89b
                                              • Instruction Fuzzy Hash: D0317671A09B4286F720AF61F454367E7A1EB84FA4F804035EA8E47754DE3EE4458760
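The "API ID" in each Similarity block is a deterministic summary of the function's call list, which makes it a useful pivot: an analyst can recompute it from a function's APIs panel, or from a call list recovered in a disassembler, and search other reports for functions with the same call set. The record directly above (SeLockMemoryPrivilege) has its APIs panel collapsed, so only the ID is visible. The Python below is an added example, not Joe Sandbox code or documentation: the rules it implements (split the export name on CamelCase, drop "Get", COM's "Co"/"Ex", "To" and the A/W suffix, count tokens over every call site, group by descending count, sort alphabetically within a group, join groups with "$") are inferred from the IDs printed on this page and may not hold for every export. The sample record is the page's own VirtualAllocExNuma function; the call list for the large-page record is an assumption chosen to be consistent with its ID and with the way the .NET runtime's GC enables SeLockMemoryPrivilege before a large-page allocation. Note for triage that the GC configuration strings (BGCFL*, GC*, System.GC.*) and that privilege routine are runtime library code, so these records on their own are not evidence of sandbox evasion by the malware author.

```python
"""Derive a Joe Sandbox-style "API ID" from a function's call list.

Added example; the grouping rules are inferred from the IDs visible in the
report, not taken from Joe Sandbox documentation.
"""
import re
from collections import Counter

# Name fragments the report's IDs drop (inferred): the "Get" prefix
# (GetTickCount64 -> Count64Tick), COM's "Co"/"Ex" (CoInitializeEx -> Initialize),
# "To" (SwitchToThread -> SwitchThread) and the ANSI/Unicode A/W suffix.
STOP_TOKENS = {"Get", "Co", "Ex", "To", "A", "W"}

# CamelCase splitter: "GetLargePageMinimum" -> Get, Large, Page, Minimum;
# lower-case CRT names such as "strcmp" stay one token.
_CAMEL = re.compile(r"[A-Z][a-z]*\d*|[a-z]+\d*|\d+")

# Report lines "• VirtualAlloc.KERNELBASE(...), ref: ..." and "• API ID: ...".
_API_LINE = re.compile(r"^\s*•\s*([A-Za-z_][A-Za-z0-9_]*)\.[A-Za-z0-9_]+\b")
_ID_LINE = re.compile(r"^\s*•\s*API ID:\s*(\S*)")


def tokenize(api_name: str) -> list[str]:
    """Split an export name into tokens and drop the stop tokens."""
    return [t for t in _CAMEL.findall(api_name) if t not in STOP_TOKENS]


def api_id(calls: list[str]) -> str:
    """Count tokens over every call site (a function that calls GetCurrentProcess
    twice counts Process twice), group by descending count, sort alphabetically
    inside each group and join the groups with '$'."""
    counts = Counter(tok for name in calls for tok in tokenize(name))
    by_count: dict[int, list[str]] = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def parse_record(text: str) -> tuple[list[str], str]:
    """Pull the API call names and the declared API ID out of one report record."""
    calls, declared = [], ""
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if m:
            calls.append(m.group(1))
            continue
        m = _ID_LINE.match(line)
        if m:
            declared = m.group(1)
    return calls, declared


def record_is_consistent(text: str) -> bool:
    """True when the ID recomputed from the listed calls equals the declared one."""
    calls, declared = parse_record(text)
    return api_id(calls) == declared


# The VirtualAllocExNuma record from this report (APIs and Similarity lines),
# embedded here as the sample input.
SAMPLE_RECORD = """\
• VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF7C5BC6538,?,?,0000000B,00007FF7C5BC5400,?,?,00000000,00007FF7C5BBF7C1), ref: 00007FF7C5BC2A07
• GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF7C5BC6538,?,?,0000000B,00007FF7C5BC5400,?,?,00000000,00007FF7C5BBF7C1), ref: 00007FF7C5BC2A27
• VirtualAllocExNuma.KERNEL32 ref: 00007FF7C5BC2A48
• Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
• API ID: AllocVirtual$CurrentNumaProcess
• String ID:
• API String ID: 647533253-0
"""

# Assumed call list for the SeLockMemoryPrivilege record, whose APIs panel is
# collapsed in the report: enable the privilege on the process token, query the
# large-page size, allocate NUMA-aware. GetCurrentProcess has to occur twice to
# reproduce the leading "Process" group of the declared ID.
LARGE_PAGE_CALLS = [
    "GetCurrentProcess", "OpenProcessToken", "LookupPrivilegeValueW",
    "AdjustTokenPrivileges", "GetLastError", "CloseHandle",
    "GetLargePageMinimum", "GetCurrentProcess", "VirtualAlloc", "VirtualAllocExNuma",
]

if __name__ == "__main__":
    print(api_id(["VirtualAlloc", "GetCurrentProcess", "VirtualAllocExNuma"]))
    print(record_is_consistent(SAMPLE_RECORD))
    print(api_id(LARGE_PAGE_CALLS))
```

Run it on a record copied from the report to confirm the listed calls reproduce the declared ID; a mismatch usually means a dropped prefix or suffix the stop list does not cover, or a call site the APIs panel omitted, rather than a different function. The numeric "API String ID" is a hash the page does not describe, so the example leaves it alone.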
                                              APIs
                                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7C5BB7441), ref: 00007FF7C5BB6B58
                                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7C5BB7441), ref: 00007FF7C5BB6CAB
                                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7C5BB7441), ref: 00007FF7C5BB6D83
                                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7C5BB7441), ref: 00007FF7C5BB6D99
                                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7C5BB7441), ref: 00007FF7C5BB6E15
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: ExceptionFailFastRaise
                                              • String ID: [ KeepUnwinding ]
                                              • API String ID: 2546344036-400895726
                                              • Opcode ID: f7ede3c50903ac8ce56ed10b7c6191f6e45cf248f9fd1a0be10d847b8a15258f
                                              • Instruction ID: f1096f0708cae723ba917723dbcdff16cf2c9d32b5fec45b151a93d175e6b114
                                              • Opcode Fuzzy Hash: f7ede3c50903ac8ce56ed10b7c6191f6e45cf248f9fd1a0be10d847b8a15258f
                                              • Instruction Fuzzy Hash: 7AB1D232A09B4385EB64EF25D0412A9BBA1FB04F68F980136CE4D47398CF7BE841C364
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: SwitchThread
                                              • String ID:
                                              • API String ID: 115865932-0
                                              • Opcode ID: 8f1152a98ca86780c3dea1b552b037fca8d312a9376a4e9feeb8efa9e59e16c1
                                              • Instruction ID: 912fb058151c667d6bb43a1336c10caf58e47f7f38895745ad0322f3e09091f7
                                              • Opcode Fuzzy Hash: 8f1152a98ca86780c3dea1b552b037fca8d312a9376a4e9feeb8efa9e59e16c1
                                              • Instruction Fuzzy Hash: C0B18D71A09B4286EB50AF64D8802B9F7A0FF45FA4F884635DA1D47395DFBEF4448360
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave
                                              • String ID: @
                                              • API String ID: 3168844106-2766056989
                                              APIs
                                              Similarity
                                              • API ID: SwitchThread
                                              • String ID:
                                              • API String ID: 115865932-0
                                              APIs
                                              • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF7C5BB7E5B,?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BC1CEF
                                              • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF7C5BB7E5B,?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BC1D4C
                                              Similarity
                                              • API ID: EnabledFeaturesState
                                              • String ID:
                                              • API String ID: 1557480591-0
                                              APIs
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave
                                              • String ID:
                                              • API String ID: 3168844106-0
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: ?
                                              • API String ID: 0-1684325040
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: 0
                                              • API String ID: 0-4108050209
                                              APIs
                                              • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF7C5BB7E3E,?,?,?,?,?,?,00007FF7C5BB1C00), ref: 00007FF7C5BBE79C
                                              Similarity
                                              • API ID: Time$FileSystem
                                              • String ID:
                                              • API String ID: 2086374402-0
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Similarity
                                              • API ID: CounterPerformanceQuery
                                              • String ID:
                                              • API String ID: 2783962273-0
                                              • Opcode ID: 0046277a4a63688f8226c38b0a832a454e8e1dc3ef7b8787d107a71e26a4fca3
                                              • Instruction ID: 5cfd72fadad36c88223b760636b43ceeff687223518a08ae0fb15b14b6c13804
                                              • Opcode Fuzzy Hash: 0046277a4a63688f8226c38b0a832a454e8e1dc3ef7b8787d107a71e26a4fca3
                                              • Instruction Fuzzy Hash: A6029366A1AB4245FA51EF24E590374ABA0AF49FA8F944335CD4E133A5DF3FE481C360
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 21cb066ba30a2d58ebcf8ae559d9ba3061f44fe4dc0b64825ad821ff6f3f83a3
                                              • Instruction ID: 93d60f59679810729f8d5f4f2bf68ebb2a850fce206466c3dc1f9f184cb598e9
                                              • Opcode Fuzzy Hash: 21cb066ba30a2d58ebcf8ae559d9ba3061f44fe4dc0b64825ad821ff6f3f83a3
                                              • Instruction Fuzzy Hash: 38D18AB3614B8883DB599F25E084AA87BA9F358FD8F944035DE0E0BB44DF39D644C764
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 89128956560b79819419b146d30ab2dade3c9b4a793a2fb0d04a89bb812f0baf
                                              • Instruction ID: 30530fe0329b0cb3e9cf9b5f2157a6ee8f21fd898fb03f481265a8824bfb52d7
                                              • Opcode Fuzzy Hash: 89128956560b79819419b146d30ab2dade3c9b4a793a2fb0d04a89bb812f0baf
                                              • Instruction Fuzzy Hash: 1A617125E2804794ED28BF22EC550F4D6256F56FE0FD42031EE1E57363EE9EE8158368
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3a5daeb43570b4afd4445f940d7c48c5abcaba4c72eaa1ed16e83e212e647b85
                                              • Instruction ID: 572bdc0f08d43c1514fb3daf30fadfced7039796a7ce7a7c756f9ab9fed1d776
                                              • Opcode Fuzzy Hash: 3a5daeb43570b4afd4445f940d7c48c5abcaba4c72eaa1ed16e83e212e647b85
                                              • Instruction Fuzzy Hash: 04D1AF32A09B8692E760EF54E880379B7A4FB45FA8F940136D94E47391EF3EF4458364
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c5d97b2ee4cf179bc4efdbce6b8c0359fec989a8c2a2af27bcf7251089b9314c
                                              • Instruction ID: eb3c9bb5d674beb979e11a54f07a5b4eb78451330413bfaf179982ba71910766
                                              • Opcode Fuzzy Hash: c5d97b2ee4cf179bc4efdbce6b8c0359fec989a8c2a2af27bcf7251089b9314c
                                              • Instruction Fuzzy Hash: CA713963B181A646E7319E25940056DF761FB84FA4F988231DF4D63742DE3EE981CB50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7f3baeb11f508d9df96f7dec6d674138a29e73c9ff3c206315f0f1c2669d3fcb
                                              • Instruction ID: 6f71b174dc6fe40207d1345399dbb3986d1885dad35f27c2262ec7fdbf1f4392
                                              • Opcode Fuzzy Hash: 7f3baeb11f508d9df96f7dec6d674138a29e73c9ff3c206315f0f1c2669d3fcb
                                              • Instruction Fuzzy Hash: 5AC19032A19B4682EA04AF15E880638FBA4FB45FB4F844235C96D477E5DF3EE451C760
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fb4f35875fc796b0f3ddd2d634b66067a0974921a0bb6a5596afbdc2a062e503
                                              • Instruction ID: 0fccb6c714db98f60384003e1cdf29210bdabfc31901f608d383fa7f11d86869
                                              • Opcode Fuzzy Hash: fb4f35875fc796b0f3ddd2d634b66067a0974921a0bb6a5596afbdc2a062e503
                                              • Instruction Fuzzy Hash: 81C18E32A19B4682EA00AF15E980578F7A4FB45FB4F884235C96E477E6CF7EE451C360
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
                                              • Instruction ID: e36471d6ce955d76d377eeea781a83283af671885e19785a8e632a39a1cd79dd
                                              • Opcode Fuzzy Hash: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
                                              • Instruction Fuzzy Hash: 4C910DB3A10B5987DB18DF29D84122877A1F748FE8F605239DE6D03B98DB79D811CB80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 52e6792593e42a436b6ae11b0d1b1c1b071753a908ee3dc58b69619f9021869d
                                              • Instruction ID: 0d2c4842efa712912773ecd65025902276d4a1122733bc29640483c5bdaf4ff6
                                              • Opcode Fuzzy Hash: 52e6792593e42a436b6ae11b0d1b1c1b071753a908ee3dc58b69619f9021869d
                                              • Instruction Fuzzy Hash: 40410A62E1908399EA28BF13EC410F9DA516F45FE0FC44031EE0E87763DE5EE9469350
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1520ecc627e78f6f296a930b5ad1567f454733ec3bf030dcbb6867c4c223546e
                                              • Instruction ID: 8c70c5389bb37af41a1b8151a00ebb30b53a3b8ef5b63dcd16c4e1bff1f5bff0
                                              • Opcode Fuzzy Hash: 1520ecc627e78f6f296a930b5ad1567f454733ec3bf030dcbb6867c4c223546e
                                              • Instruction Fuzzy Hash: E2413861E29B0A41F905AF36A581674D6529F5AFF0EA8C732D92F337D1EF2E70804264
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d01d92c36cf49476ab487aa00d9e6613e9ef98e3604ac2f9606348045db3d20f
                                              • Instruction ID: a4c9baeb904e0fad2a9871d7ea9ed1ad9c27107b721c0be9113ad1a84d1d934e
                                              • Opcode Fuzzy Hash: d01d92c36cf49476ab487aa00d9e6613e9ef98e3604ac2f9606348045db3d20f
                                              • Instruction Fuzzy Hash: 3C415911B06B4E42EA159F365012579D652BF5AFD4F9CCB32D90E27798EF3EF0418610
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4f5e3a5f36c742acf23e0f67f47f7e35e288f742c5cbb7463714353c7f299c5f
                                              • Instruction ID: e19708635f354d6a64efd614dbf241f3727af71838f7b46ef519f03677225510
                                              • Opcode Fuzzy Hash: 4f5e3a5f36c742acf23e0f67f47f7e35e288f742c5cbb7463714353c7f299c5f
                                              • Instruction Fuzzy Hash: 6D21F773F0668686D728AF15E4401AEE232FF88B98F549234DB8C6774ADE3CC941C700
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a6ce15b705df1a525a362b136f320cd7ebac4ee5d2a4b91d5a0a8bc25f3be7d2
                                              • Instruction ID: 58a42a587180de9702378f3f5baf20aea37dedfec65dd5c1b078234a3e920bec
                                              • Opcode Fuzzy Hash: a6ce15b705df1a525a362b136f320cd7ebac4ee5d2a4b91d5a0a8bc25f3be7d2
                                              • Instruction Fuzzy Hash: DA21FF33B1865142FBA4AF29A2D167D9750EF8AB90FC82170EE0D03E4ADD1ED4828B00
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: ExceptionFailFastRaise$Sleep
                                              • String ID:
                                              • API String ID: 3706814929-0
                                              • Opcode ID: d20306b9d74ff1c3dcfd4b0331d8a064e7e4a167fcad3e41ad7a5e05a6cf805d
                                              • Instruction ID: 9f594fc665b42328d366d28491c79f63761e0621eaba8ff03bd7532f8e69feb5
                                              • Opcode Fuzzy Hash: d20306b9d74ff1c3dcfd4b0331d8a064e7e4a167fcad3e41ad7a5e05a6cf805d
                                              • Instruction Fuzzy Hash: C321F923B2894652FB30AF5AE454B7BE651EB84BA4FC05031EF4E42A95DD3ED049C724
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                               • Associated: 00000000.00000002.2104600148.00007FF7C5BB0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104777484.00007FF7C5CC9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2104818065.00007FF7C5D09000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D79000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D7F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105337248.00007FF7C5D84000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2105455790.00007FF7C5D87000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
                                              • String ID: IsWow64Process2$QueueUserAPC2$kernel32
                                              • API String ID: 2652322181-269241671
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
                                              • String ID: IsWow64Process2$QueueUserAPC2$kernel32
                                              • API String ID: 2652322181-269241671
                                              APIs
                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7C5BC3CD7,?,?,?,?,00007FF7C5BBCCE5), ref: 00007FF7C5BBD7DE
                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7C5BC3CD7,?,?,?,?,00007FF7C5BBCCE5), ref: 00007FF7C5BBD806
                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7C5BC3CD7,?,?,?,?,00007FF7C5BBCCE5), ref: 00007FF7C5BBD826
                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7C5BC3CD7,?,?,?,?,00007FF7C5BBCCE5), ref: 00007FF7C5BBD846
                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7C5BC3CD7,?,?,?,?,00007FF7C5BBCCE5), ref: 00007FF7C5BBD866
                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7C5BC3CD7,?,?,?,?,00007FF7C5BBCCE5), ref: 00007FF7C5BBD88A
                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7C5BC3CD7,?,?,?,?,00007FF7C5BBCCE5), ref: 00007FF7C5BBD8AE
                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7C5BC3CD7,?,?,?,?,00007FF7C5BBCCE5), ref: 00007FF7C5BBD8D2
                                              Strings
                                              Similarity
                                              • API ID: strcmp
                                              • String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
                                              • API String ID: 1004003707-945519297
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                                              • String ID: InitializeContext2$kernel32.dll
                                              • API String ID: 4102459504-3117029998
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
                                              • String ID:
                                              • API String ID: 510365852-3916222277
                                              APIs
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave
                                              • String ID:
                                              • API String ID: 3168844106-0
                                              APIs
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave
                                              • String ID:
                                              • API String ID: 3168844106-0
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: ExceptionFailFastRaise
                                              • String ID: Process is terminating due to StackOverflowException.
                                              • API String ID: 2546344036-2200901744
                                              APIs
                                              Similarity
                                              • API ID: SwitchThread
                                              • String ID:
                                              • API String ID: 115865932-0
                                              APIs
                                              • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BB3141), ref: 00007FF7C5BBC914
                                              • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BB3141), ref: 00007FF7C5BBC91E
                                              • CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BB3141), ref: 00007FF7C5BBC93D
                                              • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BB3141), ref: 00007FF7C5BBC951
                                              Similarity
                                              • API ID: ErrorLastMultipleWait$HandlesObjects
                                              • String ID:
                                              • API String ID: 2817213684-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                              • String ID:
                                              • API String ID: 2933794660-0
                                              APIs
                                              • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C5C119E3), ref: 00007FF7C5C12720
                                              • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C5C119E3), ref: 00007FF7C5C12761
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: ExceptionFileHeaderRaise
                                              • String ID: csm
                                              • API String ID: 2573137834-1018135373
                                              APIs
                                              • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF7C5BBD913,?,?,?,00007FF7C5BC3CD7,?,?,?,?,00007FF7C5BBCCE5), ref: 00007FF7C5BBE0EB
                                              • strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF7C5BBD913,?,?,?,00007FF7C5BC3CD7,?,?,?,?,00007FF7C5BBCCE5), ref: 00007FF7C5BBE128
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: _stricmpstrtoull
                                              • String ID: HeapVerify
                                              • API String ID: 4031153986-2674988305
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF7C5BD57BF,?,?,?,00007FF7C5BE2F8B), ref: 00007FF7C5BD568D
                                              • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF7C5BD57BF,?,?,?,00007FF7C5BE2F8B), ref: 00007FF7C5BD56E2
                                              • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF7C5BD57BF,?,?,?,00007FF7C5BE2F8B), ref: 00007FF7C5BD56FF
                                              • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF7C5BD57BF,?,?,?,00007FF7C5BE2F8B), ref: 00007FF7C5BD571C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2104626947.00007FF7C5BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C5BB0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c5bb0000_4munRyMrBm.jbxd
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave
                                              • String ID:
                                              • API String ID: 3168844106-0

                                              Execution Graph

                                              Execution Coverage:12.6%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:19
                                              Total number of Limit Nodes:4
                                              execution_graph: rendered graph (raw node and edge listing omitted); nodes call GlobalMemoryStatusEx
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph: rendered graph (raw node and edge listing omitted)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V.m
                                              • API String ID: 0-4037683661

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph: rendered graph (raw node and edge listing omitted)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V.m$\V.m
                                              • API String ID: 0-794918365

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph: rendered graph (raw node and edge listing omitted)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V.m$\V.m
                                              • API String ID: 0-794918365

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph: rendered graph (raw node and edge listing omitted); contains a GlobalMemoryStatusEx call
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3330599163.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61f0000_CasPol.jbxd

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph: rendered graph (raw node and edge listing omitted); contains a GlobalMemoryStatusEx call
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,061FE1DA), ref: 061FE2C7
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3330599163.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61f0000_CasPol.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0

                                               Control-flow Graph (rendered graph not reproduced; basic-block ranges and edges as exported):
                                               control_flow_graph 1768 61fd55c-61fe2d4 GlobalMemoryStatusEx 1771 61fe2dd-61fe305 1768->1771 1772 61fe2d6-61fe2dc 1768->1772 1772->1771
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,061FE1DA), ref: 061FE2C7
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3330599163.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61f0000_CasPol.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: b4674f6a778241ffa82f63df9de3275fc0dec5659099549c1423bb1b880fda38
                                              • Instruction ID: 0237d7c2a24b49c5595c7ae3b886ba63cc5d821959caa5300f71aa998b4ea544
                                              • Opcode Fuzzy Hash: b4674f6a778241ffa82f63df9de3275fc0dec5659099549c1423bb1b880fda38
                                              • Instruction Fuzzy Hash: 5C1136B1C0065A9BCB10CF9AC444B9EFBF4AF48220F10816AE518A7240D379A910CFA1

                                               Control-flow Graph (rendered graph not reproduced; basic-block ranges and edges as exported):
                                               control_flow_graph 1775 1223e74-1223e7c 1776 1223e20-1223e6a 1775->1776 1777 1223e7e-1223ee6 1775->1777 1781 1223f30-1223f32 1777->1781 1782 1223ee8-1223ef3 1777->1782 1784 1223f34-1223f8c 1781->1784 1782->1781 1783 1223ef5-1223f01 1782->1783 1785 1223f03-1223f0d 1783->1785 1786 1223f24-1223f2e 1783->1786 1793 1223fd6-1223fd8 1784->1793 1794 1223f8e-1223f99 1784->1794 1787 1223f11-1223f20 1785->1787 1788 1223f0f 1785->1788 1786->1784 1787->1787 1790 1223f22 1787->1790 1788->1787 1790->1786 1795 1223fda-1223ff2 1793->1795 1794->1793 1796 1223f9b-1223fa7 1794->1796 1803 1223ff4-1223fff 1795->1803 1804 122403c-122403e 1795->1804 1797 1223fca-1223fd4 1796->1797 1798 1223fa9-1223fb3 1796->1798 1797->1795 1800 1223fb7-1223fc6 1798->1800 1801 1223fb5 1798->1801 1800->1800 1802 1223fc8 1800->1802 1801->1800 1802->1797 1803->1804 1806 1224001-122400d 1803->1806 1805 1224040-1224052 1804->1805 1813 1224059-122408e 1805->1813 1807 1224030-122403a 1806->1807 1808 122400f-1224019 1806->1808 1807->1805 1809 122401b 1808->1809 1810 122401d-122402c 1808->1810 1809->1810 1810->1810 1812 122402e 1810->1812 1812->1807 1814 1224094-12240a2 1813->1814 1815 12240a4-12240aa 1814->1815 1816 12240ab-122410b 1814->1816 1815->1816 1823 122411b-122411f 1816->1823 1824 122410d-1224111 1816->1824 1826 1224121-1224125 1823->1826 1827 122412f-1224133 1823->1827 1824->1823 1825 1224113 1824->1825 1825->1823 1826->1827 1830 1224127-122412a call 1220aa8 1826->1830 1828 1224143-1224147 1827->1828 1829 1224135-1224139 1827->1829 1832 1224157-122415b 1828->1832 1833 1224149-122414d 1828->1833 1829->1828 1831 122413b-122413e call 1220aa8 1829->1831 1830->1827 1831->1828 1837 122416b-122416f 1832->1837 1838 122415d-1224161 1832->1838 1833->1832 1836 122414f-1224152 call 1220aa8 1833->1836 1836->1832 1841 1224171-1224175 1837->1841 1842 122417f 1837->1842 1838->1837 1840 1224163 1838->1840 1840->1837 1841->1842 1843 1224177 1841->1843 1844 1224180 1842->1844 1843->1842 1844->1844
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V.m
                                              • API String ID: 0-4037683661
                                              • Opcode ID: 03df2d797d700494b359b40ccd35be968fe92f98a054e60a322c17dcd965e511
                                              • Instruction ID: 697bc8976f1eb19519150edc2db8328461acba6752e42c230489cbe57eec979b
                                              • Opcode Fuzzy Hash: 03df2d797d700494b359b40ccd35be968fe92f98a054e60a322c17dcd965e511
                                              • Instruction Fuzzy Hash: E1A18C70E2026AEFDF10DFA8D881BDDBBF1BF58314F248129E905A7254DB789945CB81

                                               Control-flow Graph (rendered graph not reproduced; basic-block ranges and edges as exported):
                                               control_flow_graph 1911 122924f-1229278 1912 122927a-122927d 1911->1912 1913 12292b6-12292b9 1912->1913 1914 122927f-12292b1 1912->1914 1915 12292bb-12292d7 1913->1915 1916 12292dc-12292de 1913->1916 1914->1913 1915->1916 1917 12292e0 1916->1917 1918 12292e5-12292e8 1916->1918 1917->1918 1918->1912 1919 12292ea-12292f9 1918->1919 1923 122933a-122934f 1919->1923 1924 12292fb-1229302 1919->1924 1928 1229350 1923->1928 1926 1229304-122930a 1924->1926 1927 1229329-1229338 1924->1927 1931 1229310 call 1229490 1926->1931 1932 1229310 call 1229364 1926->1932 1933 1229310 call 1229378 1926->1933 1934 1229310 call 122968e 1926->1934 1927->1923 1927->1924 1928->1928 1929 1229316-1229321 1929->1927 1931->1929 1932->1929 1933->1929 1934->1929
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 9
                                              • API String ID: 0-2366072709
                                              • Opcode ID: c5cac129a0dadb9573d51a0a7d2d4a81430f91f9b8f269cb4142d5a754108d5b
                                              • Instruction ID: c4691e6891a3ddc855fdd3cb421eba093312a736576eda06625415912ce7803e
                                              • Opcode Fuzzy Hash: c5cac129a0dadb9573d51a0a7d2d4a81430f91f9b8f269cb4142d5a754108d5b
                                              • Instruction Fuzzy Hash: E7317171E1022A9BDF05CFA8C49069EB7B2EF89304F50C619E905EB341DB709886CB50
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 470c8678a7e1f303e94e28b7ebe25fd014854f7307a5a97b71b8778b8255f131
                                              • Instruction ID: 9909e6ea24b2492ed370a1de22d1021cb1b6069be15c866ced2f395bd6cc4929
                                              • Opcode Fuzzy Hash: 470c8678a7e1f303e94e28b7ebe25fd014854f7307a5a97b71b8778b8255f131
                                              • Instruction Fuzzy Hash: 82126E30764212EBDB29AF38E98526C36A2FFC5344B50593CE105DB392CF79EC469B91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 36b9ef235cdc248e8823bcbcb6bafbedf1205ef61503823d31bebb6b36b56476
                                              • Instruction ID: 653aa9baf834154443c0309671035fe712c0c3bec917c9797bbd72aa5456608d
                                              • Opcode Fuzzy Hash: 36b9ef235cdc248e8823bcbcb6bafbedf1205ef61503823d31bebb6b36b56476
                                              • Instruction Fuzzy Hash: 24126E30764212EBDB29AF38E58526C36A2FFC5344B50593CE105DB392CFB9EC468B91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a2326f0356eede670802d84ec313bdbdacdcf2486cd7378badeb7f6a3e3d3cba
                                              • Instruction ID: 77f57d10a548cd63ba257e72016061c9840461f7f736f77163c0ab82a69fe535
                                              • Opcode Fuzzy Hash: a2326f0356eede670802d84ec313bdbdacdcf2486cd7378badeb7f6a3e3d3cba
                                              • Instruction Fuzzy Hash: 7DA17D70E202AADFDF11DFA9D8817DDBBF1AF48714F148129E914EB294EB749841CB81
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1e13adf0a6f94d5b6102c9d383c84e7017520d87c3b4c55c9dbe9e3bbfa50e38
                                              • Instruction ID: 8450e776d4eab876d078e909224676dc56103f3d5aec6113bddcbd44f3ea447c
                                              • Opcode Fuzzy Hash: 1e13adf0a6f94d5b6102c9d383c84e7017520d87c3b4c55c9dbe9e3bbfa50e38
                                              • Instruction Fuzzy Hash: C2917D34A10225EFDF15CB68D984AADBBF2EF88314F148429E906EB355DB75DC82CB50
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5e17c9834818133eb9266c5b7a40d6fba43499260cfbfd014fa18b091755fca9
                                              • Instruction ID: 5e3eb136ff2c93d19618f6e5699e1ed3722149459aa0c1fcbb7b4caf08c97ba8
                                              • Opcode Fuzzy Hash: 5e17c9834818133eb9266c5b7a40d6fba43499260cfbfd014fa18b091755fca9
                                              • Instruction Fuzzy Hash: 5C410331E20229AFDB15DF78D4547AEB7B2FF85300F10852AE906EB281EB759D45CB80
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: feb1593abae62e397db585c8897f1588d2247a6cd4ad0c8148490a1b24941e62
                                              • Instruction ID: ba1423f3d9497d55c84bb9ff19fe2a31a16cf9f3289e11291a21cba347214940
                                              • Opcode Fuzzy Hash: feb1593abae62e397db585c8897f1588d2247a6cd4ad0c8148490a1b24941e62
                                              • Instruction Fuzzy Hash: 7D512672D202299FDB18CFA9C884B9DBBB1FF48310F54811AE915BB351DBB4A844CF95
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: adc2009914e4ba4dd81c475566c72dd9c1ed6393d3fd8ac1be3b36e77dd01666
                                              • Instruction ID: bf317f7b2599c202757703fa478a9e7de1663d60d48c44c965c8adf787bc75b4
                                              • Opcode Fuzzy Hash: adc2009914e4ba4dd81c475566c72dd9c1ed6393d3fd8ac1be3b36e77dd01666
                                              • Instruction Fuzzy Hash: FC512672D202299FDB18CFA9C884B9DBBB1FF48310F54811AE915BB351DBB4A844CF95
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ac3306cf7e8038fcee6dc95fbbbb740095f48213e3ee1bf9a1ed228bf35cbe6
                                              • Instruction ID: 74a7b344138d880f4f2ffa2ebbf618ab9e4acf12b141ff7a991e889a0ed2d373
                                              • Opcode Fuzzy Hash: 9ac3306cf7e8038fcee6dc95fbbbb740095f48213e3ee1bf9a1ed228bf35cbe6
                                              • Instruction Fuzzy Hash: 16513472D202299FDB18CFA9C885B9DBBB1BF48310F54811AE815BB351DBB4A884CF55
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8e515f2566ff42375df79308be9374685233629cd8e9c04899b7a94e96bec825
                                              • Instruction ID: 6ea74f81ea0e3779aaddf48f344f0012b328d15e20027eeb5a71810edabfbfd3
                                              • Opcode Fuzzy Hash: 8e515f2566ff42375df79308be9374685233629cd8e9c04899b7a94e96bec825
                                              • Instruction Fuzzy Hash: E1512772A01A46DFD709EF28F9919193FA1EB93302300A1BDD5017B772DA7C6D25CB81
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 46feff15ea796ccfd3cddd0a84e3a6e59ecada65549ccf8213a3e5d051c5a9d9
                                              • Instruction ID: b5a871b70d12ce61fd764a490e80923970dc134b4cd350f28a021a447f3dd421
                                              • Opcode Fuzzy Hash: 46feff15ea796ccfd3cddd0a84e3a6e59ecada65549ccf8213a3e5d051c5a9d9
                                              • Instruction Fuzzy Hash: 1D51D772A05A46CFC609EF2CF9919453FA1EBD2306300A1BDD5017B772DA7C6D25DB81
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cb206b4c8fdeecb87e285ad0fb501d86c7d8f25d0b0ba1baca2318ff4bd65d3f
                                              • Instruction ID: 08f64f3825801b637dc1cb4df0595651b49701c4dec4c8d3a6bfd7d532f365b3
                                              • Opcode Fuzzy Hash: cb206b4c8fdeecb87e285ad0fb501d86c7d8f25d0b0ba1baca2318ff4bd65d3f
                                              • Instruction Fuzzy Hash: AE310330710216AFDB19AB79D65466E3BB3EF89240F54442DD506DB355EE38DC42CBD0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 228e2e867d1878e9a4a3e9305a63eaf8dcee7b169395d1668b85c5c3e801d801
                                              • Instruction ID: 59742c593e9733064629f8ef8af1571d7167cfc61898ad1b8649efbfb04fff24
                                              • Opcode Fuzzy Hash: 228e2e867d1878e9a4a3e9305a63eaf8dcee7b169395d1668b85c5c3e801d801
                                              • Instruction Fuzzy Hash: D531EB30B10216AFDB19AB39D65466E3BB3EF89640F60442CC506DB396EE34DC42CBD0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2f8ec94cc8fcfd998e55ca823bc198abedd3b4a950f55ee8dbd4da0248f01f29
                                              • Instruction ID: dc1b5b66a5feac331b1e41e2385c9ee38f95443e660a1cb4678b11c68bd30b31
                                              • Opcode Fuzzy Hash: 2f8ec94cc8fcfd998e55ca823bc198abedd3b4a950f55ee8dbd4da0248f01f29
                                              • Instruction Fuzzy Hash: 4B318F75E10616ABCB19CF68D994A9FB7B6FF89300F108929E906E7350DF70AC41CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 47c3e772a9c6474ddd349f8a0a5baf9a46e0820ddbd6acd28e9f6256d5c399d6
                                              • Instruction ID: 8c5f28ffc06a13b6d6103c33122c82bd11b05a7f645cd39e8908bd436d28337e
                                              • Opcode Fuzzy Hash: 47c3e772a9c6474ddd349f8a0a5baf9a46e0820ddbd6acd28e9f6256d5c399d6
                                              • Instruction Fuzzy Hash: C8317E74E10616ABCB19CF68D594A9FB7B6EF89300F108929E906EB350DF70AC41CB50
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9a00ea082de5f3910b3cd2092368c57dc0287b1dad1d3941de03b94e9d0ddafe
                                              • Instruction ID: b39201080ec0e7e1c412e18a923666d4dc49eca263e36de509a1d880b50b3f9e
                                              • Opcode Fuzzy Hash: 9a00ea082de5f3910b3cd2092368c57dc0287b1dad1d3941de03b94e9d0ddafe
                                              • Instruction Fuzzy Hash: F641FEB5D10349DFEB14CFA9C580A9EBBB1BF48310F20802AE509AB254DBB59945CB91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ae20966a137cd1191283bff2653d81c1accd1bd90e2b0d421ba834508d4dfce0
                                              • Instruction ID: 252f43d5fb2629a07916f508557d5579529496b90711e1b30bd0a80831dc2153
                                              • Opcode Fuzzy Hash: ae20966a137cd1191283bff2653d81c1accd1bd90e2b0d421ba834508d4dfce0
                                              • Instruction Fuzzy Hash: 2541EFB0D0034DEFEB14CFA9C980A9EBBB5FF48710F108029E509AB254DBB5A945CB91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e0347d66f26925c1672275963e6e03e110a245d0c400c9832156692049ebe9e
                                              • Instruction ID: 3a3002fe9ea88e80901cdf643c74a9349f56158c97401743e2481bbe7f33fe44
                                              • Opcode Fuzzy Hash: 9e0347d66f26925c1672275963e6e03e110a245d0c400c9832156692049ebe9e
                                              • Instruction Fuzzy Hash: CC216131E1022A9BDF15CFA9D49069EF7B6FF89304F50C619E905AB241DB719881CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6562c041ab0dbfcb006c2b2ec12d90953e73d3f8cfc1bb8735e6d3ab932a64b5
                                              • Instruction ID: 43617019b7d652e442c6cafb5aaa1bf20acd32d81358a811b8a948250ed6d19f
                                              • Opcode Fuzzy Hash: 6562c041ab0dbfcb006c2b2ec12d90953e73d3f8cfc1bb8735e6d3ab932a64b5
                                              • Instruction Fuzzy Hash: 8D218835E10226ABCF19CFA9D8546DEB7B6AF89304F50861AE815F7351DB709881CB50
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 02c8cf1e954f034e8448b3e852fc1175e89a2a2ef1aa6391914fda1c3114821a
                                              • Instruction ID: ed3d6e770f9454cc79ecdd83e9f7a94973b46d0ad2a91e6ea5dd51d31ead54cd
                                              • Opcode Fuzzy Hash: 02c8cf1e954f034e8448b3e852fc1175e89a2a2ef1aa6391914fda1c3114821a
                                              • Instruction Fuzzy Hash: 3221D530A21122ABEB36673CE44AB6D3B65EB42315F141429F606D73C2DE6D9C91C782
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e77e5a966a424bdf8b191244f9906685429b49d2b248d657bb935d7e9779f0e4
                                              • Instruction ID: efa19b59ee1a51431de5d5b1e712a9b202dd093cad781af8d8a7d1db549e06c6
                                              • Opcode Fuzzy Hash: e77e5a966a424bdf8b191244f9906685429b49d2b248d657bb935d7e9779f0e4
                                              • Instruction Fuzzy Hash: 6E216530A205129FEB25EF3CF884B6E3B65EB85314F105539E506D7292DF7C9C518B91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327375118.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_fcd000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 82e953610deab3cfcdc668f4c7550212e4369cbc9a689475cf58b1e2967fae2e
                                              • Instruction ID: c9f3d6b4f47b99fadda0219ab5fbbba2134c32557644a6613299f43816582fd8
                                              • Opcode Fuzzy Hash: 82e953610deab3cfcdc668f4c7550212e4369cbc9a689475cf58b1e2967fae2e
                                              • Instruction Fuzzy Hash: FB213772544205EFDB14DF18DAC1F2ABB61FB84324F24C57DD90A0B25AC376D847DA62
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bbc4468e123326bb052a7449eb5989d28d56dac46c9594e8c0504cc5ec836d69
                                              • Instruction ID: ef088318fae07fdd35dc43140daa4c2597b57df684aa2baddf6b4b1e94384602
                                              • Opcode Fuzzy Hash: bbc4468e123326bb052a7449eb5989d28d56dac46c9594e8c0504cc5ec836d69
                                              • Instruction Fuzzy Hash: 0821A431B20229AFEF04DB69C854BAE7BF6BF88714F104065E505EB3A0DAB19C40CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 082da6a5279f19745cf8a61dcd67fbe026aae1954dd1f703c1d4e171db5c187c
                                              • Instruction ID: 96866008ebb671771add9e5635015f7ab7485a3d813f390df86303f81f0dcc03
                                              • Opcode Fuzzy Hash: 082da6a5279f19745cf8a61dcd67fbe026aae1954dd1f703c1d4e171db5c187c
                                              • Instruction Fuzzy Hash: 8B211931B10115DFCB14DB78C958BAD77F2AF4D204F104469E506EB360DB7A9D01CB91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327375118.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_fcd000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 181f5092b824f8a841a17131f24ec27eae351fb2c7d870463c0e9de0a95a2a64
                                              • Instruction ID: 880987f93d3aad1219a8553079ff7d55abc7f2289350b09d71e6da792a4e213f
                                              • Opcode Fuzzy Hash: 181f5092b824f8a841a17131f24ec27eae351fb2c7d870463c0e9de0a95a2a64
                                              • Instruction Fuzzy Hash: E821517154D3C09FC707CB24D990B15BF71AB46224F29C5EBD8858F2A7C23A981ACB62
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f411d8df3ac0f2c68f7d11807c06ca03a0f296f0df9ac4ec47b1652d429a8850
                                              • Instruction ID: 505417ef50c38b335cb733f4121ce5c869f1ac6b83aa3ddf7c11c6067e6a6486
                                              • Opcode Fuzzy Hash: f411d8df3ac0f2c68f7d11807c06ca03a0f296f0df9ac4ec47b1652d429a8850
                                              • Instruction Fuzzy Hash: 7221AA34E1022A9BCF19CFA5D4545DEF7B2BF85304F20861AE815F7340DB709881CB50
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d7d3f7255801eae63165eb8f56dd10b0e5dd56035a4b9d236d300c0b9572e869
                                              • Instruction ID: 31b625a048944d78af689bfa40423de0acb55bd5b5361ee2b1789c5771c5e202
                                              • Opcode Fuzzy Hash: d7d3f7255801eae63165eb8f56dd10b0e5dd56035a4b9d236d300c0b9572e869
                                              • Instruction Fuzzy Hash: 88216B31B10266DFDB15DB78C554BAE77F2AF49245F100468D602EB390DB798D11CB51
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 67eb80280b6739c74735bcd8d802514ec97cf3ab62863209b1041e7316512220
                                              • Instruction ID: c296434145681c57efb101b198100461e4fc673127aeab3fbd6678858a631d29
                                              • Opcode Fuzzy Hash: 67eb80280b6739c74735bcd8d802514ec97cf3ab62863209b1041e7316512220
                                              • Instruction Fuzzy Hash: 4C215C30B1026ADFDB14EB78C554BAE77F2AF89241F100478D606EB350DB798D51CBA2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 33be128ad7c5eb302017b43f86c73d3703bd6b9b53feea906c6bb2befcab14d4
                                              • Instruction ID: c12989426edfd63e6adf0603381c6fab488a9b25ecef4e1279c5a16c23366cec
                                              • Opcode Fuzzy Hash: 33be128ad7c5eb302017b43f86c73d3703bd6b9b53feea906c6bb2befcab14d4
                                              • Instruction Fuzzy Hash: 53219630A205129BEB29EF3CF884B5E3B65EB85314F105539E606D7252DF7CDC608B91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6edc4c2ab85cdf1949dc20670e6302bd3c40f578e9135e99147e22c96e73f77a
                                              • Instruction ID: 3b69aa73e7614e4a03425537b912d93237f1bc6c897be43611242517969f7cd2
                                              • Opcode Fuzzy Hash: 6edc4c2ab85cdf1949dc20670e6302bd3c40f578e9135e99147e22c96e73f77a
                                              • Instruction Fuzzy Hash: 201103B4B101369BEF249EACD9407BE77B5EB89614F20042AE60AD7341C635DD818BD1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e2b163482505a4a4b14904a7eb59ffd83ecc1f04919e83ed98e8720e32bb877
                                              • Instruction ID: e251fc6fbac646912b396c336271bdda65cd5d71580938e6eec1db2b87b4ab0b
                                              • Opcode Fuzzy Hash: 9e2b163482505a4a4b14904a7eb59ffd83ecc1f04919e83ed98e8720e32bb877
                                              • Instruction Fuzzy Hash: 5E210731B10219DFDB14EB78C958BAD77F2AF8D204F104469E506EB3A1DB799D01CB91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5a254918f76f862ccb1465150088145c3b4d08e7d6ccf554469018817d279c83
                                              • Instruction ID: 3538fb2e5670ae1de0486b2ab274926aae4663ae62f5b9480d09ff731e7590b6
                                              • Opcode Fuzzy Hash: 5a254918f76f862ccb1465150088145c3b4d08e7d6ccf554469018817d279c83
                                              • Instruction Fuzzy Hash: 2B119831B2021AABEF155A7ED40476F3655FB85714F204839F606CF256DDB9CC414BC6
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 418b898a54169a1af3363878ea84973b8fc607a7715de52da81c440a65cd9c36
                                              • Instruction ID: ca01ac87aa880b4549fac079c2effab8d701946d66bfcba7b5e96777c6289bf8
                                              • Opcode Fuzzy Hash: 418b898a54169a1af3363878ea84973b8fc607a7715de52da81c440a65cd9c36
                                              • Instruction Fuzzy Hash: 0D11A772E20226ABCB11AFB888506AD7BF5EF58210B590475D505D7302EB75C951C7D4
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 91308eb7ed21bdad3c456cc097e19b42d51626e0bf864cbb0404844aa62e0aee
                                              • Instruction ID: 42f47ba12d57544671cd5a1a440ef0fbecf956b09eba4a23e2b3e90654a7e609
                                              • Opcode Fuzzy Hash: 91308eb7ed21bdad3c456cc097e19b42d51626e0bf864cbb0404844aa62e0aee
                                              • Instruction Fuzzy Hash: 32110A31B2021AABEF255A7D940477F3355EB41715F104839F602CB242DAB8CC414BC6
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f2e690102b3fc4c415eba40be277fc8aec989b7dcca783f1b62e7a784940f9ee
                                              • Instruction ID: ffd6d94fa371e74595ee1612be7b0a5d92de7a132fa916a191bbf948f6253608
                                              • Opcode Fuzzy Hash: f2e690102b3fc4c415eba40be277fc8aec989b7dcca783f1b62e7a784940f9ee
                                              • Instruction Fuzzy Hash: 30117970A1020AEFEB05EFBCF88169C7BB1EF84304F50517DD904AB251EE79AE558B81
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d7153ba5784313d9cc59bb2dc7f97a3928dca38abb31ad1e24d007401b5590af
                                              • Instruction ID: 5062019e50f4cdd7cfca55d168f1165463b1c1c80cf129b29e716c067f04a32b
                                              • Opcode Fuzzy Hash: d7153ba5784313d9cc59bb2dc7f97a3928dca38abb31ad1e24d007401b5590af
                                              • Instruction Fuzzy Hash: 6211C276F11261ABCB10AFB9A84966F7FE9EB88250F100435E906D3342EF34C9118B95
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 64c696fba021d1d5990a92e7a7a23cca75a2f8ac1ce74e14638bb2b9efab2b88
                                              • Instruction ID: e63302da3a115692e9b4656b9fe39c695bec8db0642ff9f0c14eaf6ea16ef29c
                                              • Opcode Fuzzy Hash: 64c696fba021d1d5990a92e7a7a23cca75a2f8ac1ce74e14638bb2b9efab2b88
                                              • Instruction Fuzzy Hash: F8112272B10115ABD718BB7DE8557AE3BA6EFC9310F10447AE509CB780EF799841CB82
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd6a3e5a25b63d1c27d015c51f95eb22f9081db66545491ef316cbffe4e9616a
                                              • Instruction ID: 5a41d9691add97863d0cc6d3410d216ff333ca7c20c20753432405dfe06d1bd0
                                              • Opcode Fuzzy Hash: fd6a3e5a25b63d1c27d015c51f95eb22f9081db66545491ef316cbffe4e9616a
                                              • Instruction Fuzzy Hash: DC01C476F112619BCB10DF79A80865F7FE9EB88250F100435E905D3341EB34C8118BD5
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c9718bc69fe70a82b230259d212a303318ec33146b731feeba84ab853bc33391
                                              • Instruction ID: 0db4b000869653c3d050b2890d812919b89f1811342ec50c4b2a81b35f8af3cf
                                              • Opcode Fuzzy Hash: c9718bc69fe70a82b230259d212a303318ec33146b731feeba84ab853bc33391
                                              • Instruction Fuzzy Hash: 29014031E20226AFCB21EFB89450AAE7BF5EB48210B1404BAD905EB301EB35D951CBD5
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d444079d390bcb22626afcc55416456f09a6140687ee29a9bfe2f141615cbe3f
                                              • Instruction ID: 886e5ac967e61d1d1eb359b90ee8ce24f5f5d1801999812f672a4e5973823205
                                              • Opcode Fuzzy Hash: d444079d390bcb22626afcc55416456f09a6140687ee29a9bfe2f141615cbe3f
                                              • Instruction Fuzzy Hash: 52012431B152959FC315BB78942466F7FB6EF86300B1040BEE505CB392DE788C45CB92
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 24b006cf2b7a2cc04b039e64c02e5aa5830ce00cb3b5a7c63d90344580d4906d
                                              • Instruction ID: 913c64107dd4f977f7f2e60c09bf84e06b3a5ad8a5e712697881e11d308c756c
                                              • Opcode Fuzzy Hash: 24b006cf2b7a2cc04b039e64c02e5aa5830ce00cb3b5a7c63d90344580d4906d
                                              • Instruction Fuzzy Hash: CEF01439B01608CFC714DB68E598A6D77B2EF89225F1000A8E5069B3A0CF35AD42CB40
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3327782878.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_1220000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 17e2fb2dd82416e790ce3a49035c1e124113633deeaf50fccd8cb449a1d7ec0a
                                              • Instruction ID: 1a90337cb248453fd47a281f84a80925848b7272bf3684a8e9f2ada634281ab2
                                              • Opcode Fuzzy Hash: 17e2fb2dd82416e790ce3a49035c1e124113633deeaf50fccd8cb449a1d7ec0a
                                              • Instruction Fuzzy Hash: CBF0F67090014AEBDB08FFB8F98159DBBB1EB80300F50526CC504AB251EE792E249B91