
Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Analysis ID: 1484418
MD5: 678507e1459f47a4d77aace80d42d52d
SHA1: 80703904ffc940857ec8a10aca910b4eb26c6965
SHA256: 0dbc254fb42ccb7eab3122ec98798233d83327b2d19e2a45706cb79101a843e1
Tags: exe

Detection

Score: 45
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

Contains functionality to infect the boot sector
NDIS Filter Driver detected (likely used to intercept and sniff network traffic; the evidence behind this signature, listed under Networking, is a set of Windows Filtering Platform management imports in icarus_product.dll, which is what a security product that installs and removes its own network filters carries)
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Taken together, the process tree below, the PDB paths (icarus_sfx, icarus_ui, icarus_product_av, aswOfferTool), the avg-av and avg-av-vps product identifiers in the update requests, the avcdn.net hosts and the valid code-signing certificate are all consistent with an AVG/Avast product installer. The score of 45 is driven by behaviours such an installer is expected to show (WFP imports, service creation, a Task Scheduler COM object, firmware and VM checks); no configuration was extracted and no YARA rule matched. The "Trojan.Siggen29" in the file name is the submitter's vendor detection name, not a verdict of this report.

  • System is w10x64
  • SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe" MD5: 678507E1459F47A4D77AACE80D42D52D)
    • icarus.exe (PID: 7836 cmdline: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\icarus-info.xml /install /sssid:7544 MD5: 0CD5718F7F5F8529FE4FF773DEF52DAC)
      • icarus_ui.exe (PID: 7884 cmdline: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699 MD5: CF058EAA95EAD820532B59B686023E53)
      • icarus.exe (PID: 5436 cmdline: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699 /er_slave:avg-av-vps_slave_ep_9790da46-df0d-4eaf-836c-333e7f0f6bff /slave:avg-av-vps MD5: 0CD5718F7F5F8529FE4FF773DEF52DAC)
      • icarus.exe (PID: 3140 cmdline: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699 /er_slave:avg-av_slave_ep_83aa3eab-76fa-4cb3-9fbe-ff74362582a9 /slave:avg-av MD5: 0CD5718F7F5F8529FE4FF773DEF52DAC)
        • aswOfferTool.exe (PID: 8152 cmdline: "C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC MD5: 540BA85561D8F29851603BE4FAAB266A)
          • aswOfferTool.exe (PID: 7332 cmdline: "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC MD5: 540BA85561D8F29851603BE4FAAB266A)
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC, CommandLine: "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC, CommandLine|base64offset|contains: ^r@E+*', Image: C:\Users\Public\Documents\aswOfferTool.exe, NewProcessName: C:\Users\Public\Documents\aswOfferTool.exe, OriginalFileName: C:\Users\Public\Documents\aswOfferTool.exe, ParentCommandLine: "C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC, ParentImage: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe, ParentProcessId: 8152, ParentProcessName: aswOfferTool.exe, ProcessCommandLine: "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC, ProcessId: 7332, ProcessName: aswOfferTool.exe
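The Sigma hit above matches on the image path alone. As an added example (not part of the Joe Sandbox report and not the Sigma rule's own content), the Python below runs that kind of check over process-creation events reconstructed from the process tree, and adds a second, narrower check for the pattern the tree shows: an elevated process starting a same-hash copy of itself from a user-writable directory. The folder list, the event layout and the function names are this example's assumptions.

```python
"""Process-creation detection over constructed events.  Added example: the
five events reproduce image paths, PIDs and MD5s from the process tree in the
report; the folder list, the helper names and the dataclass are this
example's own assumptions, not the Sigma rule's exact content."""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    md5: str


# Assumed list: directories writable by every local user where executables
# normally do not live.  C:\Windows\Temp is left out on purpose: in the report
# the rule fires on the C:\Users\Public copy only, not on the icarus.exe and
# aswOfferTool.exe processes staged under C:\Windows\Temp.
SUSPICIOUS_DIRS = (
    "c:\\users\\public\\",
    "c:\\users\\default\\",
    "c:\\perflogs\\",
    "c:\\$recycle.bin\\",
)


def in_suspicious_folder(image: str) -> bool:
    """Case-insensitive prefix match on the normalised image path."""
    img = image.lower().replace("/", "\\")
    return any(img.startswith(d) for d in SUSPICIOUS_DIRS)


def suspicious_folder_hits(events):
    """Equivalent of the 'Execution from Suspicious Folder' check: the image
    path alone decides, so a renamed or validly signed file still hits."""
    return [e for e in events if in_suspicious_folder(e.image)]


def relaunched_copies(events):
    """Narrower pattern taken from the tree: a process starts a child with the
    same hash from a different, user-writable directory.  Returns
    (parent pid, child pid, child image) triples."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.md5 != e.md5:
            continue
        moved = ntpath.dirname(parent.image).lower() != ntpath.dirname(e.image).lower()
        if moved and in_suspicious_folder(e.image):
            hits.append((parent.pid, e.pid, e.image))
    return hits


TEMP = r"C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464"
SAMPLE_EVENTS = [  # constructed from the process tree in the report
    ProcEvent(7544, 0, r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe",
              "678507E1459F47A4D77AACE80D42D52D"),
    ProcEvent(7836, 7544, TEMP + r"\common\icarus.exe", "0CD5718F7F5F8529FE4FF773DEF52DAC"),
    ProcEvent(3140, 7836, TEMP + r"\avg-av\icarus.exe", "0CD5718F7F5F8529FE4FF773DEF52DAC"),
    ProcEvent(8152, 3140, TEMP + r"\avg-av\aswOfferTool.exe", "540BA85561D8F29851603BE4FAAB266A"),
    ProcEvent(7332, 8152, r"C:\Users\Public\Documents\aswOfferTool.exe", "540BA85561D8F29851603BE4FAAB266A"),
]

if __name__ == "__main__":
    for e in suspicious_folder_hits(SAMPLE_EVENTS):
        print("suspicious folder:", e.pid, e.image)
    for ppid, pid, image in relaunched_copies(SAMPLE_EVENTS):
        print("relaunched copy:", ppid, "->", pid, image)
```

Only PID 7332 trips either check: the four processes under C:\Windows\Temp stay quiet, and the same-hash check ties the hit to its elevated parent, which is the part an analyst wants in the alert.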
No Snort rule has matched
IDS alerts (listed by the sandbox separately from the Snort result above; both hits are the same rule and both have source port 443, i.e. they fired on traffic coming back from the server to the analysis host):
Timestamp: 2024-07-30T01:42:15.165409+0200  SID: 2022930  443/TCP -> 49743  Classtype: A Network Trojan was detected
Timestamp: 2024-07-30T01:42:53.161893+0200  SID: 2022930  443/TCP -> 49780  Classtype: A Network Trojan was detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Code function: 0_2_006262E0 CryptProtectData,GetLastError,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error,CryptUnprotectData,GetLastError,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error,GetLastError,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error,0_2_006262E0 (CryptProtectData/CryptUnprotectData are the DPAPI calls; data protected this way can only be decrypted under the same user or machine key)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Code function: 0_2_005F1450 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GlobalMemoryStatusEx,GetDiskFreeSpaceExW,GetSystemTimes,QueryPerformanceCounter,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,0_2_005F1450 (time, process and thread IDs, memory and disk statistics and the performance counter followed by CryptGenRandom is the shape of an entropy-gathering routine that seeds a PRNG, not of payload encryption)
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Code function: 7_2_00007FFDFB768826 QueryPerformanceCounter,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,7_2_00007FFDFB768826 (the same seeding pattern in the 64-bit component)
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_bd71b6a0-e
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe EXE: C:\Users\Public\Documents\aswOfferTool.exe (this is the "EXE planting / hijacking" finding: the aswOfferTool.exe instance started with -elevated (PID 8152) places a copy in C:\Users\Public\Documents, a directory every local user can write to, and that copy is then started as PID 7332 without the -elevated switch; whoever can write to that directory between the drop and the launch controls the binary that gets executed)

Compliance

Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe EXE: C:\Users\Public\Documents\aswOfferTool.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Static PE information: certificate valid (the Authenticode signature verifies; the DigiCert code-signing and timestamping CA URLs among the Networking strings are the AIA and CRL pointers embedded in such certificate chains, not servers the sample was seen contacting)
Source: unknownHTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknownHTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknownHTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknownHTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknownHTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknownHTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknownHTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknownHTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
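The two Static PE information lines in this section are the first thing to read in a static triage: the first is the COFF Characteristics field (EXECUTABLE_IMAGE, 32BIT_MACHINE, the two RUN_FROM_SWAP bits), the second the optional header's DllCharacteristics, where DYNAMIC_BASE, NX_COMPAT and GUARD_CF mean ASLR, DEP and Control Flow Guard are enabled for the main module. As an added example, not code from the report or from Joe Sandbox, the Python below decodes both fields from raw header bytes; the header is constructed to carry exactly the reported flags, and the helper names are this example's own.

```python
"""Decode COFF Characteristics and PE DllCharacteristics from raw bytes.
Added example: the header bytes are constructed to carry the flags the
report lists for the sample; they are not the sample's own bytes."""
import struct

FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x0400: "REMOVABLE_RUN_FROM_SWAP", 0x0800: "NET_RUN_FROM_SWAP",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# Mitigations a current user-mode executable is expected to opt into.
EXPECTED = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")


def _names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_flags(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _sym, _nsym, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "characteristics": _names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _names(dllchars, DLL_CHARACTERISTICS),
    }


def missing_mitigations(flags: dict) -> list:
    """Expected mitigations that are absent, plus ASLR declared but unusable."""
    present = set(flags["dll_characteristics"])
    missing = [m for m in EXPECTED if m not in present]
    # DYNAMIC_BASE with relocations stripped is ineffective: the loader cannot move the image.
    if "DYNAMIC_BASE" in present and "RELOCS_STRIPPED" in flags["characteristics"]:
        missing.append("DYNAMIC_BASE (relocations stripped)")
    return missing


def build_header(characteristics: int, dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal DOS + PE header; only the fields the parser reads are filled."""
    opt_size = 112 if pe32plus else 96
    buf = bytearray(0x40 + 4 + 20 + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    machine = 0x8664 if pe32plus else 0x014C
    struct.pack_into("<HHIIIHH", buf, 0x44, machine, 3, 0, 0, 0, opt_size, characteristics)
    opt = 0x44 + 20
    struct.pack_into("<H", buf, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", buf, opt + 70, dll_characteristics)
    return bytes(buf)


# Flags exactly as the two Static PE information lines report them.
SAMPLE_HEADER = build_header(0x0002 | 0x0100 | 0x0400 | 0x0800,
                             0x0040 | 0x0100 | 0x4000 | 0x8000)

if __name__ == "__main__":
    flags = parse_pe_flags(SAMPLE_HEADER)
    print(flags)
    print("missing:", missing_mitigations(flags))
```

For the reported flag set nothing is missing; HIGH_ENTROPY_VA is not in the expected list because it only has meaning for PE32+ images, and this sample is 32-bit.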
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2905598553.00007FF78C622000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000007.00000002.2902875824.00007FF6D81A2000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000008.00000002.2908474087.00007FF63D732000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\icarus_mod.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_product_av.pdb source: icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\icarus_sfx.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000000.1645759970.00000000006A7000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_ui.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, icarus_ui.exe, 00000003.00000000.1855814088.00007FF74BD80000.00000002.00000001.01000000.00000009.sdmp, icarus_ui.exe, 00000003.00000002.2920194361.00007FF74BD80000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\avDump.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\aswOfferTool.pdb source: icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, aswOfferTool.exe, 0000000B.00000002.1988628419.0000000000B7B000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\gcapi_dll.dll.pdb source: icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\AvBugReport.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_rvrt.pdb source: icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_product_vps.pdb source: icarus.exe, 00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2905801489.00007FFDFB7B0000.00000002.00000001.01000000.00000012.sdmp
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
(The sandbox repeats these lookups several times; only the distinct keys are kept here. {0F87369F-A4E5-4CFC-BD3E-73E6154572DD} is CLSID_TaskScheduler, the Task Scheduler 2.0 service class, which is the object behind the "Creates COM task schedule object" signature. TreatAs, InprocServer32, InprocHandler32, LocalServer32 and Elevation are the subkeys COM reads when activating any class, so this sequence shows the class being instantiated, not by itself that a task was registered.)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeCode function: 0_2_00690234 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00690234
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeCode function: 0_2_005EA900 FindFirstFileW,FindNextFileW,FindClose,GetFileAttributesW,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,0_2_005EA900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeCode function: 0_2_005ECEB0 FindFirstFileExW,GetLastError,PathMatchSpecW,FindNextFileW,GetLastError,FindClose,0_2_005ECEB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeCode function: 0_2_00615740 FindFirstFileW,MoveFileExW,GetLastError,FindNextFileW,GetFileAttributesW,GetLastError,MoveFileExW,GetLastError,FindClose,0_2_00615740

Networking

Source: icarus_product.dll0.2.dr Static PE information: imports the sandbox reports as "NDIS imports": FwpmSubLayerEnum0, FwpmSubLayerDestroyEnumHandle0, FwpmSubLayerDeleteByKey0, FwpmFilterDestroyEnumHandle0, FwpmCalloutCreateEnumHandle0, FwpmCalloutDeleteByKey0, FwpmEngineOpen0, FwpmFreeMemory0, FwpmTransactionAbort0, FwpmCalloutDestroyEnumHandle0, FwpmEngineClose0, FwpmFilterEnum0, FwpmTransactionCommit0, FwpmSubLayerCreateEnumHandle0, FwpmFilterCreateEnumHandle0, FwpmCalloutEnum0, FwpmTransactionBegin0, FwpmProviderDeleteByKey0, FwpmFilterDeleteByKey0 (these are Windows Filtering Platform management functions exported by fwpuclnt.dll, used from user mode to enumerate and delete filters, callouts, sublayers and providers inside a transaction; they do not themselves make the module an NDIS filter driver, and enumerate/delete without add is the shape of an uninstall or cleanup routine rather than traffic interception)
Source: Joe Sandbox View IP Address: 34.117.223.223
Source: Joe Sandbox View IP Address: 34.160.176.28
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
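A JA3 fingerprint is the MD5 of five comma-separated fields taken from the ClientHello: TLS version, cipher suites, extension types, supported groups and EC point formats, each list joined with "-" in decimal, with GREASE values dropped. The HTTP client in this report is a libcurl build that uses Schannel (see the User-Agent below), so its JA3 is that of Windows' own TLS stack, which a great many benign programs share; "seen in connection with other malware" is therefore a weak signal on its own. As an added example, not code from the report or from Joe Sandbox, the Python below computes JA3 from a constructed ClientHello; only the SNI hostname is taken from the report, everything else about the hello is invented.

```python
"""JA3 computation from a raw TLS ClientHello record.  Added example; the
ClientHello is constructed here (only the SNI hostname comes from the report)
and is not the one the sandbox fingerprinted."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa.  JA3 drops them so a
# client that randomises them still yields a stable fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from(">H", buf, off)[0]


def ja3_from_client_hello(record: bytes):
    """Return (ja3_string, ja3_md5) for one TLS record holding a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = _u16(body, 0)
    off = 2 + 32                      # legacy_version + client random
    off += 1 + body[off]              # session id
    n = _u16(body, off); off += 2
    ciphers = [_u16(body, off + i) for i in range(0, n, 2)]; off += n
    off += 1 + body[off]              # compression methods
    exts, groups, fmts = [], [], []
    if off < len(body):               # the extensions block is optional
        n = _u16(body, off); off += 2
        end = off + n
        while off < end:
            et, el = _u16(body, off), _u16(body, off + 2)
            data = body[off + 4:off + 4 + el]
            off += 4 + el
            exts.append(et)
            if et == 0x000A:          # supported_groups (JA3 "EllipticCurves")
                m = _u16(data, 0)
                groups = [_u16(data, 2 + i) for i in range(0, m, 2)]
            elif et == 0x000B:        # ec_point_formats
                fmts = list(data[1:1 + data[0]])

    def strip(values):
        return [v for v in values if v not in GREASE]

    fields = [str(version)] + ["-".join(map(str, v))
                               for v in (strip(ciphers), strip(exts), strip(groups), fmts)]
    ja3 = ",".join(fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack(">HH", ext_type, len(data)) + data


def build_client_hello(client_random: bytes = b"\x11" * 32) -> bytes:
    """Constructed TLS 1.2 ClientHello with one GREASE cipher and one GREASE extension."""
    ciphers = b"".join(struct.pack(">H", c) for c in (0x1301, 0x1302, 0xC02B, 0xC02F, 0x0A0A))
    name = b"shepherd.avcdn.net"
    sni = _ext(0x0000, struct.pack(">HBH", len(name) + 3, 0, len(name)) + name)
    groups = _ext(0x000A, struct.pack(">HHHH", 6, 0x001D, 0x0017, 0x0018))
    fmts = _ext(0x000B, b"\x01\x00")
    grease = _ext(0x1A1A, b"")
    exts = sni + groups + fmts + grease
    body = (struct.pack(">H", 0x0303) + client_random + b"\x00"
            + struct.pack(">H", len(ciphers)) + ciphers + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    print(*ja3_from_client_hello(build_client_hello()))
```

The client random and the SNI value do not enter the hash, which is the point of JA3: it fingerprints the TLS library and its configuration, not the destination or the session.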
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 identical entries collapsed; 1.1.1.1 is a public recursive resolver, so UDP to it with no preceding lookup is most likely DNS sent to a hard-coded resolver rather than contact with an unresolved C2 address)
Source: global traffic HTTP traffic detected:
GET /?p_age=0&p_cpua=x64&p_edi=15&p_icar=1&p_lng=en&p_midex=3F5C7CD44D1F6AC769934CADA267B4DF5D947186C770C67293689B94B6A17DFA&p_ost=0&p_osv=10.0&p_pro=111&p_prod=avg-av&p_ram=8191&p_vbd=9311&p_vep=24&p_ves=7&p_vre=1966&repoid=release& HTTP/1.1
  Host: shepherd.avcdn.net
  User-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0
  Accept: */*
  Accept-Encoding: deflate, gzip
Source: global traffic HTTP traffic detected:
GET /?p_age=0&p_cpua=x64&p_icar=1&p_lng=en&p_midex=3F5C7CD44D1F6AC769934CADA267B4DF5D947186C770C67293689B94B6A17DFA&p_ost=0&p_osv=10.0&p_pro=111&p_prod=avg-av-vps&p_ram=8191&p_vbd=2906&p_vep=24&p_ves=7&p_vre=7018&repoid=release& HTTP/1.1
  Host: shepherd.avcdn.net
  User-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0
  Accept: */*
  Accept-Encoding: deflate, gzip
(Both requests send CPU architecture, OS version, RAM size and product/version numbers to the same host in the query string; p_midex is the same 64-hex-character value in both, i.e. a per-machine identifier. The two p_prod values match the two /slave components, avg-av and avg-av-vps, in the process tree.)
Source: global trafficDNS traffic detected: DNS query: analytics.avcdn.net
Source: global trafficDNS traffic detected: DNS query: honzik.avcdn.net
Source: global trafficDNS traffic detected: DNS query: shepherd.avcdn.net
Source: unknown HTTP traffic detected:
POST /v4/receive/json/25 HTTP/1.1
  Connection: Keep-Alive
  User-Agent: Icarus Http/1.0
  Content-Length: 986
  Host: analytics.avcdn.net
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, icarus_ui.exe, 00000003.00000000.1855814088.00007FF74BD80000.00000002.00000001.01000000.00000009.sdmp, icarus_ui.exe, 00000003.00000002.2920194361.00007FF74BD80000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://%s:%d;https=https://%s:%dHTTP/1.0
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cnx.conceptsheartranch.com/
Source: icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cnx.conceptsheartranch.comavcfg://settings/Common/InstallTime=Sending
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: 
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 
00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: 
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 
00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853481959.000002D35D136000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853130990.000002D35D127000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853201578.000002D35D131000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://doubleclick-proxy.ff.avast.com/v1/gclid
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://gf.tools.avast.com/tools/gf/
Source: icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://median-a1.iavs9x.u.avast.com/iavs9x/avast_one_essential_setup_online.exe
Source: icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853130990.000002D35D127000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853201578.000002D35D131000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://median-free.iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online.exe
Source: icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://median-free.iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online.exete;sqlite
Source: icarus.exe, 00000002.00000003.1853261533.000002D35D133000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853130990.000002D35D127000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853201578.000002D35D131000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://median-free.iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online.exe~I2
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1664697127.000000000320A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1669981214.0000000003226000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 
00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 
00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpString found in binary or memory: http://ocsp.sectigo.com0
Source: icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://push.ff.avast.com
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://submit.sb.avast.com/V1/MD/
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://submit.sb.avast.com/V1/PD/
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853076168.000002D35D114000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wtu.d.avcdn.net/avg/wtu/95b029cd737ea13a32d791d4e211fde568448486e62646a07992c7e57969ecf0/WTUI
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853076168.000002D35D114000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wtu.d.avcdn.net/avg/wtu/95b029cd737ea13a32d791d4e211fde568448486e62646a07992c7e57969ecf0/wtu.
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 
00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpString found in binary or memory: http://www.avast.com0/
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 
00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmp, aswOfferTool.exe, 00000009.00000002.1989687923.0000000000A32000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: icarus_ui.exe, 00000003.00000002.2915633088.000001D3129B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: icarus_ui.exe, 00000003.00000002.2915633088.000001D3129C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: icarus_ui.exe, 00000003.00000002.2920194361.00007FF74BD80000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, icarus_ui.exe, 00000003.00000000.1855814088.00007FF74BD80000.00000002.00000001.01000000.00000009.sdmp, icarus_ui.exe, 00000003.00000002.2920194361.00007FF74BD80000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.winimage.com/zLibDllDELETEPUTCONNECTTRACECOPYLOCKMKCOLMOVEPROPFINDPROPPATCHSEARCHUNLOCKBI
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/3517838/avg_online_security-latest.xpi?src=externa
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://addons.opera.com/extensions/details/avg-online-security
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1664697127.000000000320A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1849522341.000000000320A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1669981214.0000000003226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.2457096726.000000000320A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.2457714247.0000000003281000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2898014771.0000000003282000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.2457418179.0000000003225000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/2
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1657943139.00000000031F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/W
Source: icarus.exe, 00000002.00000002.2898637326.000002D35D0C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/118
Source: icarus.exe, 00000008.00000002.2899989482.000001F6F7685000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F7EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1651654283.000000000320C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1657867754.000000000320A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/2550
Source: icarus.exe, 00000002.00000002.2902670989.000002D35F849000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25:false
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1657943139.00000000031F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25A
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2903635277.0000000005CFD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.2456769775.0000000005CFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25E
Source: icarus.exe, 00000007.00000002.2897158966.000001C8D1535000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25H
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000000.1645759970.00000000006A7000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25Sent
Source: icarus.exe, 00000002.00000002.2898637326.000002D35D0C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25_t
Source: icarus.exe, 00000002.00000002.2902670989.000002D35F849000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25d
Source: icarus.exe, 00000002.00000002.2898637326.000002D35D0C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25iB
Source: icarus.exe, 00000007.00000002.2898407396.000001C8D3051000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25ve/j
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2895814108.0000000003198000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.avcdn.net:443/v4/receive/json/25
Source: icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853481959.000002D35D136000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853130990.000002D35D127000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853201578.000002D35D131000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bloatware.ff.avast.com/avast/ss/
Source: icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, aswOfferTool.exe, 0000000B.00000002.1988628419.0000000000B7B000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: https://cdn-av-download.avastbrowser.com/avg_secure_browser_setup-szb.exehttps://cdn-av-download.ava
Source: icarus.exe, 00000002.00000003.1874937842.000002D35EFD0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1874974473.000002D35EF90000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1874904638.000002D35D158000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1885338227.000002D35D159000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2898637326.000002D35D14E000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1874974473.000002D35EFAF000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2899989482.000001F6F7685000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F7EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn-av-download.avgbrowser.com/avg_secure_browser_setup.exe
Source: icarus.exe, 00000002.00000002.2898637326.000002D35D129000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn-av-download.avgbrowser.com/avg_secure_browser_setup.exex
Source: icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn-download.avastbrowser.com/avg_secure_browser_setup.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore/detail/avg-online-security/nbmoafcmbajniiapeidgficgifbfmjfo?utm_s
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1831517208.0000000006797000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2905598553.00007FF78C622000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000007.00000002.2902875824.00007FF6D81A2000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000008.00000002.2908474087.00007FF63D732000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
Source: icarus.exe, 00000008.00000003.1973817233.000001F6F7B59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx/value-string-expand
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2905598553.00007FF78C622000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000007.00000002.2902875824.00007FF6D81A2000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000008.00000002.2908474087.00007FF63D732000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxretriesshow-windowargumentsUnable
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000000.1851454101.00007FF78C607000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000002.00000002.2905598553.00007FF78C607000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000007.00000000.1964936878.00007FF6D8187000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000007.00000002.2902875824.00007FF6D8187000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000008.00000002.2908474087.00007FF63D717000.00000002.00000001.01000000.00000011.sdmp, icarus.exe, 00000008.00000000.1965090416.00007FF63D717000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000000.1851454101.00007FF78C607000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000002.00000002.2905598553.00007FF78C607000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000007.00000000.1964936878.00007FF6D8187000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000007.00000002.2902875824.00007FF6D8187000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000008.00000002.2908474087.00007FF63D717000.00000002.00000001.01000000.00000011.sdmp, icarus.exe, 00000008.00000000.1965090416.00007FF63D717000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000000.1851454101.00007FF78C607000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000002.00000002.2905598553.00007FF78C607000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000007.00000000.1964936878.00007FF6D8187000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000007.00000002.2902875824.00007FF6D8187000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000008.00000002.2908474087.00007FF63D717000.00000002.00000001.01000000.00000011.sdmp, icarus.exe, 00000008.00000000.1965090416.00007FF63D717000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1831517208.0000000006797000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://firefoxextension.avast.com/aos/update.json
Source: icarus.exe, 00000008.00000002.2904362656.000001F6F81E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://firefoxextension.avast.com/aos/update.json%
Source: icarus.exe, 00000008.00000003.1973817233.000001F6F7B59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://firefoxextension.avast.com/aos/update.json/update-url
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hns-legacy.sb.avast.com
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1849912349.0000000005CCF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2895814108.0000000003198000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2903456913.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681154281.0000000005CCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1849912349.0000000005CCF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2903456913.0000000005CC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/O
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2895814108.0000000003198000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1664697127.0000000003202000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1669981214.0000000003202000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/defs/avg-av/release.xml.lzma
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1664697127.000000000320A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1669981214.0000000003226000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/defs/avg-av/release.xml.lzmacdn.net
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-atrk/release/avg_antitrack_online_setup.exe
Source: icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-av/release/avg_antivirus_free_online_setup.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-bg/release/avg_breach_guard_online_setup.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-bs/release/avg_battery_saver_online_setup.exe
Source: icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-bs/release/avg_battery_saver_online_setup.exe.com
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-du/release/avg_driver_updater_online_setup.exe
Source: icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-tu/release/avg_tuneup_online_setup.exe
Source: icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/setup/avg-vpn/release/avg_vpn_online_setup.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.2457555293.000000000320A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/2d97/b73e/44ed/2d97b73e44eddccbea3bc8edd9c1f3d2f2f242b4ee9d4792be5
Source: icarus.exe, 00000002.00000003.1959280513.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1966486857.000002D35F002000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/4aa3/1f81/f324/4aa31f81f324df466e31325ffd707dce1780ebef732cc8d2ce6
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.2457486793.00000000031EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/4c3e/3fd5/b573/4c3e3fd5b5731973696377d11d8b11553b039e1facbe1d65247
Source: icarus.exe, 00000002.00000003.1959280513.000002D35F002000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/5eb0/25c3/7721/5eb025c377218709a8a53743f910e4d2aa86fa28e1cd9e60b5d
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2895814108.0000000003198000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/66dc/1ddc/009e/66dc1ddc009eeac0da023172a5410a05d44324907f91fe42584
Source: icarus.exe, 00000002.00000003.1966486857.000002D35F002000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/73ee/5495/78de/73ee549578ded906711189edcef0eedbc9db7ccbd30cf7776bd
Source: icarus.exe, 00000002.00000003.1959280513.000002D35F002000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/7b99/f3a1/0edd/7b99f3a10edd78f195ac9f440711ae605356ad6d072edc4a41e
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2895814108.0000000003198000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/d521/14b0/5750/d52114b057504439df11368add0a66b037622f24e710731b136
Source: icarus.exe, 00000002.00000003.1959280513.000002D35F002000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/universe/e3ef/98cb/2578/e3ef98cb25785ff1df992b116eb238a80eab17977c72f7dcd8b
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1849912349.0000000005CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net/w
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2895814108.0000000003198000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://honzik.avcdn.net:443/universe/5445/a6af/3bf6/5445a6af3bf675fb142d6dd3365c3d1f65967338bfdce85
Source: icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.avast.com/inAvastium
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.avg.com
Source: icarus.exe, 00000002.00000003.1853261533.000002D35D133000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853130990.000002D35D127000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853201578.000002D35D131000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.avg.comad
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853076168.000002D35D10F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://identityprotection.avg.com
Source: icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipm-provider.ff.avast.com/
Source: icarus.exe, 00000007.00000002.2898407396.000001C8D3051000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipm.avcdn.n
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898578349.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940115639.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892593771.000002D35EFE1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1927350397.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1989208877.000002D35EFED000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892445682.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1966718120.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1893050558.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1980653834.000002D35EFF3000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1914249122.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900415485.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2901114701.000002D35EF80000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1874937842.000002D35EFD0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892543481.000002D35EFA1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1981021141.000002D35EFF0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1939500757.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1972416154.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892634196.000002D35EFC1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1971955272.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipm.avcdn.net/
Source: icarus.exe, 00000002.00000002.2901114701.000002D35EF80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipm.avcdn.net/T
Source: icarus.exe, 00000002.00000002.2901114701.000002D35EF80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipm.avcdn.net/X
Source: icarus.exe, 00000002.00000003.1853261533.000002D35D133000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853130990.000002D35D127000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853201578.000002D35D131000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipm.avcdn.net/kN
Source: icarus.exe, 00000008.00000002.2899989482.000001F6F7685000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipm.avcdn.net/pQl
Source: icarus.exe, 00000007.00000002.2897158966.000001C8D1502000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipm.avcdn.net/set.s-
Source: icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853130990.000002D35D127000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853201578.000002D35D131000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://my.avast.com
Source: icarus.exe, 00000002.00000003.1853261533.000002D35D133000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853130990.000002D35D127000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853201578.000002D35D131000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://my.avast.comgN:
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pair.ff.avast.com
Source: icarus.exe, 00000002.00000003.1853076168.000002D35D114000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pair.ff.avast.coml
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853076168.000002D35D114000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://prod1-fe-basic-auth-breach.prod.aws.lifelock.com
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s-nuistatic.avcdn.net/nui/avg/1.0.752/updatefile.json
Source: icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, aswOfferTool.exe, 0000000B.00000002.1988628419.0000000000B7B000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: https://s-tools.avcdn.net/tools/chrome/av-chrome-2019.exe.lzma.tmpInstallerOffers.GoogleChrome/r:
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpString found in binary or memory: https://sectigo.com/CPS0
Source: icarus.exe, 00000007.00000002.2898407396.000001C8D30A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shepherd.av
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1831517208.0000000006797000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F7EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shepherd.avcdn.net
Source: icarus.exe, 00000007.00000002.2898407396.000001C8D3030000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2897158966.000001C8D1502000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2899989482.000001F6F7685000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F7EE0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpString found in binary or memory: https://shepherd.avcdn.net/
Source: icarus.exe, 00000002.00000002.2898637326.000002D35D129000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2898407396.000001C8D3030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shepherd.avcdn.net//url
Source: icarus.exe, 00000002.00000003.1885338227.000002D35D159000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shepherd.avcdn.net/?p_age=0&p_cpua=x64&p_edi=15&p_icar=1&p_lng=en&p_midex=3F5C7CD44D1F6AC769
Source: icarus.exe, 00000002.00000002.2898637326.000002D35D129000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shepherd.avcdn.net/NLa
Source: icarus.exe, 00000007.00000002.2898407396.000001C8D3051000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://shepherd.avcdn.net/erd.av
Source: icarus.exe, 00000008.00000003.1973817233.000001F6F7B59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://shepherd.avcdn.net/url
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stream-production.avcdn.net
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://submit.sb.avast.com
Source: icarus_ui.exe, 00000003.00000002.2905519878.000001D30CE11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.avast.com/article/3/#idt_014
Source: icarus_ui.exe, 00000003.00000002.2905519878.000001D30CE11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.avg.com
Source: icarus_ui.exe, 00000003.00000002.2905519878.000001D30CE11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.avg.com/SupportArticleView?urlName=AVG-System-requirements&q=What
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://viruslab-samples.sb.avast.com
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://viruslab-samples.sb.avast.comhttps://submit.sb.avast.comhttps://hns-legacy.sb.avast.comhttps
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://winqual.sb.avast.com
Source: icarus_ui.exe, 00000003.00000003.1860595742.000001D30CB02000.00000004.00000020.00020000.00000000.sdmp, icarus_ui.exe, 00000003.00000002.2906203699.000001D30F220000.00000004.00000020.00020000.00000000.sdmp, icarus_ui.exe, 00000003.00000003.1860348936.000001D30C8F9000.00000004.00000020.00020000.00000000.sdmp, icarus_ui.exe, 00000003.00000002.2905519878.000001D30CE11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.avg.com/eula#pc
Source: icarus_ui.exe, 00000003.00000002.2906203699.000001D30F220000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.avg.com/eula#pcs
Source: icarus_ui.exe, 00000003.00000002.2905519878.000001D30CE11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.avg.com/homepage#pc
Source: icarus_ui.exe, 00000003.00000003.1860595742.000001D30CB02000.00000004.00000020.00020000.00000000.sdmp, icarus_ui.exe, 00000003.00000002.2906203699.000001D30F220000.00000004.00000020.00020000.00000000.sdmp, icarus_ui.exe, 00000003.00000003.1860348936.000001D30C8F9000.00000004.00000020.00020000.00000000.sdmp, icarus_ui.exe, 00000003.00000002.2905519878.000001D30CE11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.avg.com/privacy
Source: icarus_ui.exe, 00000003.00000002.2906203699.000001D30F220000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.avg.com/privacys
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_005CFD40 GetModuleHandleW,GetProcAddress,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess, 0_2_005CFD40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_005CBF70 NtQueryInformationProcess,GetModuleHandleW,GetProcAddress,GetLastError,GetLastError,NtQueryInformationProcess,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error, 0_2_005CBF70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_005CC030 NtQueryInformationProcess, 0_2_005CC030
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | Code function: 7_2_00007FFDFB763A00 RegCloseKey,SetLastError,RegSetValueExW,RegCloseKey,SetLastError,NtClose, 7_2_00007FFDFB763A00
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | Code function: 7_2_00007FFDFB763770 NtDeleteKey,NtClose,RegCloseKey,SetLastError, 7_2_00007FFDFB763770
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | Code function: 7_2_00007FFDFB763680 NtQueryKey, 7_2_00007FFDFB763680
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | Code function: 7_2_00007FFDFB763540 NtOpenKey, 7_2_00007FFDFB763540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_00644540: GetSystemDirectoryW,GetLastError,GetVolumePathNameW,GetLastError,GetVolumeNameForVolumeMountPointW,GetLastError,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, 0_2_00644540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_005CD2F0 DuplicateTokenEx,SetTokenInformation,SetTokenInformation,GetLastError,CreateProcessAsUserW,GetLastError,CloseHandle,GetLastError,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error,GetLastError,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error,GetLastError, 0_2_005CD2F0
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Documents\aswOfferTool.exe 4AA31F81F324DF466E31325FFD707DCE1780EBEF732CC8D2CE6CE02D7140173B
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | Code function: String function: 00007FFDFB74C740 appears 128 times
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | Code function: String function: 00007FFDFB732E70 appears 36 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: String function: 0064DDF0 appears 58 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: String function: 005C8120 appears 38 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: String function: 005B8750 appears 53 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: String function: 005C7460 appears 57 times
Source: aswOfferTool.exe.2.dr | Static PE information: Resource name: FILE type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: aswOfferTool.exe.9.dr | Static PE information: Resource name: FILE type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameicarus_ui.exe2 vs SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameicarus_sfx.exemicrostub.exeUnable to get parent command line.Software\Microsoft\Windows\CurrentVersion\RunOnceUnable to write RunOnce to registry.No parent PID. vs SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameicarus.exe2 vs SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAvBugReport.exe2 vs SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameavDump.exe2 vs SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/invalid stoi argumentstoi argument out of rangeUnable to query file object '{}'!/\\/\*..Unable to create directory '{}'!Unable to open directory '{}' for writing!%TMP%Unable to expand %TMP{} environment variable!%TEMP%Unable to expand %TEMP% environment variable!{}\TempUnable to retrieve the system drive letter!{}\{}{:016x}.{}.sysCannot query a .sys file version from PPL process '{}'tmpUnable to make a .sys copyGetFileVersionInfoSizeWGetFileVersionInfoWVerQueryValueWVerQueryValueW signature is invalidget_version: '{}'\StringFileInfo\%04x%04x\%sVerQueryValueW '{}'Cannt query a .sys file version info from PPL process '{}'GetFileVersionInfoSizeW '{}'GetFileVersionInfoW '{}'\VarFileInfo\TranslationCompanyNameProductNameProductVersionFileDescriptionFileVersionOriginalFilenameInternalNameLegalCopyrightLegalTrademarksCommentsPrivateBuildSpecialBuildUnable to get file size!Unable to get size of file '{}'!Failed to get file write time '{}'Unable to open file '{}'!set_file_content '{}'set_file_contentUnable to enumerate directory '{}'!get_available_disk_spacenocase::compare left nullparamnocase::compare right nullparam vs SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000000.1645850294.000000000070A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameicarus_sfx.exe2 vs SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameicarus_sfx.exe2 vs SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameicarus_mod.dll2 vs SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: classification engine | Classification label: mal45.troj.evad.winEXE@12/54@12/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_005CFEC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 0_2_005CFEC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_005F1450 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GlobalMemoryStatusEx,GetDiskFreeSpaceExW,GetSystemTimes,QueryPerformanceCounter,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 0_2_005F1450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_005CD7F0 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,K32GetProcessImageFileNameW,GetPriorityClass,GetProcessTimes,K32GetProcessMemoryInfo,CloseHandle,Process32NextW,CloseHandle,GetLastError,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error, 0_2_005CD7F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_00627140 BeginPaint,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SetBkMode,SetTextColor,CreateFontIndirectW,SelectObject,DrawTextW,BitBlt,SelectObject,DeleteObject,SelectObject,DeleteObject,DeleteDC,EndPaint,PostQuitMessage,GdipGetImageWidth,GdipGetImageHeight,GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,SetWindowTextW,SetTimer,GetModuleHandleW,GetProcAddress,KillTimer,KillTimer,GdipImageSelectActiveFrame,SetTimer,InvalidateRect,CoCreateInstance,DefWindowProcW,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00627140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_00602A10 GetModuleHandleW,FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_00602A10
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe | File created: C:\Users\Public\Documents\aswOfferTool.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\678b2c598c892b87ce7001df13a02da0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | File created: C:\Users\user\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | File read: C:\ProgramData\AVG\Icarus\settings\proxy.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe String found in binary or memory: sfx-start
Source: icarus.exe String found in binary or memory: 'action-start-type' element includes invalid CDATA!
Source: icarus.exe String found in binary or memory: action-start-type
Source: icarus.exe String found in binary or memory: action-start-type(%s)
Source: icarus.exe String found in binary or memory: Invalid action-start-type
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Process created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\icarus-info.xml /install /sssid:7544
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Process created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Process created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699 /er_slave:avg-av-vps_slave_ep_9790da46-df0d-4eaf-836c-333e7f0f6bff /slave:avg-av-vps
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Process created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699 /er_slave:avg-av_slave_ep_83aa3eab-76fa-4cb3-9fbe-ff74362582a9 /slave:avg-av
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Process created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe "C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe Process created: C:\Users\Public\Documents\aswOfferTool.exe "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: winhttp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: powrprof.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: netapi32.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: secur32.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: dnsapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: samcli.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: netutils.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: sspicli.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: umpdc.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: dbghelp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: dbgcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: cryptsp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: rsaenh.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: napinsp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: wshbth.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: nlaapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: mswsock.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: winrnr.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: version.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: schannel.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: ntasn1.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: ncrypt.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe Section loaded: taskschd.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: userenv.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: powrprof.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: version.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: oleacc.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: usp10.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: wininet.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: winmm.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: umpdc.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: dbghelp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: dbgcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: cryptsp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: rsaenh.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: winsta.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: d2d1.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: dwrite.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: dwmapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: mswsock.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: dataexchange.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: d3d11.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: dcomp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: dxgi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: directmanipulation.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: d3d10warp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: dxcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: propsys.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: textinputframework.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: coremessaging.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: textshaping.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: uiautomationcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe Section loaded: explorerframe.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: winhttp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: powrprof.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: netapi32.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: secur32.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: dnsapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: samcli.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: netutils.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: sspicli.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: umpdc.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: dbghelp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: dbgcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: napinsp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: wshbth.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: nlaapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: mswsock.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: winrnr.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: version.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: userenv.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: cryptsp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe Section loaded: rsaenh.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: winhttp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: powrprof.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: netapi32.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: secur32.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: dnsapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: samcli.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: netutils.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: sspicli.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: umpdc.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: dbghelp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: dbgcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: napinsp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: wshbth.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: nlaapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: mswsock.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: winrnr.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: userenv.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: version.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: msasn1.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: cryptsp.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: rsaenh.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: wscapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: urlmon.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: iertutil.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe Section loaded: srvcli.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\Public\Documents\aswOfferTool.exeSection loaded: wtsapi32.dll
Source: C:\Users\Public\Documents\aswOfferTool.exeSection loaded: userenv.dll
Source: C:\Users\Public\Documents\aswOfferTool.exeSection loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\aswOfferTool.exeSection loaded: cryptbase.dll
Source: C:\Users\Public\Documents\aswOfferTool.exeSection loaded: version.dll
Source: C:\Users\Public\Documents\aswOfferTool.exeSection loaded: winmm.dll
Source: C:\Users\Public\Documents\aswOfferTool.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exeFile written: C:\ProgramData\AVG\Icarus\settings\proxy.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic PE information: certificate valid
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic file information: File size 1631120 > 1048576
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x106000
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus.pdb] source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2905598553.00007FF78C622000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000007.00000002.2902875824.00007FF6D81A2000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000008.00000002.2908474087.00007FF63D732000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\icarus_mod.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_product_av.pdb source: icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\icarus_sfx.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000000.1645759970.00000000006A7000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_ui.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, icarus_ui.exe, 00000003.00000000.1855814088.00007FF74BD80000.00000002.00000001.01000000.00000009.sdmp, icarus_ui.exe, 00000003.00000002.2920194361.00007FF74BD80000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\avDump.pdb@ source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\aswOfferTool.pdb source: icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, aswOfferTool.exe, 0000000B.00000002.1988628419.0000000000B7B000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\gcapi_dll.dll.pdb source: icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\avDump.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\AvBugReport.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_rvrt.pdb source: icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus.pdb source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2905598553.00007FF78C622000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000007.00000002.2902875824.00007FF6D81A2000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000008.00000002.2908474087.00007FF63D732000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_product_vps.pdb source: icarus.exe, 00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2905801489.00007FFDFB7B0000.00000002.00000001.01000000.00000012.sdmp
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_00610DF0 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,GetLastError, 0_2_00610DF0
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Static PE information: section name: .didat
Source: dump_process.exe.0.dr | Static PE information: section name: .didat
Source: dump_process.exe.0.dr | Static PE information: section name: _RDATA
Source: bug_report.exe.0.dr | Static PE information: section name: _RDATA
Source: icarus.exe.0.dr | Static PE information: section name: .didat
Source: icarus.exe.0.dr | Static PE information: section name: _RDATA
Source: icarus_ui.exe.0.dr | Static PE information: section name: _RDATA
Source: icarus.exe.2.dr | Static PE information: section name: .didat
Source: icarus.exe.2.dr | Static PE information: section name: _RDATA
Source: icarus.exe0.2.dr | Static PE information: section name: .didat
Source: icarus.exe0.2.dr | Static PE information: section name: _RDATA
Source: dump_process.exe.2.dr | Static PE information: section name: .didat
Source: dump_process.exe.2.dr | Static PE information: section name: _RDATA
Source: icarus_ui.exe.2.dr | Static PE information: section name: _RDATA
Source: bug_report.exe.2.dr | Static PE information: section name: _RDATA
Source: dump_process.exe0.2.dr | Static PE information: section name: .didat
Source: dump_process.exe0.2.dr | Static PE information: section name: _RDATA
Source: bug_report.exe0.2.dr | Static PE information: section name: _RDATA
Source: icarus_product.dll.2.dr | Static PE information: section name: _RDATA
Source: icarus_product.dll0.2.dr | Static PE information: section name: _RDATA
Source: gcapi.dll.9.dr | Static PE information: section name: .00cfg
Source: gcapi.dll.9.dr | Static PE information: section name: .voltbl
Source: gcapi.dll.9.dr | Static PE information: section name: malloc_h
Source: gcapi.dll.11.dr | Static PE information: section name: .00cfg
Source: gcapi.dll.11.dr | Static PE information: section name: .voltbl
Source: gcapi.dll.11.dr | Static PE information: section name: malloc_h
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: 0_2_0064D9BD push ecx; ret 0_2_0064D9D0

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%u 0_2_006448A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u 0_2_00644B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u 0_2_00644EE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\bug_report.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\dump_process.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe | File created: C:\Users\Public\Documents\aswOfferTool.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus_rvrt.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus_ui.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_mod.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\bug_report.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\dump_process.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus_product.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\bug_report.exe
Source: C:\Users\Public\Documents\aswOfferTool.exe | File created: C:\Users\Public\Documents\gcapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus_product.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus_rvrt.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\dump_process.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\gcapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\bug_report.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\dump_process.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus_rvrt.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus_ui.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_mod.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\bug_report.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\dump_process.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus_product.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\bug_report.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus_product.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus_rvrt.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\dump_process.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe | File created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\gcapi.dll

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%u 0_2_006448A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u 0_2_00644B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u 0_2_00644EE0
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> System information queried: FirmwareTableInformation (2 identical entries)
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> System information queried: FirmwareTableInformation (2 identical entries)
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> System information queried: FirmwareTableInformation (2 identical entries)
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe -> System information queried: FirmwareTableInformation (3 identical entries)
Source: icarus.exe, 00000008.00000003.1974439911.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: %PRODUCT_INST_32%\ASWHOOK.DLLC
Source: icarus.exe, 00000008.00000003.1974439911.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: %PRODUCT_INST_A64%\ASWHOOK.DLLC
Source: icarus.exe, 00000008.00000003.1973817233.000001F6F7B59000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: <DEST%PRODUCT_INST_64%/ASWHOOK.DLL/DEST>
Source: icarus.exe, 00000008.00000003.1974439911.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: %PRODUCT_INST_64%\ASWHOOK.DLLP
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1831517208.0000000006797000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: <DEST>%PRODUCT_INST_A64%/ASWHOOK.DLL</DEST>
Source: icarus.exe, 00000008.00000003.1974439911.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: %PRODUCT_INST_32%\ASWHOOK.DLLN
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1831517208.0000000006797000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1915117176.000002D35EFC9000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1916164054.000002D35EFD4000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: <PATH>%PRODUCT_INST_32%\ASWHOOKX.DLL</PATH>
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1831517208.0000000006797000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: <DEST>%PRODUCT_INST_32%/ASWHOOK.DLL</DEST>
Source: icarus.exe, 00000008.00000003.1974439911.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: %PRODUCT_INST_32%\ASWHOOK.DLL
Source: icarus.exe, 00000008.00000003.1974439911.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: %PRODUCT_INST_A64%\ASWHOOK.DLL
Source: icarus.exe, 00000008.00000003.1974439911.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: %PRODUCT_INST_A64%\ASWHOOK.DLLP
Source: icarus.exe, 00000008.00000003.1973817233.000001F6F7B59000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: <PATH%PRODUCT_INST_32%\ASWHOOKX.DLL/PATH>
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1831517208.0000000006797000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: <DEST>%PRODUCT_INST_64%/ASWHOOK.DLL</DEST>
Source: icarus.exe, 00000008.00000003.1973817233.000001F6F7B59000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: <DEST%PRODUCT_INST_32%/ASWHOOK.DLL/DEST>
Source: icarus.exe, 00000008.00000003.1973817233.000001F6F7B59000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: <DEST%PRODUCT_INST_A64%/ASWHOOK.DLL/DEST>
Source: icarus.exe, 00000008.00000003.1974439911.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F801E000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: %PRODUCT_INST_64%\ASWHOOK.DLL (2 identical entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_005F1450 rdtsc
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe -> Window / User API: windowPlacementGot 480
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe -> Window / User API: windowPlacementGot 490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\bug_report.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\dump_process.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus_rvrt.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_mod.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\bug_report.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\dump_process.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus_product.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\bug_report.exe
Source: C:\Users\Public\Documents\aswOfferTool.exe -> Dropped PE file which has not been started: C:\Users\Public\Documents\gcapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus_product.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus_rvrt.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\dump_process.exe
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe -> Dropped PE file which has not been started: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\gcapi.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> API coverage: 7.6 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe TID: 7564 -> Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> File Volume queried: C:\ FullSizeInformation (2 identical entries)
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> File Volume queried: C:\ FullSizeInformation (2 identical entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_00690234 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_005EA900 FindFirstFileW,FindNextFileW,FindClose,GetFileAttributesW,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_005ECEB0 FindFirstFileExW,GetLastError,PathMatchSpecW,FindNextFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_00615740 FindFirstFileW,MoveFileExW,GetLastError,FindNextFileW,GetFileAttributesW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_005E2140 GetSystemInfo,GetVersionExW,GetVersionExW,RtlGetVersion,GetModuleHandleW,GetProcAddress,RtlGetVersion
Source: icarus.exe, 00000007.00000003.1966356441.000001C8D1516000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: icarus_ui.exe, 00000003.00000002.2902059166.000001D30C9C0000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAWn
Source: icarus.exe, 00000002.00000003.1989306727.000002D35EFB0000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: (5 entries from this dump, each followed by different trailing bytes: 7, w, x, @T, @)
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2895814108.0000000003198000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1664697127.000000000320A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1651654283.000000000320C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1849522341.000000000320A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1669981214.0000000003226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.2457096726.000000000320A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1669981214.000000000320A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2897498464.000000000320A000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW
Source: icarus.exe, 00000002.00000003.1853910549.000002D35D156000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: ice\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e
Source: icarus.exe, 00000007.00000002.2897158966.000001C8D1496000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM`
Source: icarus.exe, 00000002.00000003.1854130320.000002D35D12B000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: ice\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1646126729.00000000031BC000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:((
Source: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1648440496.00000000031FC000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:11
Source: icarus.exe, 00000002.00000002.2898637326.000002D35D0C7000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe -> Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_005F1450 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_0066884F IsDebuggerPresent,OutputDebugStringW
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Code function: 7_2_00007FFDFB7A6EF0 GetLastError,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_00610DF0 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,GetLastError
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_0068C6C6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_0068C70A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_006852A8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_005F3250 GetModuleHandleW,GetClassInfoExW,GetLastError,Sleep,GetProcessHeap,asw_process_storage_allocate_connector,HeapAlloc,asw_process_storage_allocate_connector,InitializeCriticalSection,GetProcessHeap,GetProcessHeap,RegisterClassExW,asw_process_storage_deallocate_connector,HeapFree,asw_process_storage_deallocate_connector,DeleteCriticalSection,GetProcessHeap,asw_process_storage_deallocate_connector,HeapFree,asw_process_storage_deallocate_connector,GetLastError,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error,GetLastError,Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Process token adjusted: Debug
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe -> Process token adjusted: Debug
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Process token adjusted: Debug
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe -> Process token adjusted: Debug
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe -> Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_0064D0F1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_00673233 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_0064DBF0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Code function: 7_2_00007FFDFB77BB68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Code function: 7_2_00007FFDFB789DF0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Code function: 7_2_00007FFDFB77B098 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Process created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\icarus-info.xml /install /sssid:7544
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Process created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Process created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699 /er_slave:avg-av-vps_slave_ep_9790da46-df0d-4eaf-836c-333e7f0f6bff /slave:avg-av-vps
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Process created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699 /er_slave:avg-av_slave_ep_83aa3eab-76fa-4cb3-9fbe-ff74362582a9 /slave:avg-av
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Process created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe c:\windows\temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699 /er_slave:avg-av-vps_slave_ep_9790da46-df0d-4eaf-836c-333e7f0f6bff /slave:avg-av-vps (2 identical entries; the same creation as above, with the command line recorded in lower case)
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Process created: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe c:\windows\temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699 /er_slave:avg-av_slave_ep_83aa3eab-76fa-4cb3-9fbe-ff74362582a9 /slave:avg-av (2 identical entries; the same creation as above, with the command line recorded in lower case)
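Added example (my own triage helper, not part of the Joe Sandbox report and not code from the vendor whose installer framework is observed here): a Python script that parses rows in the glued form shown above, rebuilds the process tree from the "Process created" rows (merging the repeated entries that differ only in path case) and tallies evasion indicators per process. The sample rows are constructed from this report's entries with the long paths held in variables; the indicator names, the high/medium/low ratings and the rule that demotes IsDebuggerPresent when it sits inside the MSVC CRT's SetUnhandledExceptionFilter/UnhandledExceptionFilter fail-fast sequence are my assumptions, as is reading "Hyper-V RAW" as the Winsock catalog name of the Hyper-V socket provider rather than as a VM check by the sample.

```python
"""Triage helper for Joe Sandbox-style behaviour rows (added example, not Joe Sandbox code)."""
import re
from collections import Counter, defaultdict

# Constructed sample rows modelled on the report above; in the extracted HTML the "Source" cell,
# the finding label and the "Jump to ..." link text are glued together without a separator.
S = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe"
T = r"C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464"
EP = ("/sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 "
      "/er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699")
SAMPLE_LINES = [
    f"Source: {S}System information queried: FirmwareTableInformationJump to behavior",
    f"Source: {S}Code function: 0_2_005F1450 rdtsc 0_2_005F1450",
    f"Source: {S}Code function: 0_2_0068C6C6 mov eax, dword ptr fs:[00000030h]0_2_0068C6C6",
    f"Source: {S}Code function: 0_2_0066884F IsDebuggerPresent,OutputDebugStringW,0_2_0066884F",
    f"Source: {S}Code function: 0_2_0064DBF0 IsProcessorFeaturePresent,IsDebuggerPresent,"
    "SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0064DBF0",
    f"Source: {S} TID: 7564Thread sleep time: -90000s >= -30000sJump to behavior",
    f"Source: {S}File opened: PhysicalDrive0Jump to behavior",
    r"Source: icarus.exe, 00000002.00000002.2898637326.000002D35D0C7000.00000004.00000020.00020000"
    r".00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    rf"Source: {S}Process created: {T}\common\icarus.exe {T}\common\icarus.exe "
    rf"/icarus-info-path:{T}\icarus-info.xml /install /sssid:7544Jump to behavior",
    rf"Source: {T}\common\icarus.exeProcess created: {T}\common\icarus_ui.exe {T}\common\icarus_ui.exe "
    f"{EP}Jump to behavior",
    rf"Source: {T}\common\icarus.exeProcess created: {T}\avg-av-vps\icarus.exe {T}\avg-av-vps\icarus.exe "
    f"{EP} /er_slave:avg-av-vps_slave_ep_9790da46-df0d-4eaf-836c-333e7f0f6bff /slave:avg-av-vpsJump to behavior",
    rf"Source: {T}\common\icarus.exeProcess created: {T}\avg-av-vps\icarus.exe {T.lower()}\avg-av-vps\icarus.exe "
    f"{EP} /er_slave:avg-av-vps_slave_ep_9790da46-df0d-4eaf-836c-333e7f0f6bff /slave:avg-av-vps",
    rf"Source: {T}\common\icarus.exeProcess created: {T}\avg-av\icarus.exe {T}\avg-av\icarus.exe "
    f"{EP} /er_slave:avg-av_slave_ep_83aa3eab-76fa-4cb3-9fbe-ff74362582a9 /slave:avg-avJump to behavior",
]
LABELS = ("System information queried", "Binary or memory string", "Thread sleep time",
          "Process created", "Code function", "File opened")
ROW_RE = re.compile(r"^Source: (?P<src>.*?)(?P<label>" + "|".join(map(re.escape, LABELS)) + r"): (?P<detail>.*)$")
LINK_RE = re.compile(r"Jump to (?:behavior|dropped file)$")

def parse_row(row):
    """Split one glued row into {'src', 'label', 'detail'}; None if no known label is present."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    src = re.sub(r" TID: \d+$", "", m["src"])  # "...exe TID: 7564" -> bare process path
    return {"src": src, "label": m["label"], "detail": LINK_RE.sub("", m["detail"]).strip()}

def classify(rec):
    """Map a record to (indicator, signal) with signal in {'high', 'medium', 'low'}, or None."""
    label, d = rec["label"], rec["detail"]
    if label == "System information queried" and "FirmwareTableInformation" in d:
        return ("firmware table query: SMBIOS/ACPI vendor strings expose VMware, VirtualBox, Hyper-V", "high")
    if label == "File opened" and "PhysicalDrive" in d:
        return ("raw PhysicalDrive handle: disk size/vendor check, or boot-sector access", "high")
    if label == "Thread sleep time":
        return ("sleep long enough to trigger sandbox sleep skipping", "medium")
    if label == "Code function":
        if "rdtsc" in d:
            return ("rdtsc timing", "medium")
        if "fs:[00000030h]" in d:
            return ("direct PEB read via fs:[30h]", "medium")
        if "IsDebuggerPresent" in d:
            # Next to (Set)UnhandledExceptionFilter this is the MSVC CRT __scrt_fastfail path,
            # present in any binary built with the modern CRT; on its own it is a real check.
            crt = "SetUnhandledExceptionFilter" in d and "UnhandledExceptionFilter" in d
            return ("IsDebuggerPresent in MSVC CRT boilerplate", "low") if crt else ("IsDebuggerPresent", "medium")
    if label == "Binary or memory string" and any(k in d for k in ("VMware", "Hyper-V", "VBOX", "VirtualBox")):
        # "Hyper-V RAW" is the Winsock catalog name of the Hyper-V socket provider, and the VMware
        # device paths describe the analysis VM itself: host artifacts, not a check by the sample.
        return ("VM/host artifact string in memory dump", "low")
    return None

def build_process_tree(records):
    """Parent path -> [(child image, {flag: value})]; rows that differ only in path case
    (the report repeats each creation, once with a lower-cased command line) are merged."""
    children, seen = defaultdict(list), set()
    for r in records:
        if r["label"] != "Process created":
            continue
        image, _, cmd = r["detail"].partition(" ")  # "<image> <full command line>"
        key = (r["src"].lower(), image.lower(), cmd.lower())
        if key not in seen:
            seen.add(key)
            children[r["src"]].append((image, dict(re.findall(r"/([A-Za-z_-]+)(?::(\S*))?", cmd))))
    return children

def evasion_summary(records):
    out = defaultdict(Counter)  # process path -> Counter keyed by (indicator, signal)
    for r in records:
        hit = classify(r)
        if hit:
            out[r["src"]][hit] += 1
    return out

def triage(rows):
    recs = [r for r in map(parse_row, rows) if r]
    return build_process_tree(recs), evasion_summary(recs)

if __name__ == "__main__":
    tree, summary = triage(SAMPLE_LINES)
    print(dict(tree), dict(summary), sep="\n")
```

Run on this report's own rows the script yields a three-child tree under common\icarus.exe (icarus_ui.exe, avg-av-vps\icarus.exe, avg-av\icarus.exe) instead of the five creation rows listed, and it separates the evasion-looking hits by weight: the firmware-table queries and the PhysicalDrive0 handle stay high, while the IsDebuggerPresent hits that sit inside the SetUnhandledExceptionFilter/UnhandledExceptionFilter sequence are rated low because that sequence is the CRT's fail-fast path. Worth checking by hand afterwards: the rdtsc hit is at 0_2_005F1450, the same function the report lists with GetSystemTimeAsFileTime, QueryPerformanceCounter and CryptGenRandom, which is what an entropy-gathering routine looks like rather than a timing check, so a real triage should read that function before scoring it.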
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_005D04D0 AllocateAndInitializeSid,GetLengthSid,LocalAlloc,CopySid,LocalAlloc,InitializeAcl,AddAce,TreeResetNamedSecurityInfoW,SetLastError
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_005E2BF0 cpuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_0068C3F3 GetLocaleInfoW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_0069528F GetACP,IsValidCodePage,GetLocaleInfoW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_00695490 GetLocaleInfoW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_00695537 EnumSystemLocalesW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_00695582 EnumSystemLocalesW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_0069561D EnumSystemLocalesW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_006956B0 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_00695910 GetLocaleInfoW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_00695A39 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_00695B3F GetLocaleInfoW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_00695C0E GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_0068BE8D EnumSystemLocalesW
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Code function: 7_2_00007FFDFB7A0A98 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Code function: 7_2_00007FFDFB7A0C74 EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Code function: 7_2_00007FFDFB7A0238 TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Code function: 7_2_00007FFDFB798234 EnumSystemLocalesW
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Code function: 7_2_00007FFDFB798624 GetLocaleInfoW
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Code function: 7_2_00007FFDFB7A0658 EnumSystemLocalesW
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Code function: 7_2_00007FFDFB7A0588 EnumSystemLocalesW
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe -> Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation (10 identical entries)
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe -> Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe -> Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe -> Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation (5 identical entries)
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe -> Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation (4 identical entries)
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe -> Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe -> Queries volume information: C:\ProgramData\AVG\Icarus\Logs\icarus.log VolumeInformation (2 identical entries)
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe -> Queries volume information: C:\ProgramData\AVG\Icarus\Logs\icarus.log VolumeInformation (2 identical entries)
Source: C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe -> Queries volume information: C:\ProgramData\AVG\Icarus\Logs\event_manager.log VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_005F1450 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GlobalMemoryStatusEx,GetDiskFreeSpaceExW,GetSystemTimes,QueryPerformanceCounter,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_005F9050 __Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetSystemInfo,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetUserDefaultUILanguage,GetTimeZoneInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Code function: 0_2_005E2140 GetSystemInfo,GetVersionExW,GetVersionExW,RtlGetVersion,GetModuleHandleW,GetProcAddress,RtlGetVersion
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: icarus.exe, 00000008.00000002.2902743184.000001F6F7EE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %PRODUCT_INST_32%\sched.exe
Source: icarus.exe, 00000008.00000002.2899989482.000001F6F7685000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVGUI.exe
Source: icarus.exe, 00000008.00000002.2902743184.000001F6F7EE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %PRODUCT_INST_A64%\sched.exe
MITRE ATT&CK matrix (techniques with hits per tactic; hit count as shown in the report):

Reconnaissance: none
Resource Development: none
Initial Access: Valid Accounts (1)
Execution: Native API (2); Command and Scripting Interpreter (12); Scheduled Task/Job (1)
Persistence: DLL Side-Loading (1); DLL Search Order Hijacking (1); Valid Accounts (1); Windows Service (1); Scheduled Task/Job (1); Bootkit (1)
Privilege Escalation: DLL Side-Loading (1); DLL Search Order Hijacking (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (1); Process Injection (11); Scheduled Task/Job (1)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); DLL Search Order Hijacking (1); Masquerading (11); Valid Accounts (1); Virtualization/Sandbox Evasion (12); Access Token Manipulation (11); Process Injection (11); Bootkit (1)
Credential Access: Network Sniffing (1)
Discovery: System Time Discovery (2); File and Directory Discovery (3); Network Sniffing (1); System Information Discovery (57); Query Registry (1); Security Software Discovery (261); Virtualization/Sandbox Evasion (12); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (11)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (21); Non-Application Layer Protocol (3); Application Layer Protocol (4)
Exfiltration: none
Impact: none
Behavior Graph ID: 1484418; Sample: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe; Startdate: 30/07/2024; Architecture: WINDOWS; Score: 45

  • Start (node 2)
    DNS/IP: honzik.avcdn.net; analytics.ff.avast.com; 2 other IPs or domains
    Signatures: NDIS Filter Driver detected (likely used to intercept and sniff network traffic); Sigma detected: Execution from Suspicious Folder
    Started: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe (node 10)
  • SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe (node 10; counters 6, 43)
    DNS/IP: analytics-prod-gcp.ff.avast.com 34.117.223.223, ports 443, 49734, 49735, GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States
    Dropped: C:\Windows\Temp\...\icarus.exe (PE32+); C:\Windows\Temp\...\icarus_ui.exe (PE32+); C:\Windows\Temp\...\icarus_mod.dll (PE32); 2 other files (none is malicious)
    Signatures: Query firmware table information (likely to detect VMs); Contains functionality to infect the boot sector; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Started: icarus.exe (node 15)
  • icarus.exe (node 15; counters 3, 43)
    DNS/IP: shepherd-gcp.ff.avast.com 34.160.176.28, ports 443, 49751, 49756, ATGS-MMD-ASUS, United States; shepherd.ff.avast.com; 5 other IPs or domains
    Dropped: C:\Windows\Temp\...\icarus.exe (PE32+); C:\Windows\Temp\...\aswOfferTool.exe (PE32); C:\Windows\Temp\...\icarus.exe (PE32+); 9 other files (none is malicious)
    Signatures: Query firmware table information (likely to detect VMs)
    Started: icarus.exe (node 20); icarus.exe (node 23); icarus_ui.exe (node 25)
  • icarus.exe (node 20; counter 4)
    Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Started: aswOfferTool.exe (node 27)
  • aswOfferTool.exe (node 27; counter 2)
    Dropped: C:\Users\Public\Documents\aswOfferTool.exe (PE32); C:\Windows\Temp\...\gcapi.dll (PE32)
    Started: aswOfferTool.exe (node 30)
  • aswOfferTool.exe (node 30)
    Dropped: C:\Users\Public\Documents\gcapi.dll (PE32)

Sample:

Source | Detection | Scanner
SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | 3% | ReversingLabs

Dropped files:

Source | Detection | Scanner
C:\Users\Public\Documents\aswOfferTool.exe | 0% | ReversingLabs
C:\Users\Public\Documents\gcapi.dll | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\bug_report.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\dump_process.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus_product.dll | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus_rvrt.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\bug_report.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\dump_process.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\gcapi.dll | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus_product.dll | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus_rvrt.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus_ui.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\bug_report.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\dump_process.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_mod.dll | 0% | ReversingLabs
C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe | 0% | ReversingLabs
No Antivirus matches
Domains and IPs:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
shepherd-gcp.ff.avast.com | 34.160.176.28 | true | false | (none) | unknown
analytics-prod-gcp.ff.avast.com | 34.117.223.223 | true | false | (none) | unknown
shepherd.avcdn.net | unknown | unknown | false | (none) | unknown
analytics.avcdn.net | unknown | unknown | false | (none) | unknown
honzik.avcdn.net | unknown | unknown | false | (none) | unknown
Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
https://analytics.avcdn.net/v4/receive/json/25 | false | Avira URL Cloud: safe | unknown
https://shepherd.avcdn.net/?p_age=0&p_cpua=x64&p_edi=15&p_icar=1&p_lng=en&p_midex=3F5C7CD44D1F6AC769934CADA267B4DF5D947186C770C67293689B94B6A17DFA&p_ost=0&p_osv=10.0&p_pro=111&p_prod=avg-av&p_ram=8191&p_vbd=9311&p_vep=24&p_ves=7&p_vre=1966&repoid=release& | false | Avira URL Cloud: safe | unknown
https://shepherd.avcdn.net/?p_age=0&p_cpua=x64&p_icar=1&p_lng=en&p_midex=3F5C7CD44D1F6AC769934CADA267B4DF5D947186C770C67293689B94B6A17DFA&p_ost=0&p_osv=10.0&p_pro=111&p_prod=avg-av-vps&p_ram=8191&p_vbd=2906&p_vep=24&p_ves=7&p_vre=7018&repoid=release& | false | Avira URL Cloud: safe | unknown
            • Avira URL Cloud: safe
            unknown
            https://stream-production.avcdn.netSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://curl.se/docs/alt-svc.htmlSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000000.1851454101.00007FF78C607000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000002.00000002.2905598553.00007FF78C607000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000007.00000000.1964936878.00007FF6D8187000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000007.00000002.2902875824.00007FF6D8187000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000008.00000002.2908474087.00007FF63D717000.00000002.00000001.01000000.00000011.sdmp, icarus.exe, 00000008.00000000.1965090416.00007FF63D717000.00000002.00000001.01000000.00000011.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1849912349.0000000005CCF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2895814108.0000000003198000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2903456913.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681154281.0000000005CCB000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/setup/avg-av/release/avg_antivirus_free_online_setup.exeicarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://shepherd.avcdn.net/urlicarus.exe, 00000008.00000003.1973817233.000001F6F7B59000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://ipm-provider.ff.avast.com/icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/setup/avg-du/release/avg_driver_updater_online_setup.exeSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://pair.ff.avast.comSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://cnx.conceptsheartranch.comavcfg://settings/Common/InstallTime=Sendingicarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://analytics.avcdn.net/v4/receive/json/25Hicarus.exe, 00000007.00000002.2897158966.000001C8D1535000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/universe/d521/14b0/5750/d52114b057504439df11368add0a66b037622f24e710731b136SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2895814108.0000000003198000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://analytics.avcdn.net/v4/receive/json/25ESecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2903635277.0000000005CFD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.2456769775.0000000005CFD000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://cdn-av-download.avgbrowser.com/avg_secure_browser_setup.exeicarus.exe, 00000002.00000003.1874937842.000002D35EFD0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1874974473.000002D35EF90000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1874904638.000002D35D158000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1885338227.000002D35D159000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2898637326.000002D35D14E000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1874974473.000002D35EFAF000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2899989482.000001F6F7685000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F7EE0000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://submit.sb.avast.com/V1/PD/SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/OSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1849912349.0000000005CCF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2903456913.0000000005CC0000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/setup/avg-atrk/release/avg_antitrack_online_setup.exeSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://viruslab-samples.sb.avast.comSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0zSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://analytics.avcdn.net/v4/receive/json/25ASecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1657943139.00000000031F4000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/universe/5eb0/25c3/7721/5eb025c377218709a8a53743f910e4d2aa86fa28e1cd9e60b5dicarus.exe, 00000002.00000003.1959280513.000002D35F002000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://median-free.iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online.exeicarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853130990.000002D35D127000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853201578.000002D35D131000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/universe/2d97/b73e/44ed/2d97b73e44eddccbea3bc8edd9c1f3d2f2f242b4ee9d4792be5SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.2457555293.000000000320A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://firefoxextension.avast.com/aos/update.json%icarus.exe, 00000008.00000002.2904362656.000001F6F81E0000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/setup/avg-bs/release/avg_battery_saver_online_setup.exeSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/universe/e3ef/98cb/2578/e3ef98cb25785ff1df992b116eb238a80eab17977c72f7dcd8bicarus.exe, 00000002.00000003.1959280513.000002D35F002000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/universe/73ee/5495/78de/73ee549578ded906711189edcef0eedbc9db7ccbd30cf7776bdicarus.exe, 00000002.00000003.1966486857.000002D35F002000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/universe/4c3e/3fd5/b573/4c3e3fd5b5731973696377d11d8b11553b039e1facbe1d65247SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.2457486793.00000000031EF000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://cdn-av-download.avgbrowser.com/avg_secure_browser_setup.exexicarus.exe, 00000002.00000002.2898637326.000002D35D129000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://support.avg.comicarus_ui.exe, 00000003.00000002.2905519878.000001D30CE11000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://ocsp.sectigo.com0SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpfalse
            • URL Reputation: safe
            unknown
            https://identityprotection.avg.comSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853076168.000002D35D10F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/setup/avg-bg/release/avg_breach_guard_online_setup.exeSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/universe/66dc/1ddc/009e/66dc1ddc009eeac0da023172a5410a05d44324907f91fe42584SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2895814108.0000000003198000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://www.avg.com/eula#pcsicarus_ui.exe, 00000003.00000002.2906203699.000001D30F220000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://cnx.conceptsheartranch.com/SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.avast.com0/SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1759524220.0000000007EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1786889966.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1681435543.0000000006759000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896377494.000002D35F085000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1896177660.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000003.1893084120.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1941068444.000002D35FA4F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900359552.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898445461.000002D35F841000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940914321.000002D35F088000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1928743556.000002D35F24F000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892985746.000002D35F8C1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 
00000002.00000003.1916697601.000002D35F0D0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://doubleclick-proxy.ff.avast.com/v1/gclidicarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853481959.000002D35D136000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853130990.000002D35D127000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853201578.000002D35D131000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://support.avg.com/SupportArticleView?urlName=AVG-System-requirements&q=Whaticarus_ui.exe, 00000003.00000002.2905519878.000001D30CE11000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://hns-legacy.sb.avast.comSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://shepherd.avicarus.exe, 00000007.00000002.2898407396.000001C8D30A1000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://ipm.avcdn.net/pQlicarus.exe, 00000008.00000002.2899989482.000001F6F7685000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://pair.ff.avast.comlicarus.exe, 00000002.00000003.1853076168.000002D35D114000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://ipm.avcdn.net/SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1898578349.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1940115639.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892593771.000002D35EFE1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1927350397.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1989208877.000002D35EFED000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892445682.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1966718120.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1893050558.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1980653834.000002D35EFF3000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1914249122.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1900415485.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000002.2901114701.000002D35EF80000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1874937842.000002D35EFD0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892543481.000002D35EFA1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1981021141.000002D35EFF0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1939500757.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1972416154.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1892634196.000002D35EFC1000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 
00000002.00000003.1971955272.000002D35F002000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://wtu.d.avcdn.net/avg/wtu/95b029cd737ea13a32d791d4e211fde568448486e62646a07992c7e57969ecf0/WTUISecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853076168.000002D35D114000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://honzik.avcdn.net/wSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1849912349.0000000005CCF000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://analytics.avcdn.net/v4/receive/json/118icarus.exe, 00000002.00000002.2898637326.000002D35D0C7000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://shepherd.avcdn.net/icarus.exe, 00000007.00000002.2898407396.000001C8D3030000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2897158966.000001C8D1502000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2899989482.000001F6F7685000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2902743184.000001F6F7EE0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.sandoll.co.kricarus_ui.exe, 00000003.00000002.2915633088.000001D3129C7000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://shepherd.avcdn.net//urlicarus.exe, 00000002.00000002.2898637326.000002D35D129000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000007.00000002.2898407396.000001C8D3030000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://submit.sb.avast.comSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1816628736.0000000007EBA000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://analytics.avcdn.net/v4/receive/json/25:falseicarus.exe, 00000002.00000002.2902670989.000002D35F849000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://ipm.avcdn.nicarus.exe, 00000007.00000002.2898407396.000001C8D3051000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://id.avg.comadicarus.exe, 00000002.00000003.1853261533.000002D35D133000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853130990.000002D35D127000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853201578.000002D35D131000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853040333.000002D35D124000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://sectigo.com/CPS0SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000002.2899533306.0000000005150000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000002.00000002.2900459530.000002D35EDF0000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000007.00000002.2899247735.000001C8D3130000.00000002.00000001.00040000.00000003.sdmp, icarus.exe, 00000008.00000002.2901085078.000001F6F7870000.00000002.00000001.00040000.00000003.sdmpfalse
            • URL Reputation: safe
            unknown
            http://gf.tools.avast.com/tools/gf/SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1848417816.0000000007EB4000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1853011823.000002D35D110000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1852973224.000002D35D11A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://curl.se/docs/http-cookies.htmlSecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe, 00000000.00000003.1711395750.0000000007EB5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000003.1959946880.000002D35F171000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000002.00000000.1851454101.00007FF78C607000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000002.00000002.2905598553.00007FF78C607000.00000002.00000001.01000000.00000008.sdmp, icarus.exe, 00000007.00000000.1964936878.00007FF6D8187000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000007.00000002.2902875824.00007FF6D8187000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000008.00000002.2908474087.00007FF63D717000.00000002.00000001.01000000.00000011.sdmp, icarus.exe, 00000008.00000000.1965090416.00007FF63D717000.00000002.00000001.01000000.00000011.sdmpfalse
            • Avira URL Cloud: safe
            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.223.223 | analytics-prod-gcp.ff.avast.com | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
34.160.176.28 | shepherd-gcp.ff.avast.com | United States | 2686 | ATGS-MMD-ASUS | false
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1484418
            Start date and time:2024-07-30 01:41:06 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 10m 11s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:13
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
            Detection:MAL
            Classification:mal45.troj.evad.winEXE@12/54@12/2
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 23.212.89.10
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e9229.dscd.akamaiedge.net, s-honzik.avcdn.net.edgekey.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtDeviceIoControlFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Time | Type | Description
19:41:55 | API Interceptor | 5083x Sleep call for process: SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe modified
19:42:27 | API Interceptor | 4x Sleep call for process: icarus.exe modified
19:42:41 | API Interceptor | 77x Sleep call for process: icarus_ui.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.117.223.223 | Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
34.117.223.223 | Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
34.117.223.223 | SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe | malicious | PrivateLoader | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
34.117.223.223 | Microstub.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
34.117.223.223 | Microstub.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
34.117.223.223 | ccsetup621.zip | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
34.117.223.223 | https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
34.117.223.223 | _.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
34.117.223.223 | _.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
34.117.223.223 | MDE_File_Sample_c7da8e8d530606f98d3014dbf9ce345b0d07dd48.zip | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
34.160.176.28 | Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown |
34.160.176.28 | Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown |
34.160.176.28 | SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe | malicious | PrivateLoader |
34.160.176.28 | SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe | malicious | PrivateLoader |
34.160.176.28 | winrar-64-6.21-installer_AmGAP-1.exe | malicious | PureLog Stealer |
34.160.176.28 | ccsetup624.exe | malicious | Unknown |
34.160.176.28 | 806aab44-6c03-4577-a3c4-83aa13dc7875.tmp | malicious | Unknown |
34.160.176.28 | Microstub.exe | malicious | Unknown |
34.160.176.28 | Microstub.exe | malicious | Unknown |
34.160.176.28 | ccsetup621.zip | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
shepherd-gcp.ff.avast.com | Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown | 34.160.176.28
shepherd-gcp.ff.avast.com | Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown | 34.160.176.28
shepherd-gcp.ff.avast.com | SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe | malicious | PrivateLoader | 34.160.176.28
shepherd-gcp.ff.avast.com | ccsetup624.exe | malicious | Unknown | 34.160.176.28
shepherd-gcp.ff.avast.com | 806aab44-6c03-4577-a3c4-83aa13dc7875.tmp | malicious | Unknown | 34.160.176.28
shepherd-gcp.ff.avast.com | Microstub.exe | malicious | Unknown | 34.160.176.28
shepherd-gcp.ff.avast.com | Microstub.exe | malicious | Unknown | 34.160.176.28
shepherd-gcp.ff.avast.com | ccsetup621.zip | malicious | Unknown | 34.160.176.28
shepherd-gcp.ff.avast.com | https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient | malicious | Unknown | 34.160.176.28
shepherd-gcp.ff.avast.com | http://www.poweriso-mirror.com/PowerISO8.exe | malicious | Unknown | 34.160.176.28
analytics-prod-gcp.ff.avast.com | Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown | 34.117.223.223
analytics-prod-gcp.ff.avast.com | Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown | 34.117.223.223
analytics-prod-gcp.ff.avast.com | SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe | malicious | PrivateLoader | 34.117.223.223
analytics-prod-gcp.ff.avast.com | 94.exe | malicious | Ursnif | 34.117.223.223
analytics-prod-gcp.ff.avast.com | 94411f0873e6410d644c8a630ffbdf387639fab05fbcda468a343ff3b5db246f_dump.bin.exe | malicious | Ursnif | 34.117.223.223
analytics-prod-gcp.ff.avast.com | ccsetup624.exe | malicious | Unknown | 34.117.223.223
analytics-prod-gcp.ff.avast.com | 806aab44-6c03-4577-a3c4-83aa13dc7875.tmp | malicious | Unknown | 34.117.223.223
analytics-prod-gcp.ff.avast.com | Microstub.exe | malicious | Unknown | 34.117.223.223
analytics-prod-gcp.ff.avast.com | Microstub.exe | malicious | Unknown | 34.117.223.223
analytics-prod-gcp.ff.avast.com | ccsetup621.zip | malicious | Unknown | 34.117.223.223
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://us-west-2.protection.sophos.com/?d=hihello.me&u=aHR0cHM6Ly9oaWhlbGxvLm1lL3AvN2I3OWEwYzAtYjI3Yi00MmU0LWE1YWEtODY0OGI1NTNiMGM5P3NoYXJlcl9pZD1Kak1TeUhmSHluVVh5a3MydFpuOG94VUdKbUcz&p=m&i=NjUwYzk1N2ZhMGU5OWEwYjY3ZDIxNzhi&t=WE1FYWNRK3hIVk5PckhQVURzVEhhT3RnY1Y5a2lpTldpOVR1VnRzYnVUcz0=&h=61e7083798104490909ca2b2d8af7b3c&s=AVNPUEhUT0NFTkNSWVBUSVYSSPnns3It4oylcIZtY22hc3gGaB3rJoPU9ItFzJAW9A | malicious | HTMLPhisher | 34.117.163.232
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | setup.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 34.117.35.28
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | myprogram.exe | malicious | Discord Token Stealer | 34.117.59.81
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | myprogram.exe | malicious | Discord Token Stealer | 34.117.59.81
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://orr.swq.mybluehost.me/ch/f6014/ | malicious | Unknown | 34.117.239.71
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://orr.swq.mybluehost.me/ch/ | malicious | Unknown | 34.117.239.71
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | random.exe | malicious | Unknown | 34.117.188.166
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | sand.exe | malicious | Amadey, Stealc | 34.117.188.166
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | random.exe | malicious | Unknown | 34.117.188.166
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | AGREEMENT AND APPROVAL REPORT DIAMOND TRAILER 2024-502244_6.5.248.pdf | malicious | Unknown | 34.117.239.71
ATGS-MMD-ASUS | https://us-west-2.protection.sophos.com/?d=hihello.me&u=aHR0cHM6Ly9oaWhlbGxvLm1lL3AvN2I3OWEwYzAtYjI3Yi00MmU0LWE1YWEtODY0OGI1NTNiMGM5P3NoYXJlcl9pZD1Kak1TeUhmSHluVVh5a3MydFpuOG94VUdKbUcz&p=m&i=NjUwYzk1N2ZhMGU5OWEwYjY3ZDIxNzhi&t=WE1FYWNRK3hIVk5PckhQVURzVEhhT3RnY1Y5a2lpTldpOVR1VnRzYnVUcz0=&h=61e7083798104490909ca2b2d8af7b3c&s=AVNPUEhUT0NFTkNSWVBUSVYSSPnns3It4oylcIZtY22hc3gGaB3rJoPU9ItFzJAW9A | malicious | HTMLPhisher | 34.149.183.253
ATGS-MMD-ASUS | setup.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 34.36.165.17
ATGS-MMD-ASUS | https://att-net-6cf915.webflow.io/ | malicious | Unknown | 34.128.128.0
ATGS-MMD-ASUS | http://stonemanwell147.wixsite.com/myd0cz | malicious | Unknown | 34.144.206.118
ATGS-MMD-ASUS | https://orr.swq.mybluehost.me/ch/f6014/ | malicious | Unknown | 51.21.25.95
ATGS-MMD-ASUS | https://orr.swq.mybluehost.me/ch/ | malicious | Unknown | 34.160.236.64
ATGS-MMD-ASUS | https://ocbc.applerewardsstore.com/ | malicious | Unknown | 34.49.229.81
ATGS-MMD-ASUS | sky_spf.exe | malicious | Unknown | 57.129.0.22
ATGS-MMD-ASUS | https://smallpdf.com/sign-pdf/document#data=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.WZmAFl115dpCCTR_k-cPsHaU9MrqXZMUpmEWrJzglF8&eid=71cd7fcc-4eae-48d8-9379-a0d7981de734&esrt=f73781a8-fd4c-4943-bca5-bfb764c9aaa9 | malicious | HTMLPhisher | 34.149.135.19
ATGS-MMD-ASUS | https://st.novastqall.free.hr/i24/ | malicious | Unknown | 34.147.177.40
Match | Associated Sample Name / URL | Detection | Threat Name | Context
74954a0c86284d0d6e1c4efefe92b521 | Untitled.msg | malicious | Unknown | 34.117.223.223, 34.160.176.28
74954a0c86284d0d6e1c4efefe92b521 | LisectAVT_2403002B_484.exe | malicious | AsyncRAT, DcRat | 34.117.223.223, 34.160.176.28
74954a0c86284d0d6e1c4efefe92b521 | HEU_KMS_Activator.exe | malicious | Unknown | 34.117.223.223, 34.160.176.28
74954a0c86284d0d6e1c4efefe92b521 | SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe | malicious | Unknown | 34.117.223.223, 34.160.176.28
74954a0c86284d0d6e1c4efefe92b521 | SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe | malicious | PrivateLoader | 34.117.223.223, 34.160.176.28
74954a0c86284d0d6e1c4efefe92b521 | SecuriteInfo.com.W32.Kryptik.CI.tr.21358.1519.exe | malicious | Unknown | 34.117.223.223, 34.160.176.28
74954a0c86284d0d6e1c4efefe92b521 | golang-modules.exe | malicious | Unknown | 34.117.223.223, 34.160.176.28
74954a0c86284d0d6e1c4efefe92b521 | SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe | malicious | Unknown | 34.117.223.223, 34.160.176.28
74954a0c86284d0d6e1c4efefe92b521 | Letter-04.doc | malicious | Unknown | 34.117.223.223, 34.160.176.28
74954a0c86284d0d6e1c4efefe92b521 | chromeUpdate.exe | malicious | Unknown | 34.117.223.223, 34.160.176.28
a0e9f5d64349fb13191bc781f81f42e1 | Main.exe | malicious | LummaC | 34.117.223.223
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, DanaBot, Go Injector, LummaC Stealer, SmokeLoader | 34.117.223.223
a0e9f5d64349fb13191bc781f81f42e1 | github_softwares_v1.29.exe | malicious | LummaC, Go Injector, LummaC Stealer, MicroClip | 34.117.223.223
a0e9f5d64349fb13191bc781f81f42e1 | SetUp_File.exe | malicious | LummaC, Go Injector, LummaC Stealer | 34.117.223.223
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC, Go Injector, LummaC Stealer | 34.117.223.223
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | SmokeLoader | 34.117.223.223
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | 34.117.223.223
a0e9f5d64349fb13191bc781f81f42e1 | svchost.exe | malicious | Unknown | 34.117.223.223
a0e9f5d64349fb13191bc781f81f42e1 | svchost.exe | malicious | Unknown | 34.117.223.223
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | Unknown | 34.117.223.223
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\Public\Documents\gcapi.dll | Microstub.exe | malicious | Unknown |
C:\Users\Public\Documents\gcapi.dll | Microstub.exe | malicious | Unknown |
C:\Users\Public\Documents\gcapi.dll | _.exe | malicious | Unknown |
C:\Users\Public\Documents\gcapi.dll | _.exe | malicious | Unknown |
C:\Users\Public\Documents\gcapi.dll | _.exe | malicious | Unknown |
C:\Users\Public\Documents\gcapi.dll | _.exe | malicious | Unknown |
C:\Users\Public\Documents\gcapi.dll | Microstub.exe | malicious | Unknown |
C:\Users\Public\Documents\gcapi.dll | Microstub.exe | malicious | Unknown |
C:\Users\Public\Documents\gcapi.dll | ATT00001.htm | malicious | Unknown |
C:\Users\Public\Documents\aswOfferTool.exe | Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown |
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):142
                                                    Entropy (8bit):4.677559140431414
                                                    Encrypted:false
                                                    SSDEEP:3:nFXIDX4F+Muw/B4kRpSPdBOCvg3IKRHRoWnB6TewtAocv:nt8W/OYpSlDg3IKw6B6Tjy3
                                                    MD5:3FCFE06F3120F9E032DBCED0E1E3404B
                                                    SHA1:58AF96060F2B6132DFBB91699042E00B3F1C2E4F
                                                    SHA-256:97441AEC01815D33D3C823C361DB4E694FFAA159DA70D3FAE472356F8D218EA5
                                                    SHA-512:84A9A0359E550EA9808A98107EA9AC0A88603C1C68D52BF0B99052B0A7E9C67B1300AF123EB141108A019F308FB598C613243F9FF4DD0ECF542873B3B2F279E4
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:.[2024-07-29 23:42:26.510] [info ] [burger ] [ 3140: 4456] [138FA1: 55] Storage path was not set so neither stored events are read...
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (386), with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):551219
                                                    Entropy (8bit):3.0903744017317156
                                                    Encrypted:false
                                                    SSDEEP:3072:mlpG9RDQOCKBphV34tlaAwA5xknd04P/gI1vBAMbsMTULLQ0dUPymetnicL/E3EF:I
                                                    MD5:26DA7622C700B62B116BFDA2988A8922
                                                    SHA1:1E962C46A6E5D61568A752865D7C54E17A6A4D8B
                                                    SHA-256:991F98F7BFA4F64EB5C5F1224946BA36677E2CC3324A741986637BDE051CCB3A
                                                    SHA-512:926DA6772AB0FB0F101306F325FD9F12FF6027CA370FF0137552944BD7F5B1ED2B6D87EB2719E6A6933829B5A18590CEDF287594BE5D7B74F1BB85DF9B4E152F
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:.[2024-07-29 23:42:15.095] [info ] [entry ] [ 7836: 7840] [1A337A: 35] Icarus has been started...[2024-07-29 23:42:15.095] [debug ] [settings_lt] [ 7836: 7840] [228EA8: 190] generic accessor for scheme registry set..[2024-07-29 23:42:15.095] [debug ] [event_rout ] [ 7836: 7840] [95683E: 49] Registering request fallback handler for event_routing.enumerate_handlers. Description: event_routing_enumerate_handlers_handler..[2024-07-29 23:42:15.095] [debug ] [event_rout ] [ 7836: 7840] [95683E: 49] Registering request fallback handler for event_routing.enumerate_handlers2. Description: event_routing_enumerate_handlers_handler..[2024-07-29 23:42:15.095] [debug ] [event_rout ] [ 7836: 7840] [95683E: 49] Registering event handler for app.settings.PropertyChangedValue...[2024-07-29 23:42:15.095] [debug ] [event_rout ] [ 7836: 7840] [95683E: 49] Registering event handler for app.settings.PropertyChanged...[2024-07-29 23:42:15.095] [debug ] [event_rout ] [ 7836: 7840] [95683E:
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1148), with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):12122
                                                    Entropy (8bit):5.4796562647853095
                                                    Encrypted:false
                                                    SSDEEP:192:lCAbnLNHqA+xMsqoTLN35rYPiOruSDdtr/r2rjrx5raZNr8jAGjRMTLNolF:E8LaMsqW5rYPiOrxr/r2rjrx5rGr8XFf
                                                    MD5:869F94B14712F8E3DB8CAB40EA68FB29
                                                    SHA1:F223FF666E35B37CA5CB1E25B19F39CB310DDC37
                                                    SHA-256:D7282FC3FFFAE142FCC11169765F14109A46D3869AD75F5A6FBE73B375502E3C
                                                    SHA-512:E8672F680FF0A801D6D4ADC5832EF267C189E60979C35DD033090C4F0C3794F1312885D346C7F1A80BD590B187D81FE4EFF11EFA277BC42C2C99900DFA1E043A
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:.[2024-07-29 23:41:54.513] [info ] [isfx ] [ 7544: 7548] [7D2020: 180] *** Starting SFX (24.7.7653.0), System(Windows 10 (10.0.19045) x64) ***..[2024-07-29 23:41:54.513] [info ] [isfx ] [ 7544: 7548] [7D2020: 181] launched by:'2580-C:\Windows\explorer.exe'..[2024-07-29 23:41:54.560] [debug ] [device_id ] [ 7544: 7548] [14984E: 70] Storing the new fingerprint..[2024-07-29 23:41:54.622] [debug ] [isfx ] [ 7544: 7560] [240BAF: 62] Sending report data: ({"record":[{"event":{"type":25,"subtype":1,"request_id":"8134ecb5-cae0-4d84-a9c3-ab482e0200f8","time":1722303339959},"setup":{"common":{"operation":"install","session_id":"c16de336-3921-435f-af06-35b55f506ddf","stage":"sfx-start","title":""},"product":{"name":"sfx"},"config":{"main_products":[{"product":"avg-av","channel":""}],"sfx_ver":"24.7.7653.0","trigger":"2580-C:\\Windows\\explorer.exe","cmdline":"\"C:\\Users\\user\\Desktop\\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe\""},"system":{"memory":8
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (364), with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):349204
                                                    Entropy (8bit):2.6196831001587744
                                                    Encrypted:false
                                                    SSDEEP:768:JU084JYANALobF3pZutCKoi0ny3KuhxQjddeGAkysfBh1wRsndP6moyu:JU084JVm
                                                    MD5:35B5E59F93652112CD723FBF37425025
                                                    SHA1:D749F68BFCD1A33838E402C259A176CEA2BCA584
                                                    SHA-256:5A36337AC5F469A8C3F7C3B01FE39869E561E23E25BD2424149D2D203C64B4BC
                                                    SHA-512:76D4A94D9F9586D7F9C521F6DAF68E13AA7F239C014CB90CCAB2BE2D0E4F577ABA5914E66849D5B2628CA5B7EF9DE031A7C042E233AACC399B5CA643BBAB6028
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:.[2024-07-29 23:42:15.522] [info ] [sui ] [ 7884: 7888] [85DFD4: 66] *** Starting Icarus Ui..[2024-07-29 23:42:15.522] [info ] [sui ] [ 7884: 7888] [85DFD4: 67] Running from 'C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe' in version '24.7.7653.0'...[2024-07-29 23:42:15.522] [debug ] [settings_lt] [ 7884: 7888] [228EA8: 190] generic accessor for scheme registry set..[2024-07-29 23:42:15.522] [debug ] [event_rout ] [ 7884: 7888] [95683E: 49] Registering request fallback handler for event_routing.enumerate_handlers. Description: event_routing_enumerate_handlers_handler..[2024-07-29 23:42:15.522] [debug ] [event_rout ] [ 7884: 7888] [95683E: 49] Registering request fallback handler for event_routing.enumerate_handlers2. Description: event_routing_enumerate_handlers_handler..[2024-07-29 23:42:15.522] [debug ] [event_rout ] [ 7884: 7888] [95683E: 49] Registering event handler for app.settings.PropertyChangedValue...[2024-07-29 23:4
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):278
                                                    Entropy (8bit):3.4584396735456933
                                                    Encrypted:false
                                                    SSDEEP:6:Q9oPdKwo/e7nwY0ow+lGUlYlUlulnvm4HflKmaGHfltNv:QCFKwh7CaI/VJNKKHNX
                                                    MD5:B8853A8E6228549B5D3AD97752D173D4
                                                    SHA1:CD471A5D57E0946C19A694A6BE8A3959CEF30341
                                                    SHA-256:8E511706C04E382E58153C274138E99A298E87E29E12548D39B7F3D3442878B9
                                                    SHA-512:CF4EDD9EE238C1E621501F91A4C3338EC0CB07CA2C2DF00AA7C44D3DB7C4F3798BC4137C11C15379D0C71FAB1C5C61F19BE32BA3FC39DC242313D0947461A787
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:......[.P.r.o.x.y.S.e.t.t.i.n.g.s.].....A.u.t.h.o.r.i.z.a.t.i.o.n.=.0.....A.u.t.o.m.a.t.i.c.E.n.a.b.l.e.d.=.0.....C.o.n.f.i.g.U.r.l.=.....F.a.l.l.b.a.c.k.=.1.....P.o.r.t.=.8.0.8.0.....P.r.o.x.y.N.a.m.e.=.....P.r.o.x.y.T.y.p.e.=.0.....U.s.e.r.N.a.m.e.=.....U.s.e.r.P.a.s.s.=.....
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):2455480
                                                    Entropy (8bit):6.785376750874056
                                                    Encrypted:false
                                                    SSDEEP:49152:MYksggggMC96QXryMpqRrAvAfAAEV1rnFTZT0krlGW+:xvLGMpqZAo7ELxTZT0krg
                                                    MD5:540BA85561D8F29851603BE4FAAB266A
                                                    SHA1:88CAF855B9EEF93980277312321951E1675E2035
                                                    SHA-256:4AA31F81F324DF466E31325FFD707DCE1780EBEF732CC8D2CE6CE02D7140173B
                                                    SHA-512:293F33EBE731C3AAC5B1A981A2F92952B28199B968080A0F0822B0F262E215C776BD7C8549284BB17E811BEE89FD6886C8A96E28CC509A0E954AD88BCD76F618
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Joe Sandbox View:
• Filename: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, Detection: malicious
                                                    Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$...........|..|..|.....|....b|...-..|.....|.....|.....|.....|...C..|.....|.f..1|..|..|.6...|.....|..|.l}.....|.....|.../..|..|G..|.....|.Rich.|.........................PE..L...xy.f...............&.\...................p....@...........................%......%...@.................................x........@.............HN%.p)....$.........................................@............p...............................text....Z.......\.................. ..`.rdata...Q...p...R...`..............@..@.data...$m.......H..................@....rsrc.......@......................@..@.reloc........$.......$.............@..B................................................................................................................................................................................................................................
                                                    Process:C:\Users\Public\Documents\aswOfferTool.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):888600
                                                    Entropy (8bit):6.799400661071435
                                                    Encrypted:false
                                                    SSDEEP:24576:rvqA5tAf7fM6xEV1rnF6SZT0kiSJN5H9tmGn7sL0h:eAvAfAAEV1rnFTZT0krlGW+Y
                                                    MD5:3EAD47F44293E18D66FB32259904197A
                                                    SHA1:E61E88BD81C05D4678AEB2D62C75DEE35A25D16B
                                                    SHA-256:E0D08B9DA7E502AD8C75F8BE52E9A08A6BCD0C5F98D360704173BE33777E4905
                                                    SHA-512:927A134BDAEC1C7C13D11E4044B30F7C45BBB23D5CAF1756C2BEADA6507A69DF0A2E6252EC28A913861E4924D1C766704F1036D7FC39C6DDB22E5EB81F3007F0
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Joe Sandbox View:
• Filename: Microstub.exe, Detection: malicious
• Filename: Microstub.exe, Detection: malicious
• Filename: _.exe, Detection: malicious
• Filename: _.exe, Detection: malicious
• Filename: _.exe, Detection: malicious
• Filename: _.exe, Detection: malicious
• Filename: Microstub.exe, Detection: malicious
• Filename: Microstub.exe, Detection: malicious
• Filename: ATT00001.htm, Detection: malicious
                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....]vc.........."!....."...<......................................................X.....@A.........................x.......y.......P..@............f...)...`..ht..|g.......................f......8A..............d}...............................text....!.......".................. ..`.rdata...}...@...~...&..............@..@.data....O.......>..................@....00cfg..............................@..@.tls......... ......................@....voltbl......0..........................malloc_h.....@...................... ..`.rsrc...@....P......................@..@.reloc..ht...`...v..................@..B................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:data
                                                    Category:dropped
Size (bytes):1128
Entropy (8bit):3.8756936164868914
Encrypted:false
SSDEEP:24:V98uCNrzJaOPl3+ysOayOglH5OdFytQWlwweVw2DpmgyGm6FiZS20a:V98ukzQ83lcl65OnytQWl/expmgdmocB
MD5:22B10239D326D2660373AD7B18D527B3
SHA1:3752419CC24B4B1067F3C932F0E36B233981294E
SHA-256:76C385733B75C9EB9A4E39D896D388AD7A3C180BDE372C77034BB8BF94D2FE7F
SHA-512:EB6C0DCB7D5D21A68C14A8003AD4B13699DCB3471FF7F765630496A5E087852B1FCC605100C7071FDB9561A0E5E75C6C5924B57D5C4B4444AB996D1A703A964A
Malicious:false
Preview:A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.c.C.A.5.H.U.J.7.k.U.q.c.Y.Q.u.P.s.z.o.O.V.g.Q.A.A.A.A.C.A.A.A.A.A.A.A.Q.Z.g.A.A.A.A.E.A.A.C.A.A.A.A.C.N.W.p.c.J.m.n.+.t.H.P.T.H.r.9.k.i.3.a.F.a.M.2.s.b.q.2.d.V.+.M.+.l.z.H.8.g.J.o.2.R.v.g.A.A.A.A.A.O.g.A.A.A.A.A.I.A.A.C.A.A.A.A.B.a.a.X.U.H.W.T.G.Q.B.k.f.b.D.D.w.X.j.1.Y.x.q.C.c.d.n.G.J.F.X.Y.v.t.d.p.f.2.T.C.U.j.1.d.A.A.A.A.C.q.H.S.z.v.h.r.p.z.F.k.8.l.R.u.8.Z.h.e.E.A.m.4.u.V.S.c.u.9.K.l.X.r.Y.Z.E.b./.I.u.+.5.Q.f.I.Y.M.P.S.M.+.Y.L.p.D./.j.j.I.X.V.0.u.T.h.o.O.v.L.7.F.q.h.y.d.1.+.b.z.H.a.B.3.6.X.p.b.x.J.4.B.i.t.y.8.X.+.W.F.I.q.O.8.U.m.+.A.b.a.g.p.P.v.C.O.+.T.K.f.c.D.M.D.N.Y.G.3.2.V.a.o.H.G.p.7.h.P.v.S.b.K.H.+.s.g.j.W.+.z.S.t.u.Z.U.c.p.8.q.T.4.Y.m.n.A.+.e.7.l.u.w.g.+.+.N.f.r.B.c.V.q.w.n.J.G.4.v.8.J.e.g.9.Z.8.m.J.9.E.n.7.c.2.P.3.Z.U.E.b.z.v.Q.x.s.c.s.p.W.K.c.B.P.Q.y.F.q.C.n.H.Q.8.R.8.o.d.G.U.f.G.J.P.f.v.Y.R.9.s.m.u.S.K.2.x.n.q.g.W.B.k.8.t.f.Q.6.4.6.T.g.0.E.V.6.s.F.p.2.b.s.5.Q.A.A.A.A.P.F.+.K.1.R.T.q.R.W.L.h.k.4.f.V.m.4.9.l.N.5.7.

Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):2.738204882778696
Encrypted:false
SSDEEP:3:aljlIM6RgiR6KliRVUlRE:alZIMagHKkIlRE
MD5:EC469D19988F8D4D84A2BC04E198A4A1
SHA1:91CFAFA45C0A82EF414A4159FB8F77957558EADD
SHA-256:F880495C55153AF10A79E1C127996C52D1ECD7FB8264E71CB94CF815DAF4D045
SHA-512:EA40A7D0A68DC06478BD4125C23B39AF24C0B07D4EBA1B7DC118A3F894C429FE44D600F6FDB1B1A3FB582842BE0DA7B81C5677F97D1CE2112AFB41EA0B35D11B
Malicious:false
Preview:0.8.7.F.0.E.3.1.C.5.E.E.8.4.E.3.4.E.5.3.4.2.7.E.1.B.4.D.E.E.9.D.

Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
File Type:data
Category:dropped
Size (bytes):72
Entropy (8bit):2.8435169731481813
Encrypted:false
SSDEEP:3:OKFZl6IlRlPBAlpdPlf98EElVl8:fZsIlDKpnCE88
MD5:B355491FDE06D04701B1566F068671E7
SHA1:8CCE1583255356E465E2E35998C6D5355D46B3DA
SHA-256:E8C7144CC1AA63618DC023B80B0A5E88539A762265DEDD905A450E9719218879
SHA-512:220DF63A0764E81047909262F2B47F6E28029F11A3832DF1DBF2BECACBE20807AF81B225245927B83AFBC8C3A73F041ABB72FE9BE18714D68ADDCA7F236E75CC
Malicious:false
Preview:f.f.9.2.1.b.c.b.-.6.c.2.4.-.4.c.c.d.-.b.6.8.0.-.6.2.9.f.e.a.1.a.c.8.0.1.

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):4961208
Entropy (8bit):6.519714047453427
Encrypted:false
SSDEEP:49152:kMLnHQldkoh7BxR44RNA5ud8RG4I80/m6ck5eGSljF/D1wxQ55fxGLnm7MM+MxkE:uR4f5udV/m6ckLS1Z7zxkOjT0JbnG
MD5:31E948AD14E9E68685C69B3D46D71B38
SHA1:9136C6B0E0F266132E9E802D3E5E9F510EA608FF
SHA-256:5445A6AF3BF675FB142D6DD3365C3D1F65967338BFDCE8596543C1BCC1A88A46
SHA-512:B20FAE2A75B757A502C7F261571A6AE1FF1BF98FB0719ABBA8A3DE27685DFFD4E7564C06624FBE2B51D2EB7C39BE6DE76F88026276128710D7E26BE7C2D12043
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$...................Y......Y...T....?........................Q...........@.......H...................@......Y......Y............................=.....U...........Rich............PE..d...iy.f.........."....&..2....................@..............................L.......K...`.........................................@.A.....(.A.,.....L.......I..a..H.K.p)....L.(g....:.......................:.(...@.:.@.............2..............................text...<.2.......2................. ..`.rdata...G....2..H....2.............@..@.data.........A.......A.............@....pdata...a....I..b....H.............@..@_RDATA........K.......K.............@..@.rsrc.........L.......K.............@..@.reloc..(g....L..h..."K.............@..B................................................................................................................................

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):583
Entropy (8bit):5.420768601460394
Encrypted:false
SSDEEP:12:2AcW1OPqygANI+xzYN/qb0a3Uk7oMQuROfzUoygMaSailnk44Sk:rVAJI+dsqNUk8MQuAL6zaiO44Sk
MD5:9500A348FDF770035BFFC688F02560E9
SHA1:C22BB1FCF44F699EA1F120CCBEEFA09743DD5E11
SHA-256:C9B86EB997D856FCD3004663BAB5AD582591A52FD254368A385FE1BFE14FE97E
SHA-512:D69501B3717D99276DDB82182C0F9A79D87F814CAD4505AE48089E0C9B55757C99BA604249B16899D70614E96A474657C2B0722B4F87E1BC329F2B7E53CBD33C
Malicious:false
Preview:[ui.offer.actions]..url=https://ipm.avcdn.net/..[ui.offer.welcome]..loadtimer=10000..url=https://ipm.avcdn.net/..[reporting]..disable_checkforupdates=1..report_action_ids=RID_001,RID_002..[common]..config-def-url=https://shepherd.avcdn.net/..report-url=https://analytics.avcdn.net/v4/receive/json/25..[ui]..enable_survey=1..[updating]..conceal_hours=1..fraction=100.0..updatable=1..[CrashGuard]..FullDumpFraction=0..[Signature]..Signature=ASWSig2A5D9021F918012489D99575F1C3B36D0B3329558BD896120BDCEFB905A42B4C2051FB13DB532924923D89C521C99F120847664434E723C31CDD03D5D2FF0B57A7ASWSig2A

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):3497912
Entropy (8bit):6.525245802927742
Encrypted:false
SSDEEP:49152:LJFbzxEFOMW6HEjWovQYPIW2KkZnWn/+/vgrsN5hddlArtYtPt+aJM1cTyynJBqW:LDbq5iQZGHrgGJb0dxzo
MD5:B31E22903A16D20D86A80FEBF8007AAE
SHA1:110207BBA3F797E6DB6256AB9146475BA95C57EF
SHA-256:BA2F161B7F85A9D2DB0A6D624B45543FE2D25F58419B588D2AF767A571FEA7BD
SHA-512:28040932CD268FD064626B9C078F33E28D5F63806066AF342F6752A86DBC4D6A3DF26A0C4D4BE63626E9BDE5DDF9138248F5E4DCC0C588141369049C485AE39D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$...........Il..Il..Il.....Bl......l.....Ul..O.s.Jl..O..[l..O..]l..O..=l..@...Kl.....Hl..Il..Nl......Jl.....Pl.....@l..Il..m..#..l..#..Hl..#.q.Hl..Il..Kl..#..Hl..RichIl..........PE..d...Cy.f.........."....&.. ....................@..............................6.....FA6...`...........................................+.......+......@4..Y....2.t...H65.p)....5..U....&.......................&.(...0v".@............0 .@...0.+.@....................text...\. ....... ................. ..`.rdata.......0 ...... .............@..@.data.........+..4....+.............@....pdata..t.....2.......1.............@..@.didat..P.... 4.......3.............@..._RDATA.......04.......3.............@..@.rsrc....Y...@4..Z....3.............@..@.reloc...U....5..V....4.............@..B........................................................................................................

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):8064960
Entropy (8bit):6.450676060748482
Encrypted:false
SSDEEP:196608:6ot4R9uUCqHwCthYiX5+RNpqqVTrUGG17gL3zK:vc9uUCqHwCnYiX5+RNpqqVTrUGG5
MD5:0CD5718F7F5F8529FE4FF773DEF52DAC
SHA1:9BA08A6246011359F5493856AD5FC0355E0DE4F5
SHA-256:D52114B057504439DF11368ADD0A66B037622F24E710731B1366EFE271C9DF78
SHA-512:A2218DCD6F0A0E676C23106BD717B5EB22614B3900BEE5D47EA80E1ACC4B87859E6F6DFB63C0D3CDF3EC4F37C12407EF56C2C7964AE141B393C7E94368CA820A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$.......4z/.p.A.p.A.p.A.iD..A.v...|.A.v.E.c.A.v.B.b.A.v.D...A.iB.`.A.iE.V.A..uB.r.A..uE.x.A.yc..r.A.&nE.j.A.nE...A.nE.s.A.p.A.}.A.&nD.t.A.iG.q.A.i@.U.A.p.@...A...H.v.A...A.q.A.....q.A.p...r.A...C.q.A.Richp.A.................PE..d....y.f.........."....&.^U...%......./........@..............................|.....r.{...`...........................................l.......l......`z.......v..W..H.z.x)...p{......:b......................=b.(.....Y.@............pU.....`.l......................text....\U......^U................. ..`.rdata..b....pU......bU.............@..@.data...@.... m.......m.............@....pdata...W....v..X....u.............@..@.didat..p....@z......Vy.............@..._RDATA.......Pz......Xy.............@..@.rsrc........`z......Zy.............@..@.reloc.......p{......\z.............@..B................................................................

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):876992
Entropy (8bit):6.587617267914047
Encrypted:false
SSDEEP:12288:ctXh3vViH1d7+KMBSzCJ0/yBsrTLd+NNO5B1ph0lhSMXliqUot67:ctiHpMBOqAxh0lhSMXlm48
MD5:D428D101CEB8F6920115C6303577D3CD
SHA1:9F5CE80423540F1EAB82E7AF5C51F5A64CFDAE1C
SHA-256:5EB025C377218709A8A53743F910E4D2AA86FA28E1CD9E60B5DB6270D5AF3FAF
SHA-512:9B0CCEEA15AD2AEFAD7439DE00B3F4CD5A822B060C0C45A47FDA56764084E4BFC7954B1DC88B80BBA04828DDA09066EDB4F888480D8CFFA9D78408D8AA0E0503
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$.........q@.}...}...}..k....}..k...o}.......}.......}.......}.......}..k....}.."....}.."....}.......}.......}..r...#}..z....}...}...}.......}..k....}..k....}...}...........|.......}.......}...}...}.......}..Rich.}..................PE..d....y.f.........." ...&............................................................?9....`A........................................pq.......q............... ..tj..H8..x).......... ...........................(....~..@............................................text............................... ..`.rdata..............................@..@.data............H...l..............@....pdata..tj... ...l..................@..@_RDATA............... ..............@..@.rsrc................"..............@..@.reloc...............(..............@..B........................................................................................................

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:LZMA compressed data, non-streamed, size 876992
Category:dropped
Size (bytes):325318
Entropy (8bit):7.999427709426562
Encrypted:true
SSDEEP:6144:XIrS5StcyaldS2POEMTb9m0qr+9VJEhpiy4JiD8mFOgTHIrxujo:XzStIlFPIjhad4JiYUon
MD5:F0F889962150B51DF8E82B702C6BAC29
SHA1:C3A2FA34D671F1A6E694AE24D6B0311BAB18F2EB
SHA-256:18BCB60EF9D98633969342D4429A2AB69409D720CC2D8834B10E0004E71B4491
SHA-512:58019869F2273F2C34F0E144896C9A7F403753937F04FCF08BB15E87A57989DE128F5828D2534E9B6DF71279009C63B9ABF7E26806DF42E5B516745386780445
Malicious:false
Preview:]..@..a.......&..p.........../D.|......I0..y.]n.u......i...7.....B]......F2$1..../e.Y.....f.G!...!.n../....T.J..e...2'<.NU.....T.X0[.w.e[.K.x65...\....v.2'...]9...~.g.q....b....BX.........4hY..X.'.Nq&S...:\....Q5.'..o..4D.iRX.qZ......U...D.J Pq..C.....>I...@..v..E...9e../.?,^.f.,.mR..'h#.(..._C)t.....1v...*i.S&N./;k.JK..q....|..72.SH]....+.X.(....-.!...;4.Nz.Q,..o...^j..U...P....D.^.....B..Y..s..u...{..Q..m.3..? .(c...X.8I.....2w ............!....n..t......*.Q..T..W.e.......VG..........$..$....B....ZL.^Q$f*.7...#32.....ev}.]E...0k....fC..3.{X...w.....E~.....$.#....w.U..Oz....N<.....^.>`|o.-..e.....)X.N*@.Y.4.M......gz@...J......g...m...aD:.....aW....9.....'...!...U..KD...x..5..l.wx..3vWk......ty....'!...Pq......_=...M..........W.2~?N...@*.|..Q..+....../K.E.^....1._..b...9.x..2c.K.mq.....j.F.p........u._.........Qz.C.z..ks..1..%.. ..d.%6......_.....hgG.....I.,..,..d.-. U...n.D...{..|AM./._...c.lT.B."o./.. #..,.."."...&...Y.Z.<...3.... ..

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):50976
Entropy (8bit):6.695978421209108
Encrypted:false
SSDEEP:1536:6fMVFuX7Y1C7X+oAiZ8uMX07F9Kx24Zza:WMVFsSC7+K8ua0qm
MD5:97F5D0CAAA1988C95BF38385D2CF260E
SHA1:255099F6E976837A0C3EB43A57599789A6330E85
SHA-256:73EE549578DED906711189EDCEF0EEDBC9DB7CCBD30CF7776BD1F7DD9E034339
SHA-512:AD099C25868C12246ED3D4EE54CEF4DF49D5276A5696CA72EFA64869367E262A57C8FF1FB947AD2F70CAEF1D618849DBAB2EC6161C25758D9F96733A7534B18F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................r.............../......./b............../......Rich............................PE..d....>_e.........."....%.N...(...... ..........@..........................................`.................................................\u..(.......8.......P....x.. O...........l...............................................`.. ............................text...)L.......N.................. ..`.rdata.......`.......R..............@..@.data...............................@....pdata..P............l..............@..@.rsrc...8............r..............@..B........................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:LZMA compressed data, non-streamed, size 50976
Category:dropped
Size (bytes):26032
Entropy (8bit):7.992977293575329
Encrypted:true
SSDEEP:768:dXkqelTjZK0JgHW7tbzdiH2P6AdRo7+lmAg:dEfJJZtwH2PJbuUg
MD5:F13E71BDBBA9A80351A786C44272F737
SHA1:DC8F9B86B56684F3A7BD7DBB16DC27B436735E97
SHA-256:7E7DF8B8EF9226E9E916199D8721E52D8737654D6EC5A8A3B11B49CFA6633D34
SHA-512:2D8BF0BABE54618CD81212990BA9975CEA64C5E51172DAB95004364229B0A35190F94DF2E37FC70E93DF2A24EBC2339BD0A8801411ABE1F98915E6873562E7FC
Malicious:false
Preview:]..@. ........&..p.........../D.|...G'_..z.-~A..\..*~kHy54......<.....=......6......! o..- 6Y../.e+.Y.1~...~y. .....}..N..H.)G'P0..K..*..?.."...c.|..p.z.m!*..D...P.X..@~..E.B.T....5.7o..Y[C.......1.f..]?.........*......W....z.V.b}.H....h0......>./...w.K..}.o..Tm....V|.2.,f.U.......C@.]..e_.&....3....5NC.:.Tm..A3...:.q'Pj2}.m...1k.s.T....O. .....sq.&PaB...=.F.f.F]..;..'...W....{i8......Ki.u.i..2#..*....L.........F......~..x.W..@.J..X..*.'....0t.g.B....b....Z...@~<...8QZLR..2>_.X....=q...%..r*....oP......B.*&..wjV.........`..-..K.=.&r....*....Mi...q..{!..P.aF........-)D.9...r.iE..3..Q.....}.'....o.VL.3.].fW...,......R....<.P.l./.>.%3...{K>...=0..m.B.....f.=...E.^3...."n{.kw..-./-.,..D.d0..$*...rq$...=...g...._n~...H.....p.I..e..U..(._.5.W..y.7.r.^......?|h..\;$.IW....E..N..$.....>..:..."....v.`Jya.MF.\.>.N...\.....I.m.*e.+.Ut....._...xo.[$.M.Q..V_..X.~.XO..'M;.*.(.@....X.d.{..g...0Lx.C....*......`w.o].....O5.'..Y..........y:}..w.....$.b.{....b..IJ..

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:XML 1.0 document, ASCII text
Category:dropped
Size (bytes):59458
Entropy (8bit):5.135716781444715
Encrypted:false
SSDEEP:1536:vOt4htHPgPSOKOYIZckySPpy1qvd3vN7B4Z0s9Y2fNyPAyBL0Ku/Uw+qU4WbXJG1:v5pTmbk
MD5:B1FE2A8CBEFDBCA027B3A0DF9A6C253F
SHA1:8DD13694434546716D8C42A9F6DFBF7D074D61AF
SHA-256:7B99F3A10EDD78F195AC9F440711AE605356AD6D072EDC4A41EA8FD666238B23
SHA-512:B1390BBDBC1CA32886E100B27932996D0D5F4F70D648C71341264B12058164E15CC53FCC0B425E5D16F4403083D6A76F6C1CE93CDEC1E60B3F0C39E3ED6C2D6F
Malicious:false
Preview:<?xml version="1.0" ?>.<product name="avg-av-vps">..<product-defs>...<config>....<install-folder name="AvVps"/>....<full-name name="AVG Antivirus Vps"/>...</config>..</product-defs>..<group-defs>...<group name="base" mandatory-selected="true">....<action-list op="install">.....<delete-pending-files/>.....<commit-extracted-files>......<important>true</important>.....</commit-extracted-files>.....<expand-vps-version order-base="commit-extracted-files" order="+1">......<important>true</important>.....</expand-vps-version>.....<copy-path order-base="set-property" order="-2">......<post-condition>.......<directory path="%PRODUCT_INST[avg-av]%" exists="true"/>......</post-condition>......<src>%PRODUCT_INST%\*</src>......<dest>%PRODUCT_INST[avg-av]%\defs\%VPS_VERSION%</dest>......<ignore-same-files>true</ignore-same-files>......<move-type>Immediately</move-type>.....</copy-path>.....<copy-path order-base="set-property" order="-2">......<post-condition>.......<directory path="%PRODUCT_INST[avg

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:LZMA compressed data, non-streamed, size 59458
Category:dropped
Size (bytes):13315
Entropy (8bit):7.985240962080042
Encrypted:false
SSDEEP:384:7CMZiwYePHNWUkC3oIFBQvOeB3Ea6Wc/y8KpTlgdB7MJyL:7CMZLYePtWdCYIFKxB3Ea6JolohMk
MD5:950089BB576784963DF75889B986F302
SHA1:8F69C3A4C20A12F1F31B6F48632913F20E6D49CF
SHA-256:4EF803108A118D1D0FFF37D8D658CD436DE1F4B2FBD18146477142AA96A7BCE6
SHA-512:9868FB84F7915E1D267799D37309C7E9DDD3B48083C99ECA4CCCFA800A059BC9BCA0B84C111E18613377B19FFA93DB3497D83DE0C670FC4E8263CCD9E4B12A79
Malicious:false
Preview:]..@.B..............f......{3....&.7d..>$....`K...H......8..:_..~...\......>./........%..H.......o...Y....9-.f.P!....p...tC.k.....[...j...7^..1......N8...2....`..D.X.....h.TXhJk]......k...*3...J_..@[...URa.nK'.9W.a..Z.3k/.1e..gF6?.t...~.3e.=........BD....v...G7=..C.zM[B9d^..A...!....3BN3.(`..5T.....ZY&#AM.JA.......lnm.L.`x.......b@.`!...:...ZV.M~.P.%,.p.....Y..X2.oa.\.....}^....>.....7.{R=...3m>......I40Bua......[.q..Fn3j1....V6Wr..i9=P.'..a.y...|...\i&..EP..x.[y....Y5z<...dI..e..D..6.G..5*..%i^y\...O..:.....{...]/..%.[.......I+R...<\So...tPXA......?.T.+H.I.u.....~.cU.yTUq..pO....&=9.....X........RG...?b,....JY....8q.n.f/.<.@.... i;.@D.r/..-.r?.b-...]..g..e...wj.o...Ux"........6.o4...w.b......u.!j&<..`.M..?......._D}.~...@...eM...VJ..6>.....c.........%.q..6N0......!C..A..,o7..;.r.kE..>...aX.w..;p.!*{.6P.H........`o......-.n.|.O.\.=]g^b.'.rU..........2.......6.r&.%......O.U.s.X....vyP.E......F.l.e>J..z.0$...O...R..........r.r.S32..1.."...~.@.

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:XML 1.0 document, ASCII text
Category:dropped
Size (bytes):5930
Entropy (8bit):5.099742097995836
Encrypted:false
SSDEEP:96:aVzg4WzZcltFFiLTUzioVNPVmP9TB7Cn5bRezByVILZe+LM:a+4WzZcn3iLTUzioHPVmP9l7k5bRezBY
MD5:835EF1D6539657E9D42011928AB9023A
SHA1:81906C50D1A3857CADB3486919DD9390AA1A2688
SHA-256:370554C18FF8A387FB44BF9308F668F996C702748121097E6278D93EC0E7219C
SHA-512:52145E87DB4707702FFE86B6432197933BDD9A3AA5674354B93FD70708B0CBDE5E17D67B9DFF663BBF2409663C6976BB2989483A0923C5FDAB2E7DD6F19F10FE
Malicious:false
Preview:<?xml version="1.0" ?>.<product-info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="product-info.xsd">..<name>avg-av-vps</name>..<version>24.7.2906.7018</version>..<build-time>1722264162</build-time>..<inner-version>24072906</inner-version>..<setup-files>...<file>....<conditions>.....<os platform="x86"/>....</conditions>....<name>icarus.exe</name>....<src-id>69c9de9f0cc9cc846d44e8b9a42de17d93f4cde9ffcf7a10d1dff69c4cef0c1f</src-id>....<sha-256>1a74ec107a0724fa270c9517727e69456e337659e5bd5bf1b143dca3aef69a09</sha-256>....<timestamp>1722264108</timestamp>....<size>7167424</size>...</file>...<file>....<conditions>.....<os platform="x64"/>....</conditions>....<name>icarus.exe</name>....<src-id>cfab5808bd7503ee1aff23b54d5a98a557524fa453762afa10b90e4b7ca6af95</src-id>....<sha-256>d52114b057504439df11368add0a66b037622f24e710731b1366efe271c9df78</sha-256>....<timestamp>1722264107</timestamp>....<size>8064960</size>...</file>...<file>....<conditions>.....<os

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2455480
Entropy (8bit):6.785376750874056
Encrypted:false
SSDEEP:49152:MYksggggMC96QXryMpqRrAvAfAAEV1rnFTZT0krlGW+:xvLGMpqZAo7ELxTZT0krg
MD5:540BA85561D8F29851603BE4FAAB266A
SHA1:88CAF855B9EEF93980277312321951E1675E2035
SHA-256:4AA31F81F324DF466E31325FFD707DCE1780EBEF732CC8D2CE6CE02D7140173B
SHA-512:293F33EBE731C3AAC5B1A981A2F92952B28199B968080A0F0822B0F262E215C776BD7C8549284BB17E811BEE89FD6886C8A96E28CC509A0E954AD88BCD76F618
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$...........|..|..|.....|....b|...-..|.....|.....|.....|.....|...C..|.....|.f..1|..|..|.6...|.....|..|.l}.....|.....|.../..|..|G..|.....|.Rich.|.........................PE..L...xy.f...............&.\...................p....@...........................%......%...@.................................x........@.............HN%.p)....$.........................................@............p...............................text....Z.......\.................. ..`.rdata...Q...p...R...`..............@..@.data...$m.......H..................@....rsrc.......@......................@..@.reloc........$.......$.............@..B................................................................................................................................................................................................................................

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:LZMA compressed data, non-streamed, size 2455480
Category:dropped
Size (bytes):925362
Entropy (8bit):7.999795655674359
Encrypted:true
SSDEEP:12288:wLUUwJ812o1J9qtRJbZgTHmoI9Kzh1kSlck3YyWdXI6LY:wLUUwJ2JU/hZgTHm79KzX9YyWIiY
MD5:A382B5B73BF6DFF0E31644CF24AE3FE4
SHA1:8B8A8165B3313857312A040392345504820AE6C1
SHA-256:21B6EC59DE3955094CB1E7F6A87A552C998252D87B318C1A9AE88950457249C2
SHA-512:9D02DEC862D84AEE274F79FDA4F7B907E7B31AE965400DAD13DE5C004AECC6C58C37BDFA2FCD924DA6D04DD17BB68AB95E7B85556C7A4C7B7396C1F96982CE23
Malicious:false
Preview:]..@..w%......&..p.........../D.|..y..:.}.._..G...5mA..aQ..c5t ..+........w.uRl.,E.u9....r....dV...?].T ......-....3.f.....D..../.-.6*.:....-.n.#3.w5...F7M......!N.[H..4,/..j..q.5?.`s.BXj.b'U;.W2zUY....*.n.Y..Ie...S....j5<............$.^{...)..Q..|..,r.-...s%..V..N..*.7,.d.p.,...A.....Zhh.i]..!2.>UH.>$h....T&Ad...Nddu........V.....=.swU..]DWv..x..).-.[...+..0.{q..&"8........-{..........e6:l[......B..].....LYI..........GR....*4$....W.V...m.I/X..v.-..g.Q.G......W/..p.\X^....GG.....{........r.|yi.2#...>..z.Y...xQ.......(Bz*#.XV.j.X.e.....>.!..?s..u..ck.O.Iv.9......Nt+.S6.x.5...nl.E......y.~b.....K...5..XO#...V.-...CN<Q...o.'....2..58.....0.l)..h,../...>^...l.!.b.....[..c,..1`....zG ....X.;...[.U....M.[]a...L..{.......d,../.O....._b.;.VV.....R6..zu..*.\.."....(i).....o....$.l].:n...,$!'.@.(.;.".I._.F....;.]...L_.~.;..dcL.o..<..x5...J.....D.kq..D.b.o.....d..1t.N]j.....D.*..`a..iw.vN.......`i!..k..{A..yPWPg.0.s......w7*S.X...+<.(.,~.[... 2..f7i............

Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):4961208
Entropy (8bit):6.519714047453427
Encrypted:false
SSDEEP:49152:kMLnHQldkoh7BxR44RNA5ud8RG4I80/m6ck5eGSljF/D1wxQ55fxGLnm7MM+MxkE:uR4f5udV/m6ckLS1Z7zxkOjT0JbnG
MD5:31E948AD14E9E68685C69B3D46D71B38
SHA1:9136C6B0E0F266132E9E802D3E5E9F510EA608FF
SHA-256:5445A6AF3BF675FB142D6DD3365C3D1F65967338BFDCE8596543C1BCC1A88A46
SHA-512:B20FAE2A75B757A502C7F261571A6AE1FF1BF98FB0719ABBA8A3DE27685DFFD4E7564C06624FBE2B51D2EB7C39BE6DE76F88026276128710D7E26BE7C2D12043
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$...................Y......Y...T....?........................Q...........@.......H...................@......Y......Y............................=.....U...........Rich............PE..d...iy.f.........."....&..2....................@..............................L.......K...`.........................................@.A.....(.A.,.....L.......I..a..H.K.p)....L.(g....:.......................:.(...@.:.@.............2..............................text...<.2.......2................. ..`.rdata...G....2..H....2.............@..@.data.........A.......A.............@....pdata...a....I..b....H.............@..@_RDATA........K.......K.............@..@.rsrc.........L.......K.............@..@.reloc..(g....L..h..."K.............@..B................................................................................................................................
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):757
                                                    Entropy (8bit):5.407720307097613
                                                    Encrypted:false
                                                    SSDEEP:12:2AcW1OPqygAieSOZI+xzYN/qb0a3Uk7oMQuROfzXy9FQV6UaAAOheM6/QtTWJtzX:rVASOZI+dsqNUk8MQuALC9m36/xJpPqk
                                                    MD5:26C276EA2D6B073451E08576A159A2F5
                                                    SHA1:040BAD1070B1742469D5A6244CD2699E8E0D7D31
                                                    SHA-256:BB8244553B8135846A2F3DE384995378D6E3CB52BA6DF2078DC09A9152896D90
                                                    SHA-512:A14FAD99C0A5D6F67439CDEE877DBE264288D2E984D063C76B7C5A7C443B3847CF8152CBEEC49F595A61E3DD9FBBC13601A7E6FADD8E859B82908DB16C23F515
                                                    Malicious:false
                                                    Preview:[ui.offer.actions]..url=https://ipm.avcdn.net/..[ui.offer.welcome]..loadtimer=10000..url=https://ipm.avcdn.net/..[bugreport]..product_finished_errors=258,45021..[reporting]..disable_checkforupdates=1..report_action_ids=RID_001,RID_002..[common]..config-def-url=https://shepherd.avcdn.net/..report-url=https://analytics.avcdn.net/v4/receive/json/25..[ui]..enable_survey=1..[updating]..conceal_hours=1..fraction=100.0..updatable=1..[offer.browser.asb]..decision_type=2..download_url=https://cdn-av-download.avgbrowser.com/avg_secure_browser_setup.exe..enable=1..priority=1..ui.offer=welcome..[Signature]..Signature=ASWSig2A03526D6B218414BD4C43CB46ADC95F95E0328DEB97C93637625B8BFD3B08BB7D67E4E9B4B90EEEE305B8A2CD2F1B51C6BA4668C4A03A06CD199027D053AAD56EASWSig2A
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:ASCII text, with very long lines (2186), with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):21189
                                                    Entropy (8bit):5.68730380776495
                                                    Encrypted:false
                                                    SSDEEP:384:DMJ7eXHtHcV2g2Ji0YblA3V4H3p+aTKBG1srr7dl9D3eJc8oaKAg:M7e9HrJiMF4H2BWw/D3em8orAg
                                                    MD5:8B374B550ADBF0E900F081394490E8A6
                                                    SHA1:C99DDD3CD3C107624D891901704DA201B6C34975
                                                    SHA-256:F3B71692FDBBCD129B14C8CEEDDE570D7F15154DE92BAFD0FBFC5914C7AA3B3D
                                                    SHA-512:8357BFDEB55C29292CDABE56B1AFB6AA0A5C0E8F8E60C0BD6F0A2A5E95AB24142745A9B595DD557372AF52945F5A567A8741224C10B2329E2ABE2F2D2BEA4AB4
                                                    Malicious:false
                                                    Preview:[RemoteAccessShield.Setting]..BruteForceMaxAttemptsPerDay=60..BruteForceMaxAttemptsPerHour=40..BruteForceMaxAttemptsPerMinute=30..BruteForceMaxAttemptsPerTenSeconds=12..[Settings.UserInterface]..ShellExtensionFileName=0..streaming=0..[WebmailSignature]..GmailEnabled=1..MaxRequestSize=16384..OutlookEnabled=1..YahooEnabled=1..[WebShield.NXRedirect]..Redirect=0..[WebShield.WebScanner]..VpsFileRep=1..[Offers.GoogleChrome]..DefaultState=0..ShowInComplete=0..ShowInIntro=0..ShowInPaidBusiness=0..ShowInPaidConsumer=0..ShowInPost=1..UseTryOffer=1..[Offers.SecureBrowser]..ShowInIntro=1..[Settings.{D93EF81A-B92F-27FE-AF54-9278EA8BF910}.const]..ScanAreas=*RTK-SUPERQUICK;QuickStartup;QuickMemory..[AntiTrack]..Enabled=0..[FileSystemShield.FileSystem]..EngineLdrModuleFlags=24..[Fmwlite]..License_check_interval=16..[PerfReporting]..AvastProcessesWprCaptureInterval=0..[Components]..ais_cmp_fw=2..ais_shl_spm=3..[GrimeFighter]..info2_licensed_period=3600..info2_unlicensed_period=3600..LicensedClean=1..Us
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):3497912
                                                    Entropy (8bit):6.525245802927742
                                                    Encrypted:false
                                                    SSDEEP:49152:LJFbzxEFOMW6HEjWovQYPIW2KkZnWn/+/vgrsN5hddlArtYtPt+aJM1cTyynJBqW:LDbq5iQZGHrgGJb0dxzo
                                                    MD5:B31E22903A16D20D86A80FEBF8007AAE
                                                    SHA1:110207BBA3F797E6DB6256AB9146475BA95C57EF
                                                    SHA-256:BA2F161B7F85A9D2DB0A6D624B45543FE2D25F58419B588D2AF767A571FEA7BD
                                                    SHA-512:28040932CD268FD064626B9C078F33E28D5F63806066AF342F6752A86DBC4D6A3DF26A0C4D4BE63626E9BDE5DDF9138248F5E4DCC0C588141369049C485AE39D
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$...........Il..Il..Il.....Bl......l.....Ul..O.s.Jl..O..[l..O..]l..O..=l..@...Kl.....Hl..Il..Nl......Jl.....Pl.....@l..Il..m..#..l..#..Hl..#.q.Hl..Il..Kl..#..Hl..RichIl..........PE..d...Cy.f.........."....&.. ....................@..............................6.....FA6...`...........................................+.......+......@4..Y....2.t...H65.p)....5..U....&.......................&.(...0v".@............0 .@...0.+.@....................text...\. ....... ................. ..`.rdata.......0 ...... .............@..@.data.........+..4....+.............@....pdata..t.....2.......1.............@..@.didat..P.... 4.......3.............@..._RDATA.......04.......3.............@..@.rsrc....Y...@4..Z....3.............@..@.reloc...U....5..V....4.............@..B........................................................................................................
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):2
                                                    Entropy (8bit):1.0
                                                    Encrypted:false
                                                    SSDEEP:3:Jn:J
                                                    MD5:9BF31C7FF062936A96D3C8BD1F8F2FF3
                                                    SHA1:F1ABD670358E036C31296E66B3B66C382AC00812
                                                    SHA-256:E629FA6598D732768F7C726B4B621285F9C3B85303900AA912017DB7617D8BDB
                                                    SHA-512:9A6398CFFC55ADE35B39F1E41CF46C7C491744961853FF9571D09ABB55A78976F72C34CD7A8787674EFA1C226EAA2494DBD0A133169C9E4E2369A7D2D02DE31A
                                                    Malicious:false
                                                    Preview:15
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):888600
                                                    Entropy (8bit):6.799400661071435
                                                    Encrypted:false
                                                    SSDEEP:24576:rvqA5tAf7fM6xEV1rnF6SZT0kiSJN5H9tmGn7sL0h:eAvAfAAEV1rnFTZT0krlGW+Y
                                                    MD5:3EAD47F44293E18D66FB32259904197A
                                                    SHA1:E61E88BD81C05D4678AEB2D62C75DEE35A25D16B
                                                    SHA-256:E0D08B9DA7E502AD8C75F8BE52E9A08A6BCD0C5F98D360704173BE33777E4905
                                                    SHA-512:927A134BDAEC1C7C13D11E4044B30F7C45BBB23D5CAF1756C2BEADA6507A69DF0A2E6252EC28A913861E4924D1C766704F1036D7FC39C6DDB22E5EB81F3007F0
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....]vc.........."!....."...<......................................................X.....@A.........................x.......y.......P..@............f...)...`..ht..|g.......................f......8A..............d}...............................text....!.......".................. ..`.rdata...}...@...~...&..............@..@.data....O.......>..................@....00cfg..............................@..@.tls......... ......................@....voltbl......0..........................malloc_h.....@...................... ..`.rsrc...@....P......................@..@.reloc..ht...`...v..................@..B................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):8064960
                                                    Entropy (8bit):6.450676060748482
                                                    Encrypted:false
                                                    SSDEEP:196608:6ot4R9uUCqHwCthYiX5+RNpqqVTrUGG17gL3zK:vc9uUCqHwCnYiX5+RNpqqVTrUGG5
                                                    MD5:0CD5718F7F5F8529FE4FF773DEF52DAC
                                                    SHA1:9BA08A6246011359F5493856AD5FC0355E0DE4F5
                                                    SHA-256:D52114B057504439DF11368ADD0A66B037622F24E710731B1366EFE271C9DF78
                                                    SHA-512:A2218DCD6F0A0E676C23106BD717B5EB22614B3900BEE5D47EA80E1ACC4B87859E6F6DFB63C0D3CDF3EC4F37C12407EF56C2C7964AE141B393C7E94368CA820A
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$.......4z/.p.A.p.A.p.A.iD..A.v...|.A.v.E.c.A.v.B.b.A.v.D...A.iB.`.A.iE.V.A..uB.r.A..uE.x.A.yc..r.A.&nE.j.A.nE...A.nE.s.A.p.A.}.A.&nD.t.A.iG.q.A.i@.U.A.p.@...A...H.v.A...A.q.A.....q.A.p...r.A...C.q.A.Richp.A.................PE..d....y.f.........."....&.^U...%......./........@..............................|.....r.{...`...........................................l.......l......`z.......v..W..H.z.x)...p{......:b......................=b.(.....Y.@............pU.....`.l......................text....\U......^U................. ..`.rdata..b....pU......bU.............@..@.data...@.... m.......m.............@....pdata...W....v..X....u.............@..@.didat..p....@z......Vy.............@..._RDATA.......Pz......Xy.............@..@.rsrc........`z......Zy.............@..@.reloc.......p{......\z.............@..B................................................................
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):6259640
                                                    Entropy (8bit):6.491629802553454
                                                    Encrypted:false
                                                    SSDEEP:98304:Nen05aOqPALbMFT40RN53UaXP+U/ECJlZU3fPF+5W/1TH1be1dMuNAZwKrOf9lC2:Nen05b7W40BEa/ECJlZU3fPF+5W/1THC
                                                    MD5:3DE8201916344B1A766908E492BD1019
                                                    SHA1:2DBDD5A0D85FDBC46892CFEB576EF559F022807F
                                                    SHA-256:E3EF98CB25785FF1DF992B116EB238A80EAB17977C72F7DCD8BFEB15981C3371
                                                    SHA-512:370B33E3F5AADC5A33971C143F200E2BC14E7718B154CF0707F2D6B640734369F64CB594B444231C652B9FF03917A3899E9924274458F48A764276EA5AE859F9
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...................................p...........!..L.!This program cannot be run in DOS mode....$.......x.#.<.M.<.M.<.M...N.2.M...H..M.:...0.M.:.I...M.:.H.N.M.:.N.*.M.5...>.M.j.I. .M...I..M.j.H.8.M...K.=.M...H...M...I.?.M..N.>.M..I.4.M...L...M.<.L..M...I.=.M...H.'.M.<.M.2.M...I...M.V.D.q.M.V.M.=.M.V...=.M.<...=.M.V.O.=.M.Rich<.M.........PE..d....y.f.........." ...&..>..`!.......$......................................``......{`...`A.........................................GS......GS.h....._.......\.....HZ_.p)...._....0.J.......................J.(.....J.@.............>..............................text....>.......>................. ..`.rdata..6.....>.......>.............@..@.data....8....S......dS.............@....pdata........\.......[.............@..@.sdata........_.......^.............@..._RDATA........_.......^.............@..@.rsrc........._.......^.............@..@.reloc......._.......^.............@..B................................................
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:LZMA compressed data, non-streamed, size 6259640
                                                    Category:dropped
                                                    Size (bytes):1770333
                                                    Entropy (8bit):7.99988550541586
                                                    Encrypted:true
                                                    SSDEEP:49152:PJAfTopwE8u/N9+ETPZ41FyDLGk4pQ3caih:+fTop2YNUi4pSS
                                                    MD5:E1022AE554209563D6C7C8E9031EAA20
                                                    SHA1:E9288DED872ACA818E406332A14C641BDE08888C
                                                    SHA-256:B0E8CF35211923A4EB21F49882EEFE635062234B1186CE51105B71AA60A1C8CC
                                                    SHA-512:B772CC6CDD1706099A435B4DA95CFE00A0A298701FCD46E24755524A17813618837AC8456BBA2BB7A27AB861E56722A3391CED28E51AB11C03269157DD0E7A09
                                                    Malicious:false
                                                    Preview:]..@..._......&..p.........../D.|......I0..y.]n.u......i...7.....B]......F2$1..../e.Y.....f.k..7@.p....HF.......Ci.J..Q....z..q/[u8..&.uP.J.if. ..7/3..n..{K..fH.....1.P.?C......'...l....0xd.sO.u68.%.. .:.d`#04..;.~....Jv....8....;.E<....PL.I;X.Po.Q$m.N.m..DL.,.2..p..A!...%.k..a...D...U.J?.....VWw.........n....KD$.....e......m...f.|...L.....W..L.5..g%..R*8N.AU4R.t.O;nS=.}E...fD...W.X:.r..B.3..+.y........za.@x.k.J.........,../.l.........N#....Ug..$y.t/...V/....C&=.V=..8[d.,.....w.' .5.....b...R..o0..4...>|....f.....]S.B.{?-.....5,r...3.6`....O.....'..b.?7. (...z....?.6<.F].NrdZ..#..\..{.`.s......^..w..Vw73.O,.6..v....~E}..~.......f...*\.v.%U.......7...Q..>'.IS.}..9.....L<..*w..W....|.w.....P....!S.....f.*..g....r?........D]?..u...q...e.B.......w....8m.r.]....%...NFW.[u.U........3d`.\.B..Tz.6..S.>..?..7..nou..7....tv...Z..p.7..kqB...._.=,R..L.._.7.M..Q.=..ys.,. .L@....3Pa...&.+..o9.7.....~.(dN..,..C.....P7...bN.H.l...F..}."...
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:PE32+ executable (native) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):50976
                                                    Entropy (8bit):6.695978421209108
                                                    Encrypted:false
                                                    SSDEEP:1536:6fMVFuX7Y1C7X+oAiZ8uMX07F9Kx24Zza:WMVFsSC7+K8ua0qm
                                                    MD5:97F5D0CAAA1988C95BF38385D2CF260E
                                                    SHA1:255099F6E976837A0C3EB43A57599789A6330E85
                                                    SHA-256:73EE549578DED906711189EDCEF0EEDBC9DB7CCBD30CF7776BD1F7DD9E034339
                                                    SHA-512:AD099C25868C12246ED3D4EE54CEF4DF49D5276A5696CA72EFA64869367E262A57C8FF1FB947AD2F70CAEF1D618849DBAB2EC6161C25758D9F96733A7534B18F
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................r.............../......./b............../......Rich............................PE..d....>_e.........."....%.N...(...... ..........@..........................................`.................................................\u..(.......8.......P....x.. O...........l...............................................`.. ............................text...)L.......N.................. ..`.rdata.......`.......R..............@..@.data...............................@....pdata..P............l..............@..@.rsrc...8............r..............@..B........................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:LZMA compressed data, non-streamed, size 50976
                                                    Category:dropped
                                                    Size (bytes):26032
                                                    Entropy (8bit):7.992977293575329
                                                    Encrypted:true
                                                    SSDEEP:768:dXkqelTjZK0JgHW7tbzdiH2P6AdRo7+lmAg:dEfJJZtwH2PJbuUg
                                                    MD5:F13E71BDBBA9A80351A786C44272F737
                                                    SHA1:DC8F9B86B56684F3A7BD7DBB16DC27B436735E97
                                                    SHA-256:7E7DF8B8EF9226E9E916199D8721E52D8737654D6EC5A8A3B11B49CFA6633D34
                                                    SHA-512:2D8BF0BABE54618CD81212990BA9975CEA64C5E51172DAB95004364229B0A35190F94DF2E37FC70E93DF2A24EBC2339BD0A8801411ABE1F98915E6873562E7FC
                                                    Malicious:false
                                                    Preview:]..@. ........&..p.........../D.|...G'_..z.-~A..\..*~kHy54......<.....=......6......! o..- 6Y../.e+.Y.1~...~y. .....}..N..H.)G'P0..K..*..?.."...c.|..p.z.m!*..D...P.X..@~..E.B.T....5.7o..Y[C.......1.f..]?.........*......W....z.V.b}.H....h0......>./...w.K..}.o..Tm....V|.2.,f.U.......C@.]..e_.&....3....5NC.:.Tm..A3...:.q'Pj2}.m...1k.s.T....O. .....sq.&PaB...=.F.f.F]..;..'...W....{i8......Ki.u.i..2#..*....L.........F......~..x.W..@.J..X..*.'....0t.g.B....b....Z...@~<...8QZLR..2>_.X....=q...%..r*....oP......B.*&..wjV.........`..-..K.=.&r....*....Mi...q..{!..P.aF........-)D.9...r.iE..3..Q.....}.'....o.VL.3.].fW...,......R....<.P.l./.>.%3...{K>...=0..m.B.....f.=...E.^3...."n{.kw..-./-.,..D.d0..$*...rq$...=...g...._n~...H.....p.I..e..U..(._.5.W..y.7.r.^......?|h..\;$.IW....E..N..$.....>..:..."....v.`Jya.MF.\.>.N...\.....I.m.*e.+.Ut....._...xo.[$.M.Q..V_..X.~.XO..'M;.*.(.@....X.d.{..g...0Lx.C....*......`w.o].....O5.'..Y..........y:}..w.....$.b.{....b..IJ..
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12255680
                                                    Entropy (8bit):6.582045469175903
                                                    Encrypted:false
                                                    SSDEEP:196608:tCyhvUYCXWmkCL/pQTumd72K75aMdrqNEg:t1hvTCL/eCO7xAOrqNEg
                                                    MD5:CF058EAA95EAD820532B59B686023E53
                                                    SHA1:49709CB9B40FA558E67E24357251DFE9041FC6B9
                                                    SHA-256:66DC1DDC009EEAC0DA023172A5410A05D44324907F91FE4258420A9D17F7E859
                                                    SHA-512:6B93B0F4C8B487CCFE6B687C47555B2124636D216CBB38CAB0F387A1C51C19392EC026C60F023B3664C03D0414D663A5935060BD223344DF3ACB7DBD6971BC6F
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.......}.u.9...9...9.......$..........?7.0...?7..-...?7..J...?7../.......v...-......-......0..;.......8...9...>...o...:.......;.......)...........9.......S7.....S7..8...S7.8...9...;...S7..8...Rich9...........PE..d....y.f.........."....&....,a......T.........@..........................................`................................................d..................p...H..x)...........>.......................A..(...`=..@...............`............................text...`......................... ..`.rdata.../%......0%................@..@.data...`n4..0......................@....pdata..p..........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):1320261
                                                    Entropy (8bit):5.391575493962356
                                                    Encrypted:false
                                                    SSDEEP:6144:Pk0OrSmXIqx5qDRe9swL2SkIVPwF5SCBkB9ys2JQoYrJ3ecZwMzKg:Pk0OrSm+ReiwKSkIVPc/kB9MDYpYMzKg
                                                    MD5:7536A42465EAF94530982F592EE00F1F
                                                    SHA1:2C812DD88F83498F4A7FD9F1F801FB776DD2AD76
                                                    SHA-256:2D97B73E44EDDCCBEA3BC8EDD9C1F3D2F2F242B4EE9D4792BE50A0370C31FC46
                                                    SHA-512:E045C2AE75A203C0771566050144F8BD63FAC7098B0F24D02FE25DFAEA3C08F640552D22F66F0D36B2FB4D5CE02D5BE01694B7BA61B39DABE4843D74F6746B1C
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" ?>.<product name="avg-av">..<product-defs>...<config>....<install-folder name="Antivirus"/>....<program-data-folder name="Antivirus"/>....<registry-key name="Antivirus"/>....<full-name name="AVG Antivirus"/>....<languages>.....<lang>en-us</lang>.....<lang>cs-cz</lang>.....<lang>da-dk</lang>.....<lang>de-de</lang>.....<lang>es-es</lang>.....<lang>fi-fi</lang>.....<lang>fr-fr</lang>.....<lang>hu-hu</lang>.....<lang>id-id</lang>.....<lang>it-it</lang>.....<lang>ja-jp</lang>.....<lang>ko-kr</lang>.....<lang>ms-my</lang>.....<lang>nb-no</lang>.....<lang>nl-nl</lang>.....<lang>pl-pl</lang>.....<lang>pt-br</lang>.....<lang>pt-pt</lang>.....<lang>ru-ru</lang>.....<lang>sk-sk</lang>.....<lang>sr-sp</lang>.....<lang>sv-se</lang>.....<lang>tr-tr</lang>.....<lang>zh-cn</lang>.....<lang>zh-tw</lang>....</languages>...</config>...<vars>....<var name="%V_PRODUCT_PREFIX%">.....<desc lang="en-us">avg</desc>....</var>....<var name="%V_AV_SVC_MODULE%">.....<desc lang="en-us">AVGSvc.ex
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):9649
                                                    Entropy (8bit):5.271801858833516
                                                    Encrypted:false
                                                    SSDEEP:192:24GzDBLvmNC0u1chcnipUzIoH7VuPNv70JbbezBIAJro3RzWtW4/shvO:2LxLmNk+YJpWs/ezSIc0WqyO
                                                    MD5:BBE3743AEB4C47FECC4C94B9D5CF7D27
                                                    SHA1:067C289E203FAB588AEE2AA5DD2F3791E791ADB3
                                                    SHA-256:70C4B4989BCFF73809711CCCA4AC1BD0459C0814929398C23B6239C04C680F77
                                                    SHA-512:72D231E4AA1D07F898470147F319DC011368DD89BC2AAEFF19F27690BB4FF408E61C3855EEAC8D9CDB5DB910144C4F7E27A8983116598C0D5D8B705C98BF05DE
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" ?>.<product-info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="product-info.xsd">..<name>avg-av</name>..<version>24.7.9311.1966</version>..<build-time>1721331953</build-time>..<setup-files>...<file>....<conditions>.....<os platform="x86"/>....</conditions>....<name>icarus.exe</name>....<src-id>69c9de9f0cc9cc846d44e8b9a42de17d93f4cde9ffcf7a10d1dff69c4cef0c1f</src-id>....<sha-256>1a74ec107a0724fa270c9517727e69456e337659e5bd5bf1b143dca3aef69a09</sha-256>....<timestamp>1721331924</timestamp>....<size>7167424</size>...</file>...<file>....<conditions>.....<os platform="x64"/>....</conditions>....<name>icarus.exe</name>....<src-id>cfab5808bd7503ee1aff23b54d5a98a557524fa453762afa10b90e4b7ca6af95</src-id>....<sha-256>d52114b057504439df11368add0a66b037622f24e710731b1366efe271c9df78</sha-256>....<timestamp>1721331925</timestamp>....<size>8064960</size>...</file>...<file>....<conditions>.....<os platform="arm64"/>....</conditions>....<name
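The product-info.xml manifest previewed above lists, for each setup file, its SHA-256 and size; the x64 icarus.exe entry (sha-256 d52114b0..., size 8064960) is the same file the report records as dropped by icarus.exe with Malicious:true. Likewise, the two LZMA blobs dropped earlier in this list declare uncompressed sizes 6259640 and 50976, exactly the sizes of the dropped x64 DLL and the native (driver) PE. The Python script below is an added example for this report, not part of Joe Sandbox or of the installer: it parses the 13-byte .lzma ("alone") header to recover the declared uncompressed size, pairs each blob with the dropped PE of matching size, and checks the dropped-file hashes against the manifest. The manifest fragment is constructed from the preview (only the icarus.exe entry is real; example-other.exe and its all-zero hash are hypothetical and exist to exercise the miss path), the dropped-file records are transcribed from this report, and the blob payloads are dummy bytes, since only the header is read.

```python
"""Cross-check a Joe Sandbox dropped-file list against an installer's own
product-info.xml manifest, and pair LZMA blobs with the PE they unpack to.

Added example for this report; not Joe Sandbox or vendor code.
"""
import struct
import xml.etree.ElementTree as ET

# Constructed manifest fragment. The icarus.exe entry is copied from the
# report preview; example-other.exe and its zero hash are hypothetical.
MANIFEST_XML = """<?xml version="1.0" ?>
<product-info>
  <name>avg-av</name>
  <version>24.7.9311.1966</version>
  <setup-files>
    <file>
      <conditions><os platform="x64"/></conditions>
      <name>icarus.exe</name>
      <sha-256>d52114b057504439df11368add0a66b037622f24e710731b1366efe271c9df78</sha-256>
      <size>8064960</size>
    </file>
    <file>
      <conditions><os platform="x64"/></conditions>
      <name>example-other.exe</name>
      <sha-256>0000000000000000000000000000000000000000000000000000000000000000</sha-256>
      <size>4961208</size>
    </file>
  </setup-files>
</product-info>
"""

# Dropped-file records transcribed from this report (size, SHA-256, file type).
DROPPED = [
    {"size": 8064960, "type": "PE32+ executable (GUI) x86-64",
     "sha256": "D52114B057504439DF11368ADD0A66B037622F24E710731B1366EFE271C9DF78"},
    {"size": 4961208, "type": "PE32+ executable (console) x86-64",
     "sha256": "5445A6AF3BF675FB142D6DD3365C3D1F65967338BFDCE8596543C1BCC1A88A46"},
    {"size": 6259640, "type": "PE32+ executable (DLL) (GUI) x86-64",
     "sha256": "E3EF98CB25785FF1DF992B116EB238A80EAB17977C72F7DCD8BFEB15981C3371"},
    {"size": 50976, "type": "PE32+ executable (native) x86-64",
     "sha256": "73EE549578DED906711189EDCEF0EEDBC9DB7CCBD30CF7776BD1F7DD9E034339"},
]

LZMA_ALONE_HEADER_LEN = 13          # 1 props byte + u32 dict size + u64 size
LZMA_SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF


def lzma_alone_header(uncompressed_size, dict_size=1 << 24, props=0x5D):
    """Build a .lzma header. 0x5D encodes lc=3, lp=0, pb=2 (the LZMA defaults,
    and the ']' that opens both blob previews in this report)."""
    size_field = LZMA_SIZE_UNKNOWN if uncompressed_size is None else uncompressed_size
    return struct.pack("<BIQ", props, dict_size, size_field)


# Constructed blobs: real header, dummy payload (only the header is parsed).
SAMPLE_BLOB_DLL = lzma_alone_header(6259640) + b"\x00" * 16
SAMPLE_BLOB_DRV = lzma_alone_header(50976) + b"\x00" * 16
SAMPLE_BLOB_STREAMED = lzma_alone_header(None) + b"\x00" * 16


def parse_lzma_alone_header(blob: bytes) -> dict:
    """Decode the 13-byte .lzma header. An all-0xFF size means the encoder did
    not know the length; `file` then reports the data as "streamed"."""
    if len(blob) < LZMA_ALONE_HEADER_LEN:
        raise ValueError("too short for an LZMA alone header")
    props, dict_size, usize = struct.unpack("<BIQ", blob[:LZMA_ALONE_HEADER_LEN])
    if props >= 9 * 5 * 5:
        raise ValueError("invalid LZMA properties byte")
    return {
        "lc": props % 9, "lp": (props // 9) % 5, "pb": props // 45,
        "dict_size": dict_size,
        "uncompressed_size": None if usize == LZMA_SIZE_UNKNOWN else usize,
    }


def pair_blob_with_pe(blob: bytes, dropped: list):
    """Return the dropped PE whose size equals the blob's declared uncompressed
    size, or None when the size is unknown or nothing matches."""
    size = parse_lzma_alone_header(blob)["uncompressed_size"]
    if size is None:
        return None
    for rec in dropped:
        if rec["size"] == size and rec["type"].startswith("PE32"):
            return rec
    return None


def check_manifest(manifest_xml: str, dropped: list) -> dict:
    """Map each manifest file name to ok / size-mismatch / missing. Hashes are
    compared case-insensitively: the manifest is lowercase, the report upper."""
    by_hash = {r["sha256"].lower(): r for r in dropped}
    results = {}
    for entry in ET.fromstring(manifest_xml).iter("file"):
        name = entry.findtext("name")
        rec = by_hash.get((entry.findtext("sha-256") or "").lower())
        if rec is None:
            results[name] = "missing"
        elif rec["size"] != int(entry.findtext("size") or 0):
            results[name] = "size-mismatch"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    for label, blob in (("dll", SAMPLE_BLOB_DLL), ("drv", SAMPLE_BLOB_DRV),
                        ("streamed", SAMPLE_BLOB_STREAMED)):
        print(label, parse_lzma_alone_header(blob), pair_blob_with_pe(blob, DROPPED))
    print(check_manifest(MANIFEST_XML, DROPPED))
```

Two caveats when reading the result. Agreement between manifest and dropped files only shows that the installer is internally consistent: the manifest is written by the same process that drops the binaries, so authenticity rests on the Authenticode signatures of the PE files, not on this check. And the report's Encrypted:true on the LZMA and XZ blobs is an entropy heuristic; the File Type line already identifies them as compressed archives, and the header parse above recovers their declared plaintext size without any key.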
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    File Type:XZ compressed data, checksum CRC32
                                                    Category:dropped
                                                    Size (bytes):390756
                                                    Entropy (8bit):7.999498919202024
                                                    Encrypted:true
                                                    SSDEEP:6144:NELOfcuJDeG36sYbO1ma4cSfxatdAsVJxCpvEgZbtWnqYTk1XJwuIhJezmJ4u6/:NELAFJD53TYbmmJDZaZVwcabtYlw1yu7
                                                    MD5:1A91F1DB1B66709AAF1A7373860791C0
                                                    SHA1:AAF8435A3379AEA3272172A9D1B5C4D75B111E05
                                                    SHA-256:4C3E3FD5B5731973696377D11D8B11553B039E1FACBE1D652477178599DED37E
                                                    SHA-512:65E4F888ABEB06F84D885B31CA830EEDBFFBEA5FE3F0E30DFBA6FB47C8CFED18AF61B726858281885FDD74B408E5F9587A267B114F9D35DDB3074ED02A7303F9
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:LZMA compressed data, non-streamed, size 1320261
                                                    Category:dropped
                                                    Size (bytes):143080
                                                    Entropy (8bit):7.998566983723096
                                                    Encrypted:true
                                                    SSDEEP:3072:TuTFJOFvsLTU1x5Brs1Pg88A5prYM8Pi1N8WPFspMas9qtwgDM:TuSsU1TBrm8OyPqPZ9yjM
                                                    MD5:C9BAA9F9FBD36F20983C43436EF6B75F
                                                    SHA1:7FF99E4912F88BEBEE227A7BE0BC20F4198F1643
                                                    SHA-256:DF1FD59373A68967AEE77E193B0021809CCDAC21C4DC1D24D896FF4FD51A00D1
                                                    SHA-512:828E4DAD45ECE44F49587C2DC7F5838129914472CEB15263448796A3E00D22FC4EDDE94EC80C1C9E499CA919E1A8001E8FDA27AFD246D950EEE5D394645D0E1F
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:LZMA compressed data, non-streamed, size 12255680
                                                    Category:dropped
                                                    Size (bytes):3974468
                                                    Entropy (8bit):7.999953089153007
                                                    Encrypted:true
                                                    SSDEEP:98304:0qcefz/a3QZyI4xsg67R/qMgqPALj9wD3w9Z6pjR:KXQZ5gz67RCMvIjw3DR
                                                    MD5:747E5A35924EA17748255C07A66791D8
                                                    SHA1:ACC83C8FF114B84D4FCAA58BAD677C88647FAF52
                                                    SHA-256:45F465ECFD79E1960F0AE66FE90BBBBAE880CC99811C23A65E1D42E9ED61549A
                                                    SHA-512:69CFA7313A60BAA5C6D109A0A61152B7CBAEEDE39C29840F3EE47EB01CCE3B153A72F3C0F9EE7FD2F821A66C2CBE2D44B2DBD33BF3200D66B46009431D981CD3
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:LZMA compressed data, non-streamed, size 390756
                                                    Category:dropped
                                                    Size (bytes):396250
                                                    Entropy (8bit):7.999533685597223
                                                    Encrypted:true
                                                    SSDEEP:12288:sCjirXnWAOtWu2gFIOqaRO6N7w1hy41BSXZuxe2J/yu:9irXWAOtWUIGbzkUZuI2
                                                    MD5:25CD565EE87CCC5D35397B2F515C4D20
                                                    SHA1:69B664CE87B51307BA42420B364A6389E135FD66
                                                    SHA-256:2CD6919B51EF9EE59565D6A0551E59CC6CDF4E65CFDAA08B48E69FC2F02967E6
                                                    SHA-512:3366BEFDFC8CEBA6C17D7077AAD9B6C1796B56A67F731C802E22E91DCAD6E69C4E34C7C9BE526F4428E2CB9E4B64AA573811D8DF00E72301C026F52F179A1FFB
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:LZMA compressed data, non-streamed, size 15288
                                                    Category:dropped
                                                    Size (bytes):9567
                                                    Entropy (8bit):7.977755483295916
                                                    Encrypted:false
                                                    SSDEEP:192:JyDUuA9epZXFLBZ3iajsRAzqxeQZuKEj6NZi/P4qJaHiOkN:cAMZXFLLSaxGxeQZu3+iXD4CJN
                                                    MD5:1FF7130AD9EC4C06EB4E8615CA76DEE3
                                                    SHA1:E5D0D6D31CE65BA9682885C676B72EED0493C2AD
                                                    SHA-256:12C6750E615036DD1DE45811E8FDF25EAFDB6A687C13D0EC0440777E90B9832E
                                                    SHA-512:A807BABAD54D66F329E8189EA12DC2B868F09FDCADD0551B1E16B4F8300175DE9CDDA097DCBAF460B9315C5E9E45B1967E2ED19493BE6A914261FDEDF4DAC162
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:LZMA compressed data, non-streamed, size 3497912
                                                    Category:dropped
                                                    Size (bytes):1018909
                                                    Entropy (8bit):7.999836338135886
                                                    Encrypted:true
                                                    SSDEEP:24576:WJnbYcKWQUPWzSrL1XD9LxJruhb9R9qQz3jya1NnOeu5md:657xbp9Lx5uBNzPNnOeimd
                                                    MD5:FA05699443553FAA439D67A5C2B943BA
                                                    SHA1:CC99FBA829DD91A0ED9C9644507222E763B74BBD
                                                    SHA-256:AE21D2BA9FDB661E44CA128596606C6A9985612C589AE62A1B31129B301522F5
                                                    SHA-512:486A8C974D49F378A07A54E7A76A810087E45AE131473441343468B25E9C72B49186ECD8FADAB2BE620160A09059F2D8FF2EDA23B0978399B0DCD71185645B7A
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):4961208
                                                    Entropy (8bit):6.519714047453427
                                                    Encrypted:false
                                                    SSDEEP:49152:kMLnHQldkoh7BxR44RNA5ud8RG4I80/m6ck5eGSljF/D1wxQ55fxGLnm7MM+MxkE:uR4f5udV/m6ckLS1Z7zxkOjT0JbnG
                                                    MD5:31E948AD14E9E68685C69B3D46D71B38
                                                    SHA1:9136C6B0E0F266132E9E802D3E5E9F510EA608FF
                                                    SHA-256:5445A6AF3BF675FB142D6DD3365C3D1F65967338BFDCE8596543C1BCC1A88A46
                                                    SHA-512:B20FAE2A75B757A502C7F261571A6AE1FF1BF98FB0719ABBA8A3DE27685DFFD4E7564C06624FBE2B51D2EB7C39BE6DE76F88026276128710D7E26BE7C2D12043
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$...................Y......Y...T....?........................Q...........@.......H...................@......Y......Y............................=.....U...........Rich............PE..d...iy.f.........."....&..2....................@..............................L.......K...`.........................................@.A.....(.A.,.....L.......I..a..H.K.p)....L.(g....:.......................:.(...@.:.@.............2..............................text...<.2.......2................. ..`.rdata...G....2..H....2.............@..@.data.........A.......A.............@....pdata...a....I..b....H.............@..@_RDATA........K.......K.............@..@.rsrc.........L.......K.............@..@.reloc..(g....L..h..."K.............@..B................................................................................................................................
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):3497912
                                                    Entropy (8bit):6.525245802927742
                                                    Encrypted:false
                                                    SSDEEP:49152:LJFbzxEFOMW6HEjWovQYPIW2KkZnWn/+/vgrsN5hddlArtYtPt+aJM1cTyynJBqW:LDbq5iQZGHrgGJb0dxzo
                                                    MD5:B31E22903A16D20D86A80FEBF8007AAE
                                                    SHA1:110207BBA3F797E6DB6256AB9146475BA95C57EF
                                                    SHA-256:BA2F161B7F85A9D2DB0A6D624B45543FE2D25F58419B588D2AF767A571FEA7BD
                                                    SHA-512:28040932CD268FD064626B9C078F33E28D5F63806066AF342F6752A86DBC4D6A3DF26A0C4D4BE63626E9BDE5DDF9138248F5E4DCC0C588141369049C485AE39D
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$...........Il..Il..Il.....Bl......l.....Ul..O.s.Jl..O..[l..O..]l..O..=l..@...Kl.....Hl..Il..Nl......Jl.....Pl.....@l..Il..m..#..l..#..Hl..#.q.Hl..Il..Kl..#..Hl..RichIl..........PE..d...Cy.f.........."....&.. ....................@..............................6.....FA6...`...........................................+.......+......@4..Y....2.t...H65.p)....5..U....&.......................&.(...0v".@............0 .@...0.+.@....................text...\. ....... ................. ..`.rdata.......0 ...... .............@..@.data.........+..4....+.............@....pdata..t.....2.......1.............@..@.didat..P.... 4.......3.............@..._RDATA.......04.......3.............@..@.rsrc....Y...@4..Z....3.............@..@.reloc...U....5..V....4.............@..B........................................................................................................
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:LZMA compressed data, non-streamed, size 8064960
                                                    Category:dropped
                                                    Size (bytes):2429015
                                                    Entropy (8bit):7.999910064841778
                                                    Encrypted:true
                                                    SSDEEP:49152:wD66xgP9Jr2nsAC94p1rbeuU/u88bEM4TLIpSTsGp20vPFlkTqTxhXv:wnxE9Jr2nsB94brKFmaM4/Ip4lKqb
                                                    MD5:40FC4AABBFED90B01F551E8573FD8718
                                                    SHA1:96DB0976B3F55BEEE3265398D140738FF9D4DB8B
                                                    SHA-256:08DE05D0963AFD0716E2CEFA2EB24BB4CA012CEAF4E2258FA09236453AEA1D34
                                                    SHA-512:68E461D7E8FAF45CC4714B3AAF012A3BB54F7BB686781B3BEA82E17321D1760E18B85630387A1952CDF16DCFDC05D28808C6151770D6F6F959AF77937BCEAEAE
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:LZMA compressed data, non-streamed, size 4961208
                                                    Category:dropped
                                                    Size (bytes):1474732
                                                    Entropy (8bit):7.9998807573071335
                                                    Encrypted:true
                                                    SSDEEP:24576:24tfIMbwwiCsnzBPW4xmh+cQnDIvh0rb6EQ9s/UEOA5b2c0f:jxkBtfIvurPUTc0f
                                                    MD5:0261C917EAD57EF33534536C40AAEF4B
                                                    SHA1:85E9FEAD9ACB4619004B4282B437C2B3009458D7
                                                    SHA-256:828D450367EB05B67F9E25A466A387D827D8E73C4E22F2CACE22D95489DF4C92
                                                    SHA-512:83ACCC840F33A5498216CC17D06CA22DE23F98B97A058CADBF40A9129B1A20421EE2F18C30CD565F520385D361BDBA7901A9BCAC204B504330C55974A1C4E23D
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):8064960
                                                    Entropy (8bit):6.450676060748482
                                                    Encrypted:false
                                                    SSDEEP:196608:6ot4R9uUCqHwCthYiX5+RNpqqVTrUGG17gL3zK:vc9uUCqHwCnYiX5+RNpqqVTrUGG5
                                                    MD5:0CD5718F7F5F8529FE4FF773DEF52DAC
                                                    SHA1:9BA08A6246011359F5493856AD5FC0355E0DE4F5
                                                    SHA-256:D52114B057504439DF11368ADD0A66B037622F24E710731B1366EFE271C9DF78
                                                    SHA-512:A2218DCD6F0A0E676C23106BD717B5EB22614B3900BEE5D47EA80E1ACC4B87859E6F6DFB63C0D3CDF3EC4F37C12407EF56C2C7964AE141B393C7E94368CA820A
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$.......4z/.p.A.p.A.p.A.iD..A.v...|.A.v.E.c.A.v.B.b.A.v.D...A.iB.`.A.iE.V.A..uB.r.A..uE.x.A.yc..r.A.&nE.j.A.nE...A.nE.s.A.p.A.}.A.&nD.t.A.iG.q.A.i@.U.A.p.@...A...H.v.A...A.q.A.....q.A.p...r.A...C.q.A.Richp.A.................PE..d....y.f.........."....&.^U...%......./........@..............................|.....r.{...`...........................................l.......l......`z.......v..W..H.z.x)...p{......:b......................=b.(.....Y.@............pU.....`.l......................text....\U......^U................. ..`.rdata..b....pU......bU.............@..@.data...@.... m.......m.............@....pdata...W....v..X....u.............@..@.didat..p....@z......Vy.............@..._RDATA.......Pz......Xy.............@..@.rsrc........`z......Zy.............@..@.reloc.......p{......\z.............@..B................................................................
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):15288
                                                    Entropy (8bit):6.953429300839112
                                                    Encrypted:false
                                                    SSDEEP:384:wOYgk0sW4IYiiftEdAM+o/8E9VF0NySR:izWhYiiedAMxkEk
                                                    MD5:934C0E7759E708657C2F77EB75902AE0
                                                    SHA1:43A6ABED472CA7D8D002E045031F900C4A67F9C7
                                                    SHA-256:B9CA3D2E44AF8CF61696AB10DD5BBD16ADA02A32207E4CA454A4B9DE6E472F2B
                                                    SHA-512:2C34F98A5020496D1BA7529C5A1A36D6F0938EDDDB02D75A189E83BE02DE22BBB563A586BF8C3E090B510C0F24E586447AB237BFFF09B166F49ACCA052D71E07
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................*........Rich..................PE..L...ux.f...........!...&..................... ...............................P.......P....@E........................ !..\....#..<....0..............H...p)...@..(.... ............................................... .. ............................text...U........................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..(....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12255680
                                                    Entropy (8bit):6.582045469175903
                                                    Encrypted:false
                                                    SSDEEP:196608:tCyhvUYCXWmkCL/pQTumd72K75aMdrqNEg:t1hvTCL/eCO7xAOrqNEg
                                                    MD5:CF058EAA95EAD820532B59B686023E53
                                                    SHA1:49709CB9B40FA558E67E24357251DFE9041FC6B9
                                                    SHA-256:66DC1DDC009EEAC0DA023172A5410A05D44324907F91FE4258420A9D17F7E859
                                                    SHA-512:6B93B0F4C8B487CCFE6B687C47555B2124636D216CBB38CAB0F387A1C51C19392EC026C60F023B3664C03D0414D663A5935060BD223344DF3ACB7DBD6971BC6F
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.......}.u.9...9...9.......$..........?7.0...?7..-...?7..J...?7../.......v...-......-......0..;.......8...9...>...o...:.......;.......)...........9.......S7.....S7..8...S7.8...9...;...S7..8...Rich9...........PE..d....y.f.........."....&....,a......T.........@..........................................`................................................d..................p...H..x)...........>.......................A..(...`=..@...............`............................text...`......................... ..`.rdata.../%......0%................@..@.data...`n4..0......................@....pdata..p..........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):1320261
                                                    Entropy (8bit):5.391575493962356
                                                    Encrypted:false
                                                    SSDEEP:6144:Pk0OrSmXIqx5qDRe9swL2SkIVPwF5SCBkB9ys2JQoYrJ3ecZwMzKg:Pk0OrSm+ReiwKSkIVPc/kB9MDYpYMzKg
                                                    MD5:7536A42465EAF94530982F592EE00F1F
                                                    SHA1:2C812DD88F83498F4A7FD9F1F801FB776DD2AD76
                                                    SHA-256:2D97B73E44EDDCCBEA3BC8EDD9C1F3D2F2F242B4EE9D4792BE50A0370C31FC46
                                                    SHA-512:E045C2AE75A203C0771566050144F8BD63FAC7098B0F24D02FE25DFAEA3C08F640552D22F66F0D36B2FB4D5CE02D5BE01694B7BA61B39DABE4843D74F6746B1C
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" ?>.<product name="avg-av">..<product-defs>...<config>....<install-folder name="Antivirus"/>....<program-data-folder name="Antivirus"/>....<registry-key name="Antivirus"/>....<full-name name="AVG Antivirus"/>....<languages>.....<lang>en-us</lang>.....<lang>cs-cz</lang>.....<lang>da-dk</lang>.....<lang>de-de</lang>.....<lang>es-es</lang>.....<lang>fi-fi</lang>.....<lang>fr-fr</lang>.....<lang>hu-hu</lang>.....<lang>id-id</lang>.....<lang>it-it</lang>.....<lang>ja-jp</lang>.....<lang>ko-kr</lang>.....<lang>ms-my</lang>.....<lang>nb-no</lang>.....<lang>nl-nl</lang>.....<lang>pl-pl</lang>.....<lang>pt-br</lang>.....<lang>pt-pt</lang>.....<lang>ru-ru</lang>.....<lang>sk-sk</lang>.....<lang>sr-sp</lang>.....<lang>sv-se</lang>.....<lang>tr-tr</lang>.....<lang>zh-cn</lang>.....<lang>zh-tw</lang>....</languages>...</config>...<vars>....<var name="%V_PRODUCT_PREFIX%">.....<desc lang="en-us">avg</desc>....</var>....<var name="%V_AV_SVC_MODULE%">.....<desc lang="en-us">AVGSvc.ex
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):9649
                                                    Entropy (8bit):5.271801858833516
                                                    Encrypted:false
                                                    SSDEEP:192:24GzDBLvmNC0u1chcnipUzIoH7VuPNv70JbbezBIAJro3RzWtW4/shvO:2LxLmNk+YJpWs/ezSIc0WqyO
                                                    MD5:BBE3743AEB4C47FECC4C94B9D5CF7D27
                                                    SHA1:067C289E203FAB588AEE2AA5DD2F3791E791ADB3
                                                    SHA-256:70C4B4989BCFF73809711CCCA4AC1BD0459C0814929398C23B6239C04C680F77
                                                    SHA-512:72D231E4AA1D07F898470147F319DC011368DD89BC2AAEFF19F27690BB4FF408E61C3855EEAC8D9CDB5DB910144C4F7E27A8983116598C0D5D8B705C98BF05DE
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" ?>.<product-info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="product-info.xsd">..<name>avg-av</name>..<version>24.7.9311.1966</version>..<build-time>1721331953</build-time>..<setup-files>...<file>....<conditions>.....<os platform="x86"/>....</conditions>....<name>icarus.exe</name>....<src-id>69c9de9f0cc9cc846d44e8b9a42de17d93f4cde9ffcf7a10d1dff69c4cef0c1f</src-id>....<sha-256>1a74ec107a0724fa270c9517727e69456e337659e5bd5bf1b143dca3aef69a09</sha-256>....<timestamp>1721331924</timestamp>....<size>7167424</size>...</file>...<file>....<conditions>.....<os platform="x64"/>....</conditions>....<name>icarus.exe</name>....<src-id>cfab5808bd7503ee1aff23b54d5a98a557524fa453762afa10b90e4b7ca6af95</src-id>....<sha-256>d52114b057504439df11368add0a66b037622f24e710731b1366efe271c9df78</sha-256>....<timestamp>1721331925</timestamp>....<size>8064960</size>...</file>...<file>....<conditions>.....<os platform="arm64"/>....</conditions>....<name
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:XZ compressed data, checksum CRC32
                                                    Category:dropped
                                                    Size (bytes):390756
                                                    Entropy (8bit):7.999498919202024
                                                    Encrypted:true
                                                    SSDEEP:6144:NELOfcuJDeG36sYbO1ma4cSfxatdAsVJxCpvEgZbtWnqYTk1XJwuIhJezmJ4u6/:NELAFJD53TYbmmJDZaZVwcabtYlw1yu7
                                                    MD5:1A91F1DB1B66709AAF1A7373860791C0
                                                    SHA1:AAF8435A3379AEA3272172A9D1B5C4D75B111E05
                                                    SHA-256:4C3E3FD5B5731973696377D11D8B11553B039E1FACBE1D652477178599DED37E
                                                    SHA-512:65E4F888ABEB06F84D885B31CA830EEDBFFBEA5FE3F0E30DFBA6FB47C8CFED18AF61B726858281885FDD74B408E5F9587A267B114F9D35DDB3074ED02A7303F9
                                                    Malicious:false
                                                    Preview:.7zXZ...i".6..!.....F.;...2.7].0...?..Lm.K%. .6.X.....L.@#........EG.t..r.%.S.T......1<.d...X.T...%.Yb..q..U.v.....U+...7..BP.I..Teur.V}...b0....L.C..Y)....*q.N.........!...c".\.....M.}.;...fb-..#.......-P.).*{>(..#h_..D..0FU..R...0).[.E=Vz*.......+z3M....eqZp...h*!.....P....._..C..bQ..N......b=.....>^B..O...m..K.I...-...Z...X{.N.]..^.....x`...."...Dao....vA....;..Zk.....Ppn~G..H.n.t..d.(.gv..k;.0&A^b.n.C.........e..ee~....5Q.0.Z.FO.J.r..J..A<N.+E..6$..XJr^t.m..V...V'.ET;1r.B.......G...a..G.]gcG.....f....*.!r..w.....3.kZ...X.&:..?...pOO]t.kb...e......b.uI>..SA..7.*.es2.'...........Wq......M.RX.f*.@.W/...:..q..lA..mk*.6e.%..y..p..R....Q.....~...p@m..O8'..$.ek ..P....@...-`.b....Q.I.y..]..:.7z.C......}}._...x..o....._.....Q.. .a......]....V..>C....Du6~...1..:....[{AH+..q..1z,...&~.y..h..}.....v*...#[..%...f....yP.........6.g.d..Ff.%V...vz65....p {U;.-....p..0vV...W.w.N..{#.....t..uK.........\)L...>4....s8...y........kah.$a..."Z.7.3-=.....3
                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):1647
                                                    Entropy (8bit):5.2367061378286355
                                                    Encrypted:false
                                                    SSDEEP:48:cEYpQmPUb4n682A+IP/hPX1U5VR73290M:0um8Y6E+KJXC5V13290M
                                                    MD5:E2E2401BB7CE02E61EF0BA7B0FE73AAB
                                                    SHA1:BE961529D5219D5A87747D1275C52F5CFA221BB3
                                                    SHA-256:D57D6D5979F6787ACD4FC34383469DF00F1EF1C08AA88DCE4BCEBA5525F841F7
                                                    SHA-512:81D62BE9A498904FC90EA910B78670BADA9DF69662E19A44D970AB710C7CBDB0F7A3A280EFF694B50B5F2F944041A398CAA58982370F6D557A9C20EA5CAEE813
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="utf-8"?>.<icarus-info xmlns:xs="http://www.w3.org/2001/XMLSchema-instance">..<file-mapping-sfx>...<handle>1cc</handle>...<size>1631120</size>..</file-mapping-sfx>..<file-list>...<file>....<alias>sfx-info.xml</alias>....<sha-256>b94383d8d890427d3339f75d396522964ae17bc4316fb03c4725543d30173498</sha-256>....<offset>1610822</offset>....<size>717</size>....<timestamp>1721892466</timestamp>....<flags>0</flags>...</file>...<file>....<alias>avg-av/edition.edat</alias>....<sha-256>e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb</sha-256>....<offset>1611616</offset>....<size>2</size>....<timestamp>1721892466</timestamp>....<flags>0</flags>...</file>...<file>....<alias>avg-av/config.def.edat</alias>....<sha-256>f3b71692fdbbcd129b14c8ceedde570d7f15154de92bafd0fbfc5914c7aa3b3d</sha-256>....<offset>1611698</offset>....<size>8283</size>....<timestamp>1721892304</timestamp>....<flags>1</flags>...</file>..</file-list>..<sfx-dir>C:\Users\user\Desktop</sfx-
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):6.771142734865859
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    File size:1'631'120 bytes
                                                    MD5:678507e1459f47a4d77aace80d42d52d
                                                    SHA1:80703904ffc940857ec8a10aca910b4eb26c6965
                                                    SHA256:0dbc254fb42ccb7eab3122ec98798233d83327b2d19e2a45706cb79101a843e1
                                                    SHA512:087d046dc4fb5e2bfb74bb16fa56e7d16c7f5aad19e4f14992dc167590f270d2d1b8da7e44172765999964a387488e0f64a813671e759d5a8bd958ed167fbe93
                                                    SSDEEP:49152:QN2OR9WF/G/ooooEYOKOhBVWKoJhymxwSe4v:i2FF/GYhBVWKoi3
                                                    TLSH:8C759E317646C032E4A211B25B689BBE812DFD348BA644C763E44F39FD215C36B36B97
                                                    File Content Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......i.V]-O8.-O8.-O8..=;."O8..==..O8.+.../O8.+.<.9O8.+.;.7O8.+.=.DO8..=<.4O8..!<.(O8.$7../O8.{:=.,O8.-O8.+O8..=?.,O8..=9.8O8.-O9..N8
                                                    Icon Hash:cc8d0d191e1e107c
                                                    Entrypoint:0x4551d0
                                                    Entrypoint Section:.text
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x668D790B [Tue Jul 9 17:53:15 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:6
                                                    OS Version Minor:0
                                                    File Version Major:6
                                                    File Version Minor:0
                                                    Subsystem Version Major:6
                                                    Subsystem Version Minor:0
                                                    Import Hash:f592e2f2b7cc60319087716c76ac6b79
                                                    Signature Valid:true
                                                    Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                    Signature Validation Error:The operation completed successfully
                                                    Error Number:0
                                                    Not Before, Not After
                                                    • 16/09/2022 01:00:00 18/09/2025 00:59:59
                                                    Subject Chain
                                                    • CN="AVG Technologies USA, LLC", O="AVG Technologies USA, LLC", L=Redwood City, S=California, C=US
                                                    Version:3
                                                    Thumbprint MD5:A1611C3679916473A418093E16AEDD48
                                                    Thumbprint SHA-1:79A1F7262575EC7D1304F9CDAC161C91DA814B87
                                                    Thumbprint SHA-256:EF742180FB09007A9E14469292CCC7A0E2E63EB33336A03DFA293EB5EE954E49
                                                    Serial:0435603F7A888AE16C05B00F153CC6FC
                                                    Instruction
                                                    push esi
                                                    push 00000000h
                                                    push 00000000h
                                                    push 00000001h
                                                    push 00000000h
                                                    call dword ptr [00507360h]
                                                    push 005396B0h
                                                    push 00536A84h
                                                    call dword ptr [005072E0h]
                                                    push eax
                                                    call dword ptr [005072DCh]
                                                    mov esi, eax
                                                    test esi, esi
                                                    je 00007F818C604965h
                                                    push 00000800h
                                                    mov ecx, esi
                                                    call dword ptr [005074E8h]
                                                    call esi
                                                    test eax, eax
                                                    jne 00007F818C60498Dh
                                                    push 00530120h
                                                    call dword ptr [00507370h]
                                                    push 00539694h
                                                    push 005359D8h
                                                    call dword ptr [005072E0h]
                                                    push eax
                                                    call dword ptr [005072DCh]
                                                    mov esi, eax
                                                    test esi, esi
                                                    je 00007F818C604965h
                                                    push 00000000h
                                                    push 00455120h
                                                    push 00000000h
                                                    mov ecx, esi
                                                    call dword ptr [005074E8h]
                                                    call esi
                                                    push 0000000Ah
                                                    call dword ptr [00507364h]
                                                    test eax, eax
                                                    jne 00007F818C60495Dh
                                                    push C000001Dh
                                                    call dword ptr [00507368h]
                                                    call 00007F818C65971Fh
                                                    push eax
                                                    call dword ptr [00507368h]
                                                    int3
                                                    int3
                                                    int3
                                                    push edi
                                                    mov edi, ecx
                                                    cmp byte ptr [edi+0000008Ch], 00000000h
                                                    je 00007F818C604966h
                                                    mov eax, dword ptr [edi]
                                                    push esi
                                                    push 00000000h
                                                    mov esi, dword ptr [eax]
                                                    mov ecx, esi
                                                    call dword ptr [005074E8h]
                                                    mov ecx, edi
                                                    call esi
                                                    pop esi
                                                    pop edi
                                                    ret
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    Programming Language:
                                                    • [IMP] VS2008 SP1 build 30729

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1592f0 | 0xe8 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1593d8 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16a000 | 0x17240 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18b890 | 0x2b00 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x182000 | 0xcf48 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x142528 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1425c0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x127c78 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x107000 | 0x4e8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x158f1c | 0x80 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x105f9a | 0x106000 | bf80bf07f3afc82d8f2f0bea4d338447 | False | 0.47250995199188933 | data | 6.584060415898252 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x107000 | 0x54160 | 0x54200 | b9e533c6bbfcdfde8bc7b1daeec7c00d | False | 0.40033548476968794 | data | 5.788288612302234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x15c000 | 0xcc94 | 0xa800 | 4e4e08186fd42259747249fb374ce957 | False | 0.11544363839285714 | DOS executable (block device driver) | 4.8322990643226325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x169000 | 0x54 | 0x200 | 2d7bcbaa61d20d0b79e89f841a1c6c5c | False | 0.1328125 | data | 0.8770653977102518 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16a000 | 0x17240 | 0x17400 | 32603a0dae54922d263d97f719ebf559 | False | 0.8896484375 | data | 7.713435680777911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x182000 | 0xcf48 | 0xd000 | 4dd0604b1311a0c8d3f4b8caa2021134 | False | 0.6620718149038461 | data | 6.652512922904067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
COLOR | 0x16a318 | 0x4 | data | English | United States | 3.0
GIF | 0x16a320 | 0x2061 | GIF image data, version 89a, 420 x 150 | English | United States | 0.7474966823501026
LZMA | 0x16c388 | 0x4c1b | LZMA compressed data, streamed | English | United States | 1.0008212287635374
RT_ICON | 0x170fa8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.7445848375451264
RT_ICON | 0x171850 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.8634393063583815
RT_ICON | 0x171db8 | 0xadaa | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.994376715101894
RT_ICON | 0x17cb68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.6373443983402489
RT_ICON | 0x17f110 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.7448405253283302
RT_ICON | 0x1801b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7659574468085106
RT_GROUP_ICON | 0x180620 | 0x5a | data | English | United States | 0.7333333333333333
RT_VERSION | 0x180680 | 0x3b0 | data | English | United States | 0.475635593220339
RT_MANIFEST | 0x180a30 | 0x80f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2003), with CRLF line terminators | English | United States | 0.318952981095492

DLL | Import
SHELL32.dll | SHGetFolderPathW
ntdll.dll | VerSetConditionMask, RtlNtStatusToDosError, RtlCaptureContext, RtlUnwind
KERNEL32.dll | DeleteFileW, GetFileInformationByHandle, GetFullPathNameW, OutputDebugStringA, FileTimeToSystemTime, GetSystemTimeAsFileTime, GetCurrentProcessId, TlsAlloc, TlsGetValue, TlsSetValue, FreeLibrary, CreateEventW, WaitForMultipleObjects, SetEvent, ResetEvent, CreateSemaphoreW, ReleaseSemaphore, GetSystemInfo, GetVersionExW, QueryPerformanceFrequency, QueryPerformanceCounter, ExpandEnvironmentStringsW, GetModuleFileNameW, GetFileAttributesW, LoadLibraryExW, GetSystemDirectoryW, DeviceIoControl, VirtualAlloc, VirtualFree, VirtualProtect, HeapDestroy, HeapReAlloc, GlobalMemoryStatusEx, TerminateThread, GetExitCodeThread, TlsFree, SetFilePointer, SetFileAttributesW, EnterCriticalSection, MoveFileExW, GetWindowsDirectoryW, LockFileEx, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, DuplicateHandle, GetFileAttributesExW, FindFirstFileW, FindClose, SetFileTime, CreateDirectoryW, RemoveDirectoryW, FindFirstFileExW, FindNextFileW, QueryDosDeviceW, GetFinalPathNameByHandleW, GetVolumePathNameW, GetVolumeNameForVolumeMountPointW, GetEnvironmentVariableW, SetFilePointerEx, UnlockFileEx, GetFileSizeEx, CopyFileW, SetFileInformationByHandle, GetDiskFreeSpaceExW, FindResourceW, LoadResource, LockResource, SizeofResource, K32GetMappedFileNameW, FindFirstVolumeW, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, FindVolumeClose, VirtualQuery, GetSystemTimes, GetTickCount64, RaiseException, LCMapStringW, GetConsoleMode, GetConsoleOutputCP, GetFileType, GetStdHandle, GetCommandLineA, FreeLibraryAndExitThread, ExitThread, InterlockedPushEntrySList, OutputDebugStringW, FlushFileBuffers, DeleteCriticalSection, InitializeCriticalSection, LoadLibraryW, LocalAlloc, SetLastError, K32GetProcessMemoryInfo, GetProcessTimes, GetPriorityClass, VerifyVersionInfoW, GetCurrentThread, GetExitCodeProcess, ReadFile, WriteConsoleW, WriteFile, CreateProcessW, CreateFileW, K32GetProcessImageFileNameW, OpenProcess, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, InitializeProcThreadAttributeList, CompareStringW, WaitForSingleObject, Sleep, GetLastError, LocalFree, GetUserDefaultUILanguage, GetCommandLineW, GetCurrentProcess, WideCharToMultiByte, MultiByteToWideChar, InitializeCriticalSectionEx, CloseHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleExW, HeapFree, GetProcessHeap, HeapAlloc, GetCurrentThreadId, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, LeaveCriticalSection, ReadConsoleW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, SetEndOfFile, FindResourceExW, HeapSize, GetVersion, InitializeCriticalSectionAndSpinCount, GlobalUnlock, GlobalLock, GlobalAlloc, CreateThread, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, LoadLibraryExA, HeapSetInformation, IsProcessorFeaturePresent, ExitProcess, lstrcpyW, SetDllDirectoryW, GlobalFree, GetTimeZoneInformation, GetPrivateProfileStringA, GetStringTypeW, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WaitForSingleObjectEx, InitOnceBeginInitialize, InitOnceComplete, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess
USER32.dll | PostMessageW, CharLowerW, SetWindowLongW, GetWindowLongW, DefWindowProcW, SystemParametersInfoW, LoadImageW, CreateWindowExW, SendMessageW, SetWindowPos, SetFocus, DestroyWindow, PostQuitMessage, DestroyIcon, GetDC, ReleaseDC, GetMessageW, IsDialogMessageW, DispatchMessageW, LoadIconW, EndPaint, BeginPaint, InvalidateRect, UpdateWindow, RegisterWindowMessageW, KillTimer, DrawTextW, LoadCursorW, SetTimer, IsWindow, ShowWindow, SetWindowTextW, UnregisterClassW, GetSystemMetrics, GetClassInfoExW, MessageBoxW, TranslateMessage, MoveWindow, RegisterClassExW
ADVAPI32.dll | LookupPrivilegeValueW, RegDeleteKeyExW, RegEnumKeyW, OpenProcessToken, GetTokenInformation, IsValidSid, GetSidSubAuthority, GetSidSubAuthorityCount, ConvertStringSecurityDescriptorToSecurityDescriptorW, DuplicateTokenEx, SetTokenInformation, CryptReleaseContext, CryptGenRandom, CryptAcquireContextW, RegNotifyChangeKeyValue, RegQueryInfoKeyW, RegDeleteValueW, RegEnumValueW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, LookupAccountSidW, TreeResetNamedSecurityInfoW, AddAce, InitializeAcl, CopySid, GetLengthSid, AllocateAndInitializeSid, SetNamedSecurityInfoW, GetSecurityDescriptorControl, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorOwner, RevertToSelf, ImpersonateSelf, AdjustTokenPrivileges, OpenThreadToken, CreateProcessAsUserW
COMCTL32.dll |
gdiplus.dll | GdipGetImageWidth, GdipGetImageHeight, GdipLoadImageFromStream, GdipGetPropertyItemSize, GdipDeleteGraphics, GdipImageGetFrameCount, GdipCreateFromHDC, GdipImageSelectActiveFrame, GdipFree, GdipDisposeImage, GdipDrawImageRectI, GdipAlloc, GdipGetPropertyItem, GdipCloneImage, GdipImageGetFrameDimensionsCount, GdiplusShutdown, GdiplusStartup, GdipImageGetFrameDimensionsList
SHLWAPI.dll | PathMatchSpecW
GDI32.dll | DeleteDC, CreateCompatibleDC, SetBkMode, GetTextExtentPoint32W, SelectObject, DeleteObject, CreateCompatibleBitmap, BitBlt, SetTextColor, CreateFontIndirectW
ole32.dll | CLSIDFromString, CoCreateInstance, CreateStreamOnHGlobal
CRYPT32.dll | CryptProtectData, CryptUnprotectData

Name | Ordinal | Address
asw_process_storage_allocate_connector | 1 | 0x4531a0
asw_process_storage_deallocate_connector | 2 | 0x4531c0
on_avast_dll_unload | 3 | 0x4449e0
onexit_register_connector_avast_2 | 4 | 0x453020

Language of compilation system | Country where language is spoken | Map
English | United States |

Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-30T01:42:15.165409+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49743 | 13.85.23.86 | 192.168.2.4
2024-07-30T01:42:53.161893+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49780 | 13.85.23.86 | 192.168.2.4

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 30, 2024 01:41:56.046843052 CEST | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.046897888 CEST | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:56.046977997 CEST | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.050012112 CEST | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.050035000 CEST | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:56.563612938 CEST | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:56.563679934 CEST | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.568295002 CEST | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.568306923 CEST | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:56.568558931 CEST | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:56.615503073 CEST | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.615567923 CEST | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.615575075 CEST | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:56.760987997 CEST | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:56.761075020 CEST | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:56.761123896 CEST | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.761262894 CEST | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.761280060 CEST | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:56.781949043 CEST | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.781980038 CEST | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:56.782057047 CEST | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.782361984 CEST | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:56.782380104 CEST | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:57.271234989 CEST | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:57.271308899 CEST | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:57.283313990 CEST | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:57.283344030 CEST | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:57.284081936 CEST | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:57.290324926 CEST | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:57.290376902 CEST | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:57.290395975 CEST | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:57.431833982 CEST | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:57.432118893 CEST | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:41:57.432200909 CEST | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:57.440716982 CEST | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:41:57.440746069 CEST | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:42:16.033009052 CEST | 49748 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:42:16.033088923 CEST | 443 | 49748 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:42:16.033171892 CEST | 49748 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:42:16.033690929 CEST | 49748 | 443 | 192.168.2.4 | 34.117.223.223
Jul 30, 2024 01:42:16.033725977 CEST | 443 | 49748 | 34.117.223.223 | 192.168.2.4
Jul 30, 2024 01:42:16.440002918 CEST | 49750 | 443 | 192.168.2.4 | 34.117.223.223
                                                    Jul 30, 2024 01:42:16.440042019 CEST4434975034.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:16.440107107 CEST49750443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:16.452991962 CEST49750443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:16.453010082 CEST4434975034.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:16.514204979 CEST4434974834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:16.514422894 CEST49748443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:16.516031981 CEST49748443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:16.516061068 CEST4434974834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:16.516294956 CEST4434974834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:16.525095940 CEST49748443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:16.525326967 CEST49748443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:16.525338888 CEST4434974834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:16.653295994 CEST4434974834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:16.653583050 CEST49748443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:17.740169048 CEST4434975034.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:17.740283012 CEST49750443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:17.817307949 CEST49751443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:17.817390919 CEST4434975134.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:17.817634106 CEST49751443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:17.818974972 CEST49751443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:17.819008112 CEST4434975134.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:17.896918058 CEST49750443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:17.896955013 CEST4434975034.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:17.897491932 CEST4434975034.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:17.900006056 CEST49750443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:17.900051117 CEST4434975034.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:18.044013023 CEST4434975034.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:18.044096947 CEST4434975034.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:18.044279099 CEST49750443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:18.044523001 CEST49750443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:18.044553041 CEST4434975034.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:18.315058947 CEST4434975134.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:18.315129995 CEST49751443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:18.319412947 CEST49751443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:18.319425106 CEST4434975134.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:18.319964886 CEST4434975134.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:18.320516109 CEST49751443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:18.364496946 CEST4434975134.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:18.452771902 CEST4434975134.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:18.452867031 CEST4434975134.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:18.453291893 CEST49751443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:18.453944921 CEST49751443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:18.453974009 CEST4434975134.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:19.587363958 CEST49756443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:19.587424040 CEST4434975634.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:19.587488890 CEST49756443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:19.587928057 CEST49756443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:19.587946892 CEST4434975634.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:20.075213909 CEST4434975634.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:20.075297117 CEST49756443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:20.077646017 CEST49756443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:20.077672005 CEST4434975634.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:20.077893019 CEST4434975634.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:20.079150915 CEST49756443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:20.120523930 CEST4434975634.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:20.219819069 CEST4434975634.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:20.219887972 CEST4434975634.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:20.220047951 CEST49756443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:20.224605083 CEST49756443192.168.2.434.160.176.28
                                                    Jul 30, 2024 01:42:20.224637985 CEST4434975634.160.176.28192.168.2.4
                                                    Jul 30, 2024 01:42:29.256099939 CEST49778443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:29.256196976 CEST4434977834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:29.256278992 CEST49778443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:29.256722927 CEST49778443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:29.256759882 CEST4434977834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:29.746864080 CEST4434977834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:29.746963024 CEST49778443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:29.748577118 CEST49778443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:29.748610973 CEST4434977834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:29.749097109 CEST4434977834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:29.749681950 CEST49778443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:29.749730110 CEST4434977834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:29.882150888 CEST4434977834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:29.882510900 CEST4434977834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:29.882713079 CEST49778443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:29.882942915 CEST49778443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:29.882983923 CEST4434977834.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:30.196999073 CEST49779443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:30.197094917 CEST4434977934.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:30.197177887 CEST49779443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:30.197776079 CEST49779443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:30.197813034 CEST4434977934.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:30.683881044 CEST4434977934.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:30.683964014 CEST49779443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:30.685561895 CEST49779443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:30.685583115 CEST4434977934.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:30.686611891 CEST4434977934.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:30.687108994 CEST49779443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:30.687180042 CEST4434977934.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:30.819058895 CEST4434977934.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:30.819452047 CEST4434977934.117.223.223192.168.2.4
                                                    Jul 30, 2024 01:42:30.819552898 CEST49779443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:30.819792986 CEST49779443192.168.2.434.117.223.223
                                                    Jul 30, 2024 01:42:30.819828987 CEST4434977934.117.223.223192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 30, 2024 01:41:56.024414062 CEST | 192.168.2.4 | 1.1.1.1 | 0x5fcc | Standard query (0) | analytics.avcdn.net | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:41:56.859787941 CEST | 192.168.2.4 | 1.1.1.1 | 0xab15 | Standard query (0) | honzik.avcdn.net | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:16.421094894 CEST | 192.168.2.4 | 1.1.1.1 | 0x512 | Standard query (0) | analytics.avcdn.net | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:16.973572016 CEST | 192.168.2.4 | 1.1.1.1 | 0xf5 | Standard query (0) | shepherd.avcdn.net | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:18.500868082 CEST | 192.168.2.4 | 1.1.1.1 | 0xa360 | Standard query (0) | honzik.avcdn.net | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:19.568034887 CEST | 192.168.2.4 | 1.1.1.1 | 0xfab8 | Standard query (0) | shepherd.avcdn.net | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:20.870697975 CEST | 192.168.2.4 | 1.1.1.1 | 0xef97 | Standard query (0) | honzik.avcdn.net | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:20.871200085 CEST | 192.168.2.4 | 1.1.1.1 | 0x5e50 | Standard query (0) | honzik.avcdn.net | 28 | IN (0x0001) | false
Jul 30, 2024 01:42:21.249564886 CEST | 192.168.2.4 | 1.1.1.1 | 0x5f79 | Standard query (0) | honzik.avcdn.net | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:21.249954939 CEST | 192.168.2.4 | 1.1.1.1 | 0x4962 | Standard query (0) | honzik.avcdn.net | 28 | IN (0x0001) | false
Jul 30, 2024 01:42:28.632208109 CEST | 192.168.2.4 | 1.1.1.1 | 0x2cc0 | Standard query (0) | analytics.avcdn.net | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:30.178438902 CEST | 192.168.2.4 | 1.1.1.1 | 0x2b23 | Standard query (0) | analytics.avcdn.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 30, 2024 01:41:56.042337894 CEST | 1.1.1.1 | 192.168.2.4 | 0x5fcc | No error (0) | analytics.avcdn.net | analytics.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:41:56.042337894 CEST | 1.1.1.1 | 192.168.2.4 | 0x5fcc | No error (0) | analytics.ff.avast.com | analytics-prod-gcp.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:41:56.042337894 CEST | 1.1.1.1 | 192.168.2.4 | 0x5fcc | No error (0) | analytics-prod-gcp.ff.avast.com | | 34.117.223.223 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:41:56.878886938 CEST | 1.1.1.1 | 192.168.2.4 | 0xab15 | No error (0) | honzik.avcdn.net | s-honzik.avcdn.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:16.438846111 CEST | 1.1.1.1 | 192.168.2.4 | 0x512 | No error (0) | analytics.avcdn.net | analytics.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:16.438846111 CEST | 1.1.1.1 | 192.168.2.4 | 0x512 | No error (0) | analytics.ff.avast.com | analytics-prod-gcp.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:16.438846111 CEST | 1.1.1.1 | 192.168.2.4 | 0x512 | No error (0) | analytics-prod-gcp.ff.avast.com | | 34.117.223.223 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:17.741175890 CEST | 1.1.1.1 | 192.168.2.4 | 0xf5 | No error (0) | shepherd.avcdn.net | shepherd.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:17.741175890 CEST | 1.1.1.1 | 192.168.2.4 | 0xf5 | No error (0) | shepherd.ff.avast.com | shepherd-gcp.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:17.741175890 CEST | 1.1.1.1 | 192.168.2.4 | 0xf5 | No error (0) | shepherd-gcp.ff.avast.com | | 34.160.176.28 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:18.519789934 CEST | 1.1.1.1 | 192.168.2.4 | 0xa360 | No error (0) | honzik.avcdn.net | s-honzik.avcdn.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:19.586733103 CEST | 1.1.1.1 | 192.168.2.4 | 0xfab8 | No error (0) | shepherd.avcdn.net | shepherd.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:19.586733103 CEST | 1.1.1.1 | 192.168.2.4 | 0xfab8 | No error (0) | shepherd.ff.avast.com | shepherd-gcp.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:19.586733103 CEST | 1.1.1.1 | 192.168.2.4 | 0xfab8 | No error (0) | shepherd-gcp.ff.avast.com | | 34.160.176.28 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:20.890980005 CEST | 1.1.1.1 | 192.168.2.4 | 0x5e50 | No error (0) | honzik.avcdn.net | s-honzik.avcdn.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:20.973156929 CEST | 1.1.1.1 | 192.168.2.4 | 0xef97 | No error (0) | honzik.avcdn.net | s-honzik.avcdn.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:21.268982887 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f79 | No error (0) | honzik.avcdn.net | s-honzik.avcdn.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:21.353382111 CEST | 1.1.1.1 | 192.168.2.4 | 0x4962 | No error (0) | honzik.avcdn.net | s-honzik.avcdn.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:29.255342960 CEST | 1.1.1.1 | 192.168.2.4 | 0x2cc0 | No error (0) | analytics.avcdn.net | analytics.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:29.255342960 CEST | 1.1.1.1 | 192.168.2.4 | 0x2cc0 | No error (0) | analytics.ff.avast.com | analytics-prod-gcp.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:29.255342960 CEST | 1.1.1.1 | 192.168.2.4 | 0x2cc0 | No error (0) | analytics-prod-gcp.ff.avast.com | | 34.117.223.223 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 01:42:30.196244001 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b23 | No error (0) | analytics.avcdn.net | analytics.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:30.196244001 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b23 | No error (0) | analytics.ff.avast.com | analytics-prod-gcp.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 01:42:30.196244001 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b23 | No error (0) | analytics-prod-gcp.ff.avast.com | | 34.117.223.223 | A (IP address) | IN (0x0001) | false
                                                    • analytics.avcdn.net
                                                    • shepherd.avcdn.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 34.117.223.223 | 443 | 7544 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 23:41:56 UTC | 138 | OUT | POST /v4/receive/json/25 HTTP/1.1
                                                    Connection: Keep-Alive
                                                    User-Agent: Icarus Http/1.0
                                                    Content-Length: 986
                                                    Host: analytics.avcdn.net
2024-07-29 23:41:56 UTC | 986 | OUT | Data Raw: (hex dump omitted; the decoded payload is shown in the Data Ascii line that follows)
                                                    Data Ascii: {"record":[{"event":{"type":25,"subtype":1,"request_id":"8134ecb5-cae0-4d84-a9c3-ab482e0200f8","time":1722303339959},"setup":{"common":{"operation":"install","session_id":"c16de336-3921-435f-af06-35b55f506ddf","stage":"sfx-start","title":""},"product":{"n
2024-07-29 23:41:56 UTC | 216 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Mon, 29 Jul 2024 23:41:56 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 19
                                                    Via: 1.1 google
                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                    Connection: close
2024-07-29 23:41:56 UTC | 19 | IN | Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d
                                                    Data Ascii: {"processed": true}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49735 | 34.117.223.223 | 443 | 7544 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 23:41:57 UTC | 139 | OUT | POST /v4/receive/json/25 HTTP/1.1
                                                    Connection: Keep-Alive
                                                    User-Agent: Icarus Http/1.0
                                                    Content-Length: 1017
                                                    Host: analytics.avcdn.net
2024-07-29 23:41:57 UTC | 1017 | OUT | Data Raw: (hex dump omitted; the decoded payload is shown in the Data Ascii line that follows)
                                                    Data Ascii: {"record":[{"event":{"type":25,"subtype":1,"request_id":"9e50ffe5-24c9-40b7-b4e7-b37bb6e31f36","time":1722303340067},"setup":{"common":{"operation":"install","session_id":"c16de336-3921-435f-af06-35b55f506ddf","stage":"sfx-preparing","title":""},"product"
2024-07-29 23:41:57 UTC | 216 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Mon, 29 Jul 2024 23:41:57 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 19
                                                    Via: 1.1 google
                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                    Connection: close
2024-07-29 23:41:57 UTC | 19 | IN | Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d
                                                    Data Ascii: {"processed": true}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49748 | 34.117.223.223 | 443 | 7544 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 23:42:16 UTC | 139 | OUT | POST /v4/receive/json/25 HTTP/1.1
                                                    Connection: Keep-Alive
                                                    User-Agent: Icarus Http/1.0
                                                    Content-Length: 1047
                                                    Host: analytics.avcdn.net
2024-07-29 23:42:16 UTC | 1047 | OUT | Data Raw: (hex dump omitted; the decoded payload is shown in the Data Ascii line that follows)
                                                    Data Ascii: {"record":[{"event":{"type":25,"subtype":1,"request_id":"e037105f-fbf0-42c8-93e8-e0647d971ffb","time":1722303898382},"setup":{"common":{"operation":"install","session_id":"c16de336-3921-435f-af06-35b55f506ddf","stage":"sfx-running-icarus","title":"AVG Ant
2024-07-29 23:42:16 UTC | 216 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Mon, 29 Jul 2024 23:42:16 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 19
                                                    Via: 1.1 google
                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49750 | 34.117.223.223 | 443 | 7836 | C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 23:42:17 UTC | 243 | OUT | POST /v4/receive/json/25 HTTP/1.1
                                                    Host: analytics.avcdn.net
                                                    User-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0
                                                    Accept: */*
                                                    Accept-Encoding: deflate, gzip
                                                    Content-Type: application/json
                                                    Content-Length: 1758
                                                    2024-07-29 23:42:17 UTC | 1758 | OUT | Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 0a 09 22 65 76 65 6e 74 22 20 3a 20 0a 09 7b 0a 09 09 22 72 65 71 75 65 73 74 5f 69 64 22 20 3a 20 22 64 66 31 37 38 36 30 62 2d 38 34 37 61 2d 34 30 33 66 2d 62 34 64 35 2d 31 35 38 65 62 63 38 30 38 32 36 38 22 2c 0a 09 09 22 73 75 62 74 79 70 65 22 20 3a 20 31 2c 0a 09 09 22 74 69 6d 65 22 20 3a 20 31 37 32 32 33 30 33 33 36 30 36 39 30 2c 0a 09 09 22 74 79 70 65 22 20 3a 20 32 35 0a 09 7d 2c 0a 09 22 69 64 65 6e 74 69 74 79 22 20 3a 20 0a 09 7b 0a 09 09 22 65 6e 64 70 6f 69 6e 74 5f 69 64 22 20 3a 20 22 66 66 39 32 31 62 63 62 2d 36 63 32 34 2d 34 63 63 64 2d 62 36 38 30 2d 36 32 39 66 65 61 31 61 63 38 30 31 22 2c 0a 09 09 22 66 69 6e 67 65 72 70 72 69 6e 74 22 20 3a 20 22 30 38 37 46 30 45 33 31 43 35 45 45 38 34
                                                    Data Ascii: {"record":[{"event" : {"request_id" : "df17860b-847a-403f-b4d5-158ebc808268","subtype" : 1,"time" : 1722303360690,"type" : 25},"identity" : {"endpoint_id" : "ff921bcb-6c24-4ccd-b680-629fea1ac801","fingerprint" : "087F0E31C5EE84
                                                    2024-07-29 23:42:18 UTC | 216 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Mon, 29 Jul 2024 23:42:17 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 19
                                                    Via: 1.1 google
                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                    Connection: close
                                                    2024-07-29 23:42:18 UTC | 19 | IN | Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d
                                                    Data Ascii: {"processed": true}


                                                    Session ID:4
                                                    Source IP:192.168.2.4
                                                    Source Port:49751
                                                    Destination IP:34.160.176.28
                                                    Destination Port:443
                                                    PID:7836
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-07-29 23:42:18 UTC | 397 | OUT | GET /?p_age=0&p_cpua=x64&p_edi=15&p_icar=1&p_lng=en&p_midex=3F5C7CD44D1F6AC769934CADA267B4DF5D947186C770C67293689B94B6A17DFA&p_ost=0&p_osv=10.0&p_pro=111&p_prod=avg-av&p_ram=8191&p_vbd=9311&p_vep=24&p_ves=7&p_vre=1966&repoid=release& HTTP/1.1
                                                    Host: shepherd.avcdn.net
                                                    User-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0
                                                    Accept: */*
                                                    Accept-Encoding: deflate, gzip
                                                    2024-07-29 23:42:18 UTC | 586 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Mon, 29 Jul 2024 23:42:18 GMT
                                                    Content-Type: text/plain
                                                    Content-Length: 757
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Expose-Headers: Config-Id, Config-Name, Config-Version, Segments, AB-Tests, TTL, TTL-Spread
                                                    Config-Id: 41
                                                    Config-Name: Icarus_ipm-messaging-in-22.11-and-higher_avg-av-release_avg-av-7bf18af74dcd19fd6a51bfa4edc69116d6a4a99efe277dab391351e8b66a23ed
                                                    Config-Version: 528
                                                    Segments: ipm messaging in 22.11 and higher,avg-av release,avg-av
                                                    TTL: 86400
                                                    TTL-Spread: 43200
                                                    Via: 1.1 google
                                                    Alt-Svc: clear
                                                    Connection: close
                                                    2024-07-29 23:42:18 UTC | 757 | IN | Data Raw: 5b 75 69 2e 6f 66 66 65 72 2e 61 63 74 69 6f 6e 73 5d 0d 0a 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 69 70 6d 2e 61 76 63 64 6e 2e 6e 65 74 2f 0d 0a 5b 75 69 2e 6f 66 66 65 72 2e 77 65 6c 63 6f 6d 65 5d 0d 0a 6c 6f 61 64 74 69 6d 65 72 3d 31 30 30 30 30 0d 0a 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 69 70 6d 2e 61 76 63 64 6e 2e 6e 65 74 2f 0d 0a 5b 62 75 67 72 65 70 6f 72 74 5d 0d 0a 70 72 6f 64 75 63 74 5f 66 69 6e 69 73 68 65 64 5f 65 72 72 6f 72 73 3d 32 35 38 2c 34 35 30 32 31 0d 0a 5b 72 65 70 6f 72 74 69 6e 67 5d 0d 0a 64 69 73 61 62 6c 65 5f 63 68 65 63 6b 66 6f 72 75 70 64 61 74 65 73 3d 31 0d 0a 72 65 70 6f 72 74 5f 61 63 74 69 6f 6e 5f 69 64 73 3d 52 49 44 5f 30 30 31 2c 52 49 44 5f 30 30 32 0d 0a 5b 63 6f 6d 6d 6f 6e 5d 0d 0a 63 6f 6e 66 69 67 2d 64 65
                                                    Data Ascii: [ui.offer.actions]url=https://ipm.avcdn.net/[ui.offer.welcome]loadtimer=10000url=https://ipm.avcdn.net/[bugreport]product_finished_errors=258,45021[reporting]disable_checkforupdates=1report_action_ids=RID_001,RID_002[common]config-de


                                                    Session ID:5
                                                    Source IP:192.168.2.4
                                                    Source Port:49756
                                                    Destination IP:34.160.176.28
                                                    Destination Port:443
                                                    PID:7836
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-07-29 23:42:20 UTC | 392 | OUT | GET /?p_age=0&p_cpua=x64&p_icar=1&p_lng=en&p_midex=3F5C7CD44D1F6AC769934CADA267B4DF5D947186C770C67293689B94B6A17DFA&p_ost=0&p_osv=10.0&p_pro=111&p_prod=avg-av-vps&p_ram=8191&p_vbd=2906&p_vep=24&p_ves=7&p_vre=7018&repoid=release& HTTP/1.1
                                                    Host: shepherd.avcdn.net
                                                    User-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0
                                                    Accept: */*
                                                    Accept-Encoding: deflate, gzip
                                                    2024-07-29 23:42:20 UTC | 592 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Mon, 29 Jul 2024 23:42:20 GMT
                                                    Content-Type: text/plain
                                                    Content-Length: 583
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Expose-Headers: Config-Id, Config-Name, Config-Version, Segments, AB-Tests, TTL, TTL-Spread
                                                    Config-Id: 41
                                                    Config-Name: Icarus_ipm-messaging-in-22.11-and-higher_avg-av-vps-fulldump-test-69c8e65c6e5f9e105128f26c2f66e51341ca9fbb12fb3532f7fcce91e1103d0a
                                                    Config-Version: 528
                                                    Segments: ipm messaging in 22.11 and higher,avg-av-vps fulldump test
                                                    TTL: 86400
                                                    TTL-Spread: 43200
                                                    Via: 1.1 google
                                                    Alt-Svc: clear
                                                    Connection: close
                                                    2024-07-29 23:42:20 UTC | 583 | IN | Data Raw: 5b 75 69 2e 6f 66 66 65 72 2e 61 63 74 69 6f 6e 73 5d 0d 0a 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 69 70 6d 2e 61 76 63 64 6e 2e 6e 65 74 2f 0d 0a 5b 75 69 2e 6f 66 66 65 72 2e 77 65 6c 63 6f 6d 65 5d 0d 0a 6c 6f 61 64 74 69 6d 65 72 3d 31 30 30 30 30 0d 0a 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 69 70 6d 2e 61 76 63 64 6e 2e 6e 65 74 2f 0d 0a 5b 72 65 70 6f 72 74 69 6e 67 5d 0d 0a 64 69 73 61 62 6c 65 5f 63 68 65 63 6b 66 6f 72 75 70 64 61 74 65 73 3d 31 0d 0a 72 65 70 6f 72 74 5f 61 63 74 69 6f 6e 5f 69 64 73 3d 52 49 44 5f 30 30 31 2c 52 49 44 5f 30 30 32 0d 0a 5b 63 6f 6d 6d 6f 6e 5d 0d 0a 63 6f 6e 66 69 67 2d 64 65 66 2d 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 68 65 70 68 65 72 64 2e 61 76 63 64 6e 2e 6e 65 74 2f 0d 0a 72 65 70 6f 72 74 2d 75 72 6c 3d 68 74
                                                    Data Ascii: [ui.offer.actions]url=https://ipm.avcdn.net/[ui.offer.welcome]loadtimer=10000url=https://ipm.avcdn.net/[reporting]disable_checkforupdates=1report_action_ids=RID_001,RID_002[common]config-def-url=https://shepherd.avcdn.net/report-url=ht


                                                    Session ID:6
                                                    Source IP:192.168.2.4
                                                    Source Port:49778
                                                    Destination IP:34.117.223.223
                                                    Destination Port:443
                                                    PID:7836
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-07-29 23:42:29 UTC | 243 | OUT | POST /v4/receive/json/25 HTTP/1.1
                                                    Host: analytics.avcdn.net
                                                    User-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0
                                                    Accept: */*
                                                    Accept-Encoding: deflate, gzip
                                                    Content-Type: application/json
                                                    Content-Length: 2937
                                                    2024-07-29 23:42:29 UTC | 2937 | OUT | Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 0a 09 22 65 76 65 6e 74 22 20 3a 20 0a 09 7b 0a 09 09 22 72 65 71 75 65 73 74 5f 69 64 22 20 3a 20 22 61 37 33 34 66 34 62 36 2d 36 61 64 62 2d 34 61 30 38 2d 62 39 63 63 2d 66 61 39 37 37 32 31 39 37 62 37 64 22 2c 0a 09 09 22 73 75 62 74 79 70 65 22 20 3a 20 31 2c 0a 09 09 22 74 69 6d 65 22 20 3a 20 31 37 32 32 33 30 33 33 37 32 39 30 37 2c 0a 09 09 22 74 79 70 65 22 20 3a 20 32 35 0a 09 7d 2c 0a 09 22 69 64 65 6e 74 69 74 79 22 20 3a 20 0a 09 7b 0a 09 09 22 65 6e 64 70 6f 69 6e 74 5f 69 64 22 20 3a 20 22 66 66 39 32 31 62 63 62 2d 36 63 32 34 2d 34 63 63 64 2d 62 36 38 30 2d 36 32 39 66 65 61 31 61 63 38 30 31 22 2c 0a 09 09 22 66 69 6e 67 65 72 70 72 69 6e 74 22 20 3a 20 22 30 38 37 46 30 45 33 31 43 35 45 45 38 34
                                                    Data Ascii: {"record":[{"event" : {"request_id" : "a734f4b6-6adb-4a08-b9cc-fa9772197b7d","subtype" : 1,"time" : 1722303372907,"type" : 25},"identity" : {"endpoint_id" : "ff921bcb-6c24-4ccd-b680-629fea1ac801","fingerprint" : "087F0E31C5EE84
                                                    2024-07-29 23:42:29 UTC | 216 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Mon, 29 Jul 2024 23:42:29 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 19
                                                    Via: 1.1 google
                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                    Connection: close
                                                    2024-07-29 23:42:29 UTC | 19 | IN | Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d
                                                    Data Ascii: {"processed": true}


                                                    Session ID:7
                                                    Source IP:192.168.2.4
                                                    Source Port:49779
                                                    Destination IP:34.117.223.223
                                                    Destination Port:443
                                                    PID:7836
                                                    Process:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-07-29 23:42:30 UTC | 243 | OUT | POST /v4/receive/json/25 HTTP/1.1
                                                    Host: analytics.avcdn.net
                                                    User-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0
                                                    Accept: */*
                                                    Accept-Encoding: deflate, gzip
                                                    Content-Type: application/json
                                                    Content-Length: 2991
                                                    2024-07-29 23:42:30 UTC | 2991 | OUT | Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 0a 09 22 65 76 65 6e 74 22 20 3a 20 0a 09 7b 0a 09 09 22 72 65 71 75 65 73 74 5f 69 64 22 20 3a 20 22 30 39 34 31 63 31 63 39 2d 31 63 61 61 2d 34 37 61 32 2d 62 38 31 63 2d 30 36 64 61 34 31 33 61 37 39 64 66 22 2c 0a 09 09 22 73 75 62 74 79 70 65 22 20 3a 20 31 2c 0a 09 09 22 74 69 6d 65 22 20 3a 20 31 37 32 32 33 30 33 33 37 34 34 35 37 2c 0a 09 09 22 74 79 70 65 22 20 3a 20 32 35 0a 09 7d 2c 0a 09 22 69 64 65 6e 74 69 74 79 22 20 3a 20 0a 09 7b 0a 09 09 22 65 6e 64 70 6f 69 6e 74 5f 69 64 22 20 3a 20 22 66 66 39 32 31 62 63 62 2d 36 63 32 34 2d 34 63 63 64 2d 62 36 38 30 2d 36 32 39 66 65 61 31 61 63 38 30 31 22 2c 0a 09 09 22 66 69 6e 67 65 72 70 72 69 6e 74 22 20 3a 20 22 30 38 37 46 30 45 33 31 43 35 45 45 38 34
                                                    Data Ascii: {"record":[{"event" : {"request_id" : "0941c1c9-1caa-47a2-b81c-06da413a79df","subtype" : 1,"time" : 1722303374457,"type" : 25},"identity" : {"endpoint_id" : "ff921bcb-6c24-4ccd-b680-629fea1ac801","fingerprint" : "087F0E31C5EE84
                                                    2024-07-29 23:42:30 UTC | 216 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Mon, 29 Jul 2024 23:42:30 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 19
                                                    Via: 1.1 google
                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                    Connection: close
                                                    2024-07-29 23:42:30 UTC | 19 | IN | Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d
                                                    Data Ascii: {"processed": true}


                                                    Target ID:0
                                                    Start time:19:41:54
                                                    Start date:29/07/2024
                                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe"
                                                    Imagebase:0x5a0000
                                                    File size:1'631'120 bytes
                                                    MD5 hash:678507E1459F47A4D77AACE80D42D52D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:2
                                                    Start time:19:42:14
                                                    Start date:29/07/2024
                                                    Path:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\icarus-info.xml /install /sssid:7544
                                                    Imagebase:0x7ff78c0b0000
                                                    File size:8'064'960 bytes
                                                    MD5 hash:0CD5718F7F5F8529FE4FF773DEF52DAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:3
                                                    Start time:19:42:15
                                                    Start date:29/07/2024
                                                    Path:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\common\icarus_ui.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699
                                                    Imagebase:0x7ff74b540000
                                                    File size:12'255'680 bytes
                                                    MD5 hash:CF058EAA95EAD820532B59B686023E53
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:7
                                                    Start time:19:42:26
                                                    Start date:29/07/2024
                                                    Path:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av-vps\icarus.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699 /er_slave:avg-av-vps_slave_ep_9790da46-df0d-4eaf-836c-333e7f0f6bff /slave:avg-av-vps
                                                    Imagebase:0x7ff6d7c30000
                                                    File size:8'064'960 bytes
                                                    MD5 hash:0CD5718F7F5F8529FE4FF773DEF52DAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:8
                                                    Start time:19:42:26
                                                    Start date:29/07/2024
                                                    Path:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\icarus.exe /sssid:7544 /er_master:master_ep_c49a148d-d41a-4006-9442-19e426280197 /er_ui:ui_ep_581b4bdb-9d29-4a49-a4c3-bb80fc26b699 /er_slave:avg-av_slave_ep_83aa3eab-76fa-4cb3-9fbe-ff74362582a9 /slave:avg-av
                                                    Imagebase:0x7ff63d1c0000
                                                    File size:8'064'960 bytes
                                                    MD5 hash:0CD5718F7F5F8529FE4FF773DEF52DAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:9
                                                    Start time:19:42:28
                                                    Start date:29/07/2024
                                                    Path:C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Temp\asw-15964abc-1925-4c12-b178-1ccb084db464\avg-av\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC
                                                    Imagebase:0x7f0000
                                                    File size:2'455'480 bytes
                                                    MD5 hash:540BA85561D8F29851603BE4FAAB266A
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:19:42:28
                                                    Start date:29/07/2024
                                                    Path:C:\Users\Public\Documents\aswOfferTool.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC
                                                    Imagebase:0xa50000
                                                    File size:2'455'480 bytes
                                                    MD5 hash:540BA85561D8F29851603BE4FAAB266A
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                      Execution Graph

                                                      Execution Coverage:11.9%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:15.1%
                                                      Total number of Nodes:2000
                                                      Total number of Limit Nodes:21
                                                      execution_graph 81695 61d630 81696 61d640 81695->81696 81697 61d664 _AnonymousOriginator 81695->81697 81696->81697 81699 61d6fc 81696->81699 81711 5c8440 81697->81711 81726 67343f 81699->81726 81700 61d69a 81701 5c8440 41 API calls 81700->81701 81703 61d6a5 81701->81703 81715 61f380 81703->81715 81706 61d6b0 _AnonymousOriginator 81719 612a50 81706->81719 81708 61d6c8 _AnonymousOriginator 81723 654fa0 81708->81723 81710 61d6e0 _AnonymousOriginator 81712 5c844b 81711->81712 81713 5c846c _AnonymousOriginator 81711->81713 81712->81711 81712->81713 81714 67343f std::_Throw_Cpp_error 41 API calls 81712->81714 81713->81700 81714->81712 81717 61f390 _AnonymousOriginator 81715->81717 81718 61f3bd 81715->81718 81716 5c8440 41 API calls 81716->81717 81717->81716 81717->81718 81718->81706 81720 612a85 81719->81720 81722 612a60 _AnonymousOriginator 81719->81722 81720->81708 81721 5c8440 41 API calls 81721->81722 81722->81720 81722->81721 81731 655730 81723->81731 81745 67337b 41 API calls _vsnprintf 81726->81745 81728 67344e 81746 67345c 11 API calls CallUnexpected 81728->81746 81730 67345b 81733 65573b 81731->81733 81732 654fc7 81732->81710 81733->81732 81735 677900 81733->81735 81738 6899fa 81735->81738 81739 689a05 RtlFreeHeap 81738->81739 81743 677918 81738->81743 81740 689a1a GetLastError 81739->81740 81739->81743 81741 689a27 __dosmaperr 81740->81741 81744 6778e2 14 API calls __dosmaperr 81741->81744 81743->81733 81744->81743 81745->81728 81746->81730 81747 6270c0 81748 627103 GetWindowLongW 81747->81748 81751 6270d6 81747->81751 81749 627112 81748->81749 81750 627128 81748->81750 81753 627140 170 API calls 81749->81753 81752 62712b DefWindowProcW 81750->81752 81751->81752 81754 6270e0 SetWindowLongW 81751->81754 81755 627121 81753->81755 81758 627140 81754->81758 81757 6270fc 81759 6271a2 81758->81759 81760 627776 81759->81760 81761 6271ca 81759->81761 81765 62746e 81760->81765 81770 627792 KillTimer 81760->81770 
[Execution graph omitted: this part of the report is a call-graph edge list (numeric node IDs joined by "->") that does not survive text extraction. The Windows API calls named on the graph nodes are, in order of first appearance: KillTimer, PostQuitMessage, DefWindowProcW, BeginPaint, SetTimer, InvalidateRect, GdipImageSelectActiveFrame, CoCreateInstance, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt, SetBkMode, EndPaint, SetTextColor, GdipGetImageWidth, GetSystemMetrics, MoveWindow, GdipGetImageHeight, KiUserExceptionDispatcher, SendMessageW, SetWindowTextW, GetModuleHandleW, GetProcAddress, GetCurrentThreadId, ReleaseSRWLockExclusive, GlobalAlloc, GlobalLock, GlobalFree, GlobalUnlock, CreateStreamOnHGlobal, GdipLoadImageFromStream, GdipImageGetFrameDimensionsCount, GdipImageGetFrameDimensionsList, SetEvent, GdipImageGetFrameCount, GdipGetPropertyItemSize, GetDC, DeleteDC, ReleaseDC, GdipCreateFromHDC, GdipDrawImageRectI, GdipDeleteGraphics, InitOnceBeginInitialize, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, GetSystemTimePreciseAsFileTime, GetSystemTimeAsFileTime, GdipAlloc, RtlAllocateHeap, EnterCriticalSection, LeaveCriticalSection, GdipGetPropertyItem, InitOnceComplete, GetSystemInfo, GetVersionExW, RtlGetVersion, GetStartupInfoW, K32GetMappedFileNameW, GetLastError, GetFileVersionInfoSizeW, GetFileVersionInfoW, GetFileAttributesW, SetFileAttributesW, DeleteFileW, Sleep, WakeAllConditionVariable, LCMapStringEx, GetCommandLineW, CreateThread, GetModuleHandleExW, CloseHandle, FreeLibrary, HeapAlloc, ExitThread, SetLastError, GetPEB, LoadLibraryExW, WakeConditionVariable, WideCharToMultiByte. The remaining nodes are compiler runtime and C++ standard library internals (e.g. std::_Throw_Cpp_error, _ValidateLocalCookies, __dosmaperr, Concurrency::cancel_current_task, std::_Facet_Register). The graph is truncated at the end of this section.]
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error 42 API calls 83380->83381 83383 5cdf56 83381->83383 83382 5cdf7c _AnonymousOriginator 83382->83293 83383->83382 83384 67343f std::_Throw_Cpp_error 41 API calls 83383->83384 83385 5cdfa9 83384->83385 83387 64a687 43 API calls 83386->83387 83388 5b670a 83387->83388 83389 5b683a 83388->83389 83390 5b6738 83388->83390 83391 5c82c0 SimpleUString::operator= 43 API calls 83389->83391 83394 5c8020 std::_Throw_Cpp_error 43 API calls 83390->83394 83392 5b6776 _Yarn 83391->83392 83393 67343f std::_Throw_Cpp_error 41 API calls 83392->83393 83396 5b67e7 _Yarn _AnonymousOriginator 83392->83396 83395 5b6844 83393->83395 83394->83392 83397 5b6700 83 API calls 83395->83397 83398 5b6869 _Yarn 83395->83398 83396->83310 83401 5b6920 83397->83401 83398->83310 83399 5b7040 43 API calls 83400 5b6a20 __fread_nolock 83399->83400 83402 5b6650 83 API calls 83400->83402 83401->83399 83405 5b6aad 83402->83405 83403 64d0d5 _ValidateLocalCookies 5 API calls 83404 5b6b6e 83403->83404 83404->83310 83405->83403 83407 6034a1 83406->83407 83408 60348e 83406->83408 83409 6034bd 83407->83409 83423 5b8490 43 API calls 4 library calls 83407->83423 83422 5b8490 43 API calls 4 library calls 83408->83422 83411 6034e1 83409->83411 83424 5b8490 43 API calls 4 library calls 83409->83424 83412 6034fd 83411->83412 83425 5b8490 43 API calls 4 library calls 83411->83425 83412->83170 83417 60375f 83416->83417 83426 603b00 83417->83426 83419 60377e 83420 64d0d5 _ValidateLocalCookies 5 API calls 83419->83420 83421 6036b8 83420->83421 83421->83174 83422->83407 83423->83409 83424->83411 83425->83412 83427 5f22e0 98 API calls 83426->83427 83428 603b71 83427->83428 83429 604815 GetLastError 83428->83429 83437 603baf 83428->83437 83579 604752 83429->83579 83430 604b00 47 API calls 83431 60482c 83430->83431 83432 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83431->83432 83435 60483d GetLastError 83432->83435 83433 5b74a0 45 
API calls 83434 603c30 83433->83434 83439 5c8440 41 API calls 83434->83439 83436 604b00 47 API calls 83435->83436 83438 604854 83436->83438 83437->83433 83440 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83438->83440 83444 603c68 83439->83444 83441 604865 83440->83441 83442 67343f std::_Throw_Cpp_error 41 API calls 83441->83442 83443 60486a GetLastError 83442->83443 83445 604b00 47 API calls 83443->83445 83444->83435 83447 63e0c0 43 API calls 83444->83447 83446 604881 83445->83446 83448 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83446->83448 83449 603caa 83447->83449 83450 604892 GetLastError 83448->83450 83453 5b74a0 45 API calls 83449->83453 83451 604b00 47 API calls 83450->83451 83452 6048a9 83451->83452 83454 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83452->83454 83455 603cc9 83453->83455 83456 6048ba GetLastError 83454->83456 83457 5b74a0 45 API calls 83455->83457 83458 604b00 47 API calls 83456->83458 83459 603cf5 83457->83459 83460 6048d1 83458->83460 83461 5ca0b0 43 API calls 83459->83461 83462 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83460->83462 83463 603d15 83461->83463 83464 6048e2 GetLastError 83462->83464 83465 5c8440 41 API calls 83463->83465 83466 604b00 47 API calls 83464->83466 83467 603d20 83465->83467 83468 6048f9 83466->83468 83469 5c8440 41 API calls 83467->83469 83470 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83468->83470 83475 603d28 _AnonymousOriginator 83469->83475 83471 60490a 83470->83471 83472 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83471->83472 83473 604933 83472->83473 83474 67343f std::_Throw_Cpp_error 41 API calls 83473->83474 83476 604938 GetLastError 83474->83476 83475->83441 83475->83443 83475->83450 83480 5f2260 98 API calls 83475->83480 83477 604b00 47 API calls 83476->83477 83478 60494f 83477->83478 83479 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83478->83479 
83481 604960 GetLastError 83479->83481 83482 603de6 83480->83482 83483 604b00 47 API calls 83481->83483 83485 5f23f0 98 API calls 83482->83485 83484 604977 83483->83484 83486 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83484->83486 83487 603df6 83485->83487 83488 604988 GetLastError 83486->83488 83491 603e14 GetLastError 83487->83491 83500 603e7a 83487->83500 83489 604b00 47 API calls 83488->83489 83490 60499f 83489->83490 83492 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83490->83492 83493 6051a0 75 API calls 83491->83493 83494 6049b0 GetLastError 83492->83494 83493->83500 83495 605480 47 API calls 83494->83495 83496 6049d0 83495->83496 83497 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83496->83497 83498 6049e1 83497->83498 83501 604b30 47 API calls 83498->83501 83499 604c90 84 API calls 83539 604205 83499->83539 83500->83456 83500->83464 83502 60418a 83500->83502 83503 603f3f GetFileSizeEx 83500->83503 83536 603fd7 _AnonymousOriginator 83500->83536 83504 604a07 83501->83504 83508 5f7300 43 API calls 83502->83508 83502->83536 83505 603f60 83503->83505 83506 6040e3 GetLastError 83503->83506 83507 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83504->83507 83511 603f76 SetFilePointerEx 83505->83511 83505->83536 83510 6040f5 83506->83510 83506->83536 83509 604a18 GetLastError 83507->83509 83512 6041ac 83508->83512 83513 604b00 47 API calls 83509->83513 83514 63ddf0 43 API calls 83510->83514 83515 603f94 83511->83515 83516 604007 GetLastError 83511->83516 83521 5ab620 SimpleUString::operator= 43 API calls 83512->83521 83517 604a2f 83513->83517 83518 604022 83514->83518 83520 6052c0 43 API calls 83515->83520 83519 63ddf0 43 API calls 83516->83519 83522 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83517->83522 83523 605360 165 API calls 83518->83523 83519->83518 83524 603fa9 83520->83524 83526 6041cb 83521->83526 83525 604a40 GetLastError 83522->83525 83523->83536 
83529 5ab620 SimpleUString::operator= 43 API calls 83524->83529 83528 604b00 47 API calls 83525->83528 83527 5c8440 41 API calls 83526->83527 83527->83536 83530 604a57 83528->83530 83531 603fc8 83529->83531 83532 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83530->83532 83533 5c8440 41 API calls 83531->83533 83534 604a68 GetLastError 83532->83534 83533->83536 83535 604b00 47 API calls 83534->83535 83537 604a7f 83535->83537 83536->83471 83536->83473 83536->83499 83540 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83537->83540 83538 60431e 83545 60433a SetFilePointerEx 83538->83545 83551 60436b 83538->83551 83539->83476 83539->83481 83539->83488 83539->83494 83539->83498 83539->83538 83542 6042d5 83539->83542 83541 604a90 83540->83541 83544 5ada80 43 API calls 83541->83544 83543 5c8440 41 API calls 83542->83543 83547 6042e4 83543->83547 83546 604a95 GetLastError 83544->83546 83545->83509 83548 604351 SetEndOfFile 83545->83548 83549 604b00 47 API calls 83546->83549 83555 5c8440 41 API calls 83547->83555 83548->83525 83548->83551 83552 604aac 83549->83552 83550 6043ce GetLastError 83550->83534 83560 6043df 83550->83560 83551->83550 83551->83560 83556 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83552->83556 83553 60442c 83554 5d0fc0 43 API calls 83553->83554 83557 60445d __fread_nolock 83554->83557 83594 6042f6 83555->83594 83558 604abd GetLastError 83556->83558 83562 5d0f60 41 API calls 83557->83562 83559 604b00 47 API calls 83558->83559 83561 604ad4 83559->83561 83560->83541 83560->83553 83564 605840 43 API calls 83560->83564 83563 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 83561->83563 83583 60448e 83562->83583 83565 604ae5 83563->83565 83564->83553 83567 5b9bc0 43 API calls 83565->83567 83566 64d0d5 _ValidateLocalCookies 5 API calls 83568 60480f 83566->83568 83569 604af5 83567->83569 83568->83419 83570 6045c1 GetLastError 83571 6045cc 83570->83571 83572 5f4b50 47 API calls 
83571->83572 83577 6045f2 83572->83577 83573 604501 WriteFile 83575 6045b4 GetLastError 83573->83575 83573->83583 83574 604679 83578 604693 SetFilePointerEx 83574->83578 83585 6046c9 83574->83585 83575->83571 83576 604746 83576->83579 83587 6046c7 __fread_nolock 83576->83587 83582 64bbc5 15 API calls 83577->83582 83578->83546 83581 6046ad SetEndOfFile 83578->83581 83579->83430 83580 6059a0 43 API calls 83580->83583 83581->83558 83581->83587 83584 604628 83582->83584 83583->83570 83583->83573 83583->83580 83592 6045af 83583->83592 83595 6186a0 107 API calls 83583->83595 83586 6690c8 ___std_exception_destroy 14 API calls 83584->83586 83585->83587 83588 5cea90 43 API calls 83585->83588 83586->83592 83587->83473 83587->83565 83589 604798 _AnonymousOriginator 83587->83589 83588->83587 83590 5c8440 41 API calls 83589->83590 83591 6047c2 83590->83591 83593 5c8440 41 API calls 83591->83593 83592->83574 83592->83576 83593->83594 83594->83566 83595->83583 83597 5b6930 83 API calls 83596->83597 83598 5f7212 83597->83598 83599 64d0d5 _ValidateLocalCookies 5 API calls 83598->83599 83600 5f7263 83599->83600 83600->83188 83933 5d4080 83602->83933 83604 5f90ef 83605 5d4080 std::_Throw_Cpp_error 43 API calls 83604->83605 83606 5f90fd 83605->83606 83968 5fc6a0 83606->83968 83608 5f9152 83609 5d4080 std::_Throw_Cpp_error 43 API calls 83608->83609 83610 5f9177 83609->83610 83611 5f91ab _AnonymousOriginator 83610->83611 83613 5fb508 83610->83613 83612 5fc6a0 60 API calls 83611->83612 83614 5f920a 83612->83614 83615 67343f std::_Throw_Cpp_error 41 API calls 83613->83615 83616 5d4080 std::_Throw_Cpp_error 43 API calls 83614->83616 83617 5fb585 83615->83617 83621 5f922f _AnonymousOriginator 83616->83621 83618 5b6700 83 API calls 83617->83618 83620 5fb58a 83618->83620 83623 67343f std::_Throw_Cpp_error 41 API calls 83620->83623 83978 5f1770 83621->83978 83625 5fb5a3 83623->83625 83628 5f92ac 83629 5fc6a0 60 API calls 83628->83629 83630 5f9305 83629->83630 83631 5d4080 std::_Throw_Cpp_error 
43 API calls 83630->83631 83634 5f932a _AnonymousOriginator 83631->83634 83632 5c8440 41 API calls 83633 5f93d5 83632->83633 83995 64c7f9 83633->83995 83634->83632 83636 5f93da __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 83637 5d4080 std::_Throw_Cpp_error 43 API calls 83636->83637 83640 5f9461 _AnonymousOriginator 83637->83640 83638 5d4080 std::_Throw_Cpp_error 43 API calls 83639 5f94b7 83638->83639 83641 5d4080 std::_Throw_Cpp_error 43 API calls 83639->83641 83640->83638 83642 5f94c5 83641->83642 83643 5d4080 std::_Throw_Cpp_error 43 API calls 83642->83643 83644 5f94d3 83643->83644 83998 5f8de0 83644->83998 83647 5fc6a0 60 API calls 83648 5f9543 83647->83648 83649 5d4080 std::_Throw_Cpp_error 43 API calls 83648->83649 83651 5f9568 _AnonymousOriginator 83649->83651 83650 5f8d30 60 API calls 83652 5f9613 83650->83652 83651->83650 83653 5fc6a0 60 API calls 83652->83653 83654 5f9673 83653->83654 83655 5d4080 std::_Throw_Cpp_error 43 API calls 83654->83655 83657 5f9698 _AnonymousOriginator 83655->83657 83656 5f8de0 60 API calls 83658 5f9742 83656->83658 83657->83656 83659 5fc6a0 60 API calls 83658->83659 83660 5f97a2 83659->83660 83661 5d4080 std::_Throw_Cpp_error 43 API calls 83660->83661 83664 5f97c7 _AnonymousOriginator 83661->83664 83662 5f8d30 60 API calls 83663 5f9872 83662->83663 83665 5fc6a0 60 API calls 83663->83665 83664->83662 83666 5f98d2 83665->83666 83667 5d4080 std::_Throw_Cpp_error 43 API calls 83666->83667 83668 5f98f7 _AnonymousOriginator 83667->83668 83669 5d4080 std::_Throw_Cpp_error 43 API calls 83668->83669 83670 5f99a0 83669->83670 83671 5f9b14 83670->83671 83673 5d4080 std::_Throw_Cpp_error 43 API calls 83670->83673 83672 5d4080 std::_Throw_Cpp_error 43 API calls 83671->83672 83674 5f9b22 83672->83674 83675 5f99bb 83673->83675 83676 5fc6a0 60 API calls 83674->83676 83677 5f8de0 60 API calls 83675->83677 83678 5f9b75 83676->83678 83680 5f99cb 83677->83680 83679 5d4080 std::_Throw_Cpp_error 43 API calls 83678->83679 83684 5f9b9a 
_AnonymousOriginator 83679->83684 84101 5d35c0 43 API calls std::_Throw_Cpp_error 83680->84101 83682 5d4080 std::_Throw_Cpp_error 43 API calls 83685 5f9bf0 83682->83685 83683 5f9a3b 84102 5c84b0 41 API calls 2 library calls 83683->84102 83684->83682 83687 5d4080 std::_Throw_Cpp_error 43 API calls 83685->83687 83688 5f9a46 84103 5c84b0 41 API calls 2 library calls 83688->84103 83693 5f9a52 83934 5d40e1 83933->83934 83938 5d40a8 _Yarn 83933->83938 83935 5d41df 83934->83935 83936 5d40f0 83934->83936 83937 5c82c0 SimpleUString::operator= 43 API calls 83935->83937 83940 5c8020 std::_Throw_Cpp_error 43 API calls 83936->83940 83943 5d4136 _Yarn 83937->83943 83938->83604 83939 67343f std::_Throw_Cpp_error 41 API calls 83941 5d41e9 83939->83941 83940->83943 83942 5c7e70 std::_Throw_Cpp_error 43 API calls 83941->83942 83944 5d4248 83942->83944 83943->83939 83947 5d4196 _Yarn _AnonymousOriginator 83943->83947 83945 5d4270 83944->83945 83946 5d4080 std::_Throw_Cpp_error 43 API calls 83944->83946 83948 5d4080 std::_Throw_Cpp_error 43 API calls 83945->83948 83946->83945 83947->83604 83949 5d42a4 83948->83949 83950 5d42ce _AnonymousOriginator 83949->83950 83952 5d4399 83949->83952 83951 669065 ___std_exception_copy 42 API calls 83950->83951 83953 5d432c 83951->83953 83954 67343f std::_Throw_Cpp_error 41 API calls 83952->83954 83955 5d435b _AnonymousOriginator 83953->83955 83956 5d439e 83953->83956 83954->83956 83957 64d0d5 _ValidateLocalCookies 5 API calls 83955->83957 83959 67343f std::_Throw_Cpp_error 41 API calls 83956->83959 83958 5d4390 83957->83958 83958->83604 83960 5d43a3 83959->83960 83961 5c8080 std::_Throw_Cpp_error 43 API calls 83960->83961 83962 5d4434 83961->83962 83963 5d41f0 std::_Throw_Cpp_error 43 API calls 83962->83963 83965 5d444a 83963->83965 83964 5d4470 _AnonymousOriginator 83964->83604 83965->83964 83966 67343f std::_Throw_Cpp_error 41 API calls 83965->83966 83967 5d449d _AnonymousOriginator 83966->83967 83967->83604 83969 5fc870 60 API calls 83968->83969 
83970 5fc6b9 83969->83970 83971 5c5c50 41 API calls 83970->83971 83973 5fc6c4 83971->83973 83972 5fc6eb _AnonymousOriginator 83972->83608 83973->83972 83974 67343f std::_Throw_Cpp_error 41 API calls 83973->83974 83975 5fc6fe 83974->83975 83976 5fc6a0 60 API calls 83975->83976 83977 5fc716 83976->83977 83977->83608 83979 5f1670 23 API calls 83978->83979 83980 5f177d 83979->83980 83981 5f1670 23 API calls 83980->83981 83982 5f178a 83981->83982 83983 5c7c60 83982->83983 83984 5c7b40 43 API calls 83983->83984 83985 5c7d77 83984->83985 83986 5f8d30 83985->83986 83987 5f8d68 83986->83987 83988 5b6d00 47 API calls 83987->83988 83989 5f8d76 83988->83989 83990 5f8de0 60 API calls 83989->83990 83991 5f8d8a 83990->83991 83992 5f8db0 _AnonymousOriginator 83991->83992 83993 67343f std::_Throw_Cpp_error 41 API calls 83991->83993 83992->83628 83994 5f8dd3 83993->83994 83996 64cc05 __Xtime_get_ticks GetSystemTimePreciseAsFileTime GetSystemTimeAsFileTime 83995->83996 83997 64c807 83996->83997 83997->83636 83999 5f8e52 _AnonymousOriginator 83998->83999 84000 5f8fb0 83999->84000 84001 5d4080 43 API calls std::_Throw_Cpp_error 83999->84001 84002 5d34a0 43 API calls 83999->84002 84003 5fc6a0 60 API calls 83999->84003 84004 5f8fc5 83999->84004 84000->83647 84001->83999 84002->83999 84003->83999 84005 67343f std::_Throw_Cpp_error 41 API calls 84004->84005 84006 5f8fca 84005->84006 84101->83683 84102->83688 84103->83693 84115 5aa969 84114->84115 84118 5ab25f 84114->84118 84115->82401 84115->82404 84115->82405 84115->82419 84118->84115 84123 5ad7a0 43 API calls 3 library calls 84118->84123 84124 5ab4f0 84118->84124 84119->82406 84120->82419 84121->82419 84122->82419 84123->84118 84125 5ab52b 84124->84125 84126 5ab507 84124->84126 84130 5ab53d _Yarn 84125->84130 84132 5c82c0 43 API calls SimpleUString::operator= 84125->84132 84126->84118 84128 67343f std::_Throw_Cpp_error 41 API calls 84129 5ab615 84128->84129 84130->84128 84131 5ab5cc _Yarn _AnonymousOriginator 84130->84131 84131->84118 
84133->82428 84134->82434 84135->82449 84136->82452 84156 5cbf70 84137->84156 84139 5cc04d NtQueryInformationProcess 84141 5cc07e 84139->84141 84142 5cc069 84139->84142 84183 5c9c10 84141->84183 84143 64d0d5 _ValidateLocalCookies 5 API calls 84142->84143 84146 5cc07a 84143->84146 84146->82458 84147 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84148 5cc09c 84147->84148 84226 5adbc0 84149->84226 84152 5ad0ac 84154 5c8440 41 API calls 84152->84154 84153 5c8440 41 API calls 84153->84152 84155 5a8b1d 84154->84155 84155->82464 84155->82465 84157 5cbf9c GetModuleHandleW 84156->84157 84158 5cbfce 84156->84158 84159 5cbfdf GetLastError 84157->84159 84160 5cbfb2 GetProcAddress 84157->84160 84161 64d0d5 _ValidateLocalCookies 5 API calls 84158->84161 84194 5ce4b0 84159->84194 84162 5cbfc9 84160->84162 84163 5cc007 GetLastError 84160->84163 84164 5cbfd8 84161->84164 84162->84158 84186 5cf210 84163->84186 84164->84139 84167 5cbff9 84168 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84167->84168 84168->84163 84169 5cc021 84170 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84169->84170 84171 5cc02f 84170->84171 84172 5cbf70 83 API calls 84171->84172 84173 5cc04d NtQueryInformationProcess 84172->84173 84175 5cc07e 84173->84175 84176 5cc069 84173->84176 84178 5c9c10 Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error 42 API calls 84175->84178 84177 64d0d5 _ValidateLocalCookies 5 API calls 84176->84177 84180 5cc07a 84177->84180 84179 5cc08d 84178->84179 84181 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84179->84181 84180->84139 84182 5cc09c 84181->84182 84184 5c8160 Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error 42 API calls 84183->84184 84185 5c9c21 84184->84185 84185->84147 84187 5b6930 83 API calls 84186->84187 84188 5cf288 84187->84188 84202 5c8160 84188->84202 84190 5cf2c7 _AnonymousOriginator 84190->84169 84192 67343f std::_Throw_Cpp_error 
41 API calls 84193 5cf2f4 84192->84193 84195 5b6930 83 API calls 84194->84195 84196 5ce52d 84195->84196 84197 5c8160 Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error 42 API calls 84196->84197 84199 5ce546 84197->84199 84198 5ce56c _AnonymousOriginator 84198->84167 84199->84198 84200 67343f std::_Throw_Cpp_error 41 API calls 84199->84200 84201 5ce599 84200->84201 84213 669065 84202->84213 84206 6690c8 ___std_exception_destroy 14 API calls 84208 5c81bd 84206->84208 84210 669065 ___std_exception_copy 42 API calls 84208->84210 84209 64d0d5 _ValidateLocalCookies 5 API calls 84211 5c81eb 84209->84211 84212 5c81c7 84210->84212 84211->84190 84211->84192 84221 6690c8 84212->84221 84214 669072 84213->84214 84220 5c81ad 84213->84220 84215 678fa0 _Yarn 15 API calls 84214->84215 84214->84220 84216 66908f 84215->84216 84217 66909f 84216->84217 84225 67984d 41 API calls 2 library calls 84216->84225 84219 677900 std::exception_ptr::~exception_ptr 14 API calls 84217->84219 84219->84220 84220->84206 84220->84212 84222 6690d5 84221->84222 84223 5c81da 84221->84223 84224 677900 std::exception_ptr::~exception_ptr 14 API calls 84222->84224 84223->84209 84224->84223 84225->84217 84227 5adc4f _vsnprintf 84226->84227 84238 6777c3 84227->84238 84230 5adccc 84244 5b6f20 84230->84244 84233 5adc84 84236 6777c3 53 API calls 84233->84236 84234 5adcef 84235 64d0d5 _ValidateLocalCookies 5 API calls 84234->84235 84237 5ad09a 84235->84237 84236->84230 84237->84152 84237->84153 84239 6777d7 _vsnprintf 84238->84239 84258 6738fb 84239->84258 84246 5b6f85 _AnonymousOriginator 84244->84246 84250 5b6f2e _AnonymousOriginator 84244->84250 84245 5b6f62 84245->84246 84247 67343f std::_Throw_Cpp_error 41 API calls 84245->84247 84246->84234 84249 5b6fb0 84247->84249 84248 5c8440 41 API calls 84248->84250 84251 6690c8 ___std_exception_destroy 14 API calls 84249->84251 84250->84245 84250->84248 84252 5b6fd5 _AnonymousOriginator 84251->84252 84252->84234 84253 5b73e0 84254 5b73f9 
84253->84254 84255 5b743d 84253->84255 84254->84233 84280 5b7280 84255->84280 84257 5b744c 84257->84233 84259 673927 84258->84259 84260 67394a 84258->84260 84275 6733b2 29 API calls 2 library calls 84259->84275 84260->84259 84263 673952 84260->84263 84262 67393f 84264 64d0d5 _ValidateLocalCookies 5 API calls 84262->84264 84276 6760ce 53 API calls _vsnprintf 84263->84276 84265 673a7c 84264->84265 84269 67316b 84265->84269 84267 6739d3 84277 6755f0 14 API calls ___free_lconv_mon 84267->84277 84270 673177 84269->84270 84271 67318e 84270->84271 84278 673216 41 API calls 2 library calls 84270->84278 84272 5adc6c 84271->84272 84279 673216 41 API calls 2 library calls 84271->84279 84272->84230 84272->84233 84272->84253 84275->84262 84276->84267 84277->84262 84278->84271 84279->84272 84281 5b73c6 84280->84281 84288 5b72a4 _Yarn 84280->84288 84290 5c82c0 43 API calls SimpleUString::operator= 84281->84290 84283 67343f std::_Throw_Cpp_error 41 API calls 84284 5b73d0 84283->84284 84286 5b7280 43 API calls 84284->84286 84289 5b73f9 84284->84289 84285 5b7361 _Yarn _AnonymousOriginator 84285->84257 84287 5b744c 84286->84287 84287->84257 84288->84283 84288->84285 84289->84257 84292 5ef90a 84291->84292 84293 5ef681 84291->84293 84294 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84292->84294 84295 5b7ba0 53 API calls 84293->84295 84296 5ef921 84294->84296 84297 5ef6ae 84295->84297 84466 5c82c0 43 API calls SimpleUString::operator= 84296->84466 84346 5ef950 84297->84346 84302 5ef6ca 84414 5b79f0 84302->84414 84305 5c9ae0 44 API calls 84307 5ef71a 84305->84307 84309 5b7ba0 53 API calls 84307->84309 84311 5ef71f 84309->84311 84310 5c7da0 43 API calls 84312 5ef706 84310->84312 84313 5ef950 88 API calls 84311->84313 84315 5c8440 41 API calls 84312->84315 84314 5ef734 84313->84314 84314->84302 84316 5ef765 84314->84316 84318 5ef859 84315->84318 84317 5c9ae0 44 API calls 84316->84317 84319 5ef774 84317->84319 84320 5c8440 41 API calls 84318->84320 84321 5b7ba0 53 API 
calls 84319->84321 84322 5ef861 84320->84322 84323 5ef779 84321->84323 84324 64d0d5 _ValidateLocalCookies 5 API calls 84322->84324 84325 5ef950 88 API calls 84323->84325 84326 5ee51f 84324->84326 84327 5ef78e 84325->84327 84326->82488 84328 5ef87f 84327->84328 84329 5ef799 84327->84329 84331 5c7da0 43 API calls 84328->84331 84420 5ee770 SHGetFolderPathW 84329->84420 84333 5ef892 84331->84333 84350 5eefc0 FindFirstVolumeW 84333->84350 84334 5ab620 SimpleUString::operator= 43 API calls 84336 5ef7bf 84334->84336 84338 5b79f0 83 API calls 84336->84338 84340 5ef833 84338->84340 84341 5c7da0 43 API calls 84340->84341 84342 5ef83e 84341->84342 84343 5c8440 41 API calls 84342->84343 84344 5ef846 84343->84344 84345 5c8440 41 API calls 84344->84345 84345->84312 84347 5ef961 84346->84347 84347->84347 84348 5b8350 88 API calls 84347->84348 84349 5ef6c3 84348->84349 84349->84302 84349->84305 84351 5ef33b GetLastError 84350->84351 84368 5ef026 ___vcrt_FlsSetValue 84350->84368 84352 5c9c10 Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error 42 API calls 84351->84352 84353 5ef352 84352->84353 84354 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84353->84354 84355 5ef363 84354->84355 84359 5cdec0 83 API calls 84355->84359 84356 5ef10f FindNextVolumeW 84357 5ef127 GetLastError 84356->84357 84356->84368 84357->84355 84358 5ef136 GetLastError 84357->84358 84358->84355 84364 5ef37b 84359->84364 84360 5ef38c 84476 64d213 5 API calls std::_Locinfo::_Locinfo_dtor 84360->84476 84361 5ef08b QueryDosDeviceW 84361->84356 84361->84368 84365 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84364->84365 84365->84360 84366 5ef391 84368->84356 84368->84360 84368->84361 84369 677ab3 51 API calls 84368->84369 84370 5ef13b 84368->84370 84467 67e4cd 84368->84467 84369->84368 84371 5ab620 SimpleUString::operator= 43 API calls 84370->84371 84372 5ef1c8 84371->84372 84373 5b79f0 83 API calls 84372->84373 84374 5ef2c4 84373->84374 84375 5c7da0 
43 API calls 84374->84375 84376 5ef2cf 84375->84376 84377 5c8440 41 API calls 84376->84377 84378 5ef2da 84377->84378 84379 5c8440 41 API calls 84378->84379 84380 5ef2e5 84379->84380 84381 5c8440 41 API calls 84380->84381 84382 5ef2f0 84381->84382 84383 5c8440 41 API calls 84382->84383 84384 5ef2fb FindVolumeClose 84383->84384 84385 5c8440 41 API calls 84384->84385 84386 5ef30a 84385->84386 84387 64d0d5 _ValidateLocalCookies 5 API calls 84386->84387 84388 5ef323 84387->84388 84389 5ef3a0 84388->84389 84390 5ef3f3 84389->84390 84391 5ef459 GetVolumePathNamesForVolumeNameW 84390->84391 84480 64d6ae 84391->84480 84415 5b7ac7 84414->84415 84416 5b7a14 84414->84416 84415->84310 84416->84415 84417 5b7a73 84416->84417 84481 5b9f70 84416->84481 84417->84415 84488 5b7840 83 API calls _Yarn 84417->84488 84421 5ee803 84420->84421 84422 5ee7d3 84420->84422 84443 64d0d5 _ValidateLocalCookies 5 API calls 84421->84443 84423 5ee7de GetWindowsDirectoryW 84422->84423 84424 5ee808 84422->84424 84425 5ee7f8 84423->84425 84426 5ee9c0 GetLastError 84423->84426 84427 5ee80d GetSystemDirectoryW 84424->84427 84428 5ee837 84424->84428 84425->84421 84431 5ee9f1 84425->84431 84496 5eee40 85 API calls 5 library calls 84426->84496 84432 5ee827 84427->84432 84433 5eea20 GetLastError 84427->84433 84429 5ee83c 84428->84429 84430 5ee848 84428->84430 84490 5eea90 100 API calls _ValidateLocalCookies 84429->84490 84438 5ee84d 84430->84438 84439 5ee859 84430->84439 84497 5eee40 85 API calls 5 library calls 84431->84497 84432->84421 84441 5eea51 84432->84441 84498 5eee40 85 API calls 5 library calls 84433->84498 84435 5ee9e0 84442 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84435->84442 84491 5eebd0 100 API calls _ValidateLocalCookies 84438->84491 84446 5ee85e 84439->84446 84447 5ee87f 84439->84447 84499 5eee40 85 API calls 5 library calls 84441->84499 84442->84431 84450 5ee93c 84443->84450 84444 5eea0f 84451 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 
84444->84451 84492 5ee660 96 API calls 84446->84492 84454 5ee888 84447->84454 84455 5ee940 84447->84455 84448 5eea40 84453 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84448->84453 84450->84334 84451->84433 84453->84441 84493 5ee660 96 API calls 84454->84493 84457 5ee995 84455->84457 84458 5ee945 84455->84458 84456 5eea6f 84460 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84456->84460 84495 5eee40 85 API calls 5 library calls 84457->84495 84494 5ee660 96 API calls 84458->84494 84463 5eea80 84460->84463 84464 5ee9af 84465 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84464->84465 84465->84426 84473 67e455 84467->84473 84468 67e471 84477 6778e2 14 API calls __dosmaperr 84468->84477 84471 67e4a1 84472 67e485 84471->84472 84479 6778e2 14 API calls __dosmaperr 84471->84479 84472->84368 84473->84468 84473->84471 84475 67e47b 84478 67342f 41 API calls __fread_nolock 84475->84478 84476->84366 84477->84475 84478->84472 84479->84475 84482 5b9f89 84481->84482 84487 5ba025 _Yarn _AnonymousOriginator 84481->84487 84486 5b9fa2 _Yarn 84482->84486 84489 5c82c0 43 API calls SimpleUString::operator= 84482->84489 84484 67343f std::_Throw_Cpp_error 41 API calls 84485 5ba075 84484->84485 84486->84484 84486->84487 84487->84417 84488->84417 84490->84421 84491->84421 84492->84421 84493->84421 84494->84421 84495->84464 84496->84435 84497->84444 84498->84448 84499->84456 84500->82506 84502 5c8390 84501->84502 84503 5eac82 ExpandEnvironmentStringsW 84502->84503 84504 5eaccf 84503->84504 84505 5eaf3d GetLastError 84503->84505 84504->84505 84507 5eacda 84504->84507 84546 5d0f20 47 API calls 84505->84546 84509 5eacdf 84507->84509 84511 5b73e0 43 API calls 84507->84511 84508 5eaf51 84510 669660 Concurrency::cancel_current_task KiUserExceptionDispatcher 84508->84510 84532 5eaf90 84509->84532 84512 5eaf5f GetLastError 84510->84512 84511->84509 84547 5ed5e0 47 API calls 84512->84547 84515 5ead0b 84517 5c8440 41 API calls 84515->84517 
Control-flow graph data (node/edge dump of the interactive graph, continued from the previous entry; omitted). The dump covers the routines at 5ea7b0 (CreateDirectoryW with a GetFileAttributesW/SetLastError fallback), 64a301 (delay-load helper: LoadLibraryExA, GetProcAddress, VirtualProtect, RaiseException), 5d6650 (EnterCriticalSection, GetFileSizeEx, WriteFile, FlushFileBuffers), 5eb2a0 (SetFileInformationByHandle retried with Sleep after GetLastError), 5f51d0 (HeapSetInformation, SetDllDirectoryW, IsProcessorFeaturePresent, ExitProcess) and 6975f3 (CreateFileW, GetFileType, CloseHandle).
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,kernel32.dll), ref: 005FEE7C
                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005FEE8E
                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005FEE9D
                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 005FF3BB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
• Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$AttributesFileHandleModule
                                                      • String ID: "$... $03E7$@Sfx_Starting$@Sfx_Title$A3F703E7$A3F703E7$COLOR$Execute setup master process '{}' failed!$F$GIF$N$Restart is required$SFX started with command line '{}'$Unable to verify DSA signature for gep:'{}' $Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$clear$csm$ga_clientid$geps$icarus-info-path$icarus-info.xml$install$isfx$isfx$kernel32.dll$lang-id$lang-id$language$process-path$proxy_ini$session-id$sfx-cmd$sfx-dir$sfx-finish$sfx-preparing$sfx-running-icarus$silent$silent$splash$sssid$stub_loading$tmp-path
                                                      • API String ID: 1668155531-2969693249
                                                      • Opcode ID: ca19b7779ba0dac04f36ad5ffd33089187d4b8eb7c6c9c3a13102bc422d651ab
                                                      • Instruction ID: 2e4bcada8488a37ae62007c3c95befa54cda7f438da72972a1485e8ad926c58c
                                                      • Opcode Fuzzy Hash: ca19b7779ba0dac04f36ad5ffd33089187d4b8eb7c6c9c3a13102bc422d651ab
                                                      • Instruction Fuzzy Hash: 26337A74E00219CFDB14DF64C858BADBBB6BF89314F14418AE805AB391DB74AE85CF91
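The API bullets above are the most useful triage data in these entries: a GetModuleHandleW(kernel32.dll) followed by GetProcAddress(Wow64DisableWow64FsRedirection) / GetProcAddress(Wow64RevertWow64FsRedirection) tells you which imports the binary resolves at run time rather than through its import table, and the "String ID" line lists the string constants each routine touches. The script below is an added example, not Joe Sandbox code and not part of this report: it parses bullets of the exact shapes shown on this page into records, pairs each GetProcAddress with the DLL named in the closest preceding GetModuleHandle/LoadLibrary call (a heuristic, since the plugin lists call sites in address order rather than as a data-flow trace), and splits a "String ID" line on its `$` separator. The sample text is constructed from bullets copied from this page.

```python
"""Added example (not part of Joe Sandbox or of this report): parse the
report's 'APIs' and 'String ID' bullets into structured records and list
the imports the sample resolves at run time through GetProcAddress."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One bullet of the "APIs" list. Shapes seen in this report:
#   • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005FEE8E
#   • GetLastError.KERNEL32 ref: 005F32C0
#   • Part of subcall function 005D4080: ___std_exception_copy.LIBVCRUNTIME ref: 005D4327
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[^\s.(]+)\.(?P<module>[^\s(]+?)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID = re.compile(r"^\s*•\s*String ID:\s?(?P<body>.*)$")
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # a stack/register value, not a string
MODULE_LOADERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW",
                  "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA"}


@dataclass
class ApiCall:
    func: str
    module: str                       # library the plugin attributed the call to
    args: List[str]                   # raw argument list; "?" means unresolved
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set when listed as part of a subcall


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue                  # headers such as "APIs" are skipped
        raw = m["args"] or ""
        args = [a.strip() for a in raw.split(",")] if raw.strip() else []
        calls.append(ApiCall(m["func"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def is_string_arg(arg: str) -> bool:
    """True when the plugin recovered a string constant rather than '?' or hex."""
    return arg != "?" and not HEX_ARG.match(arg)


def dynamic_imports(calls: List[ApiCall]) -> List[Tuple[Optional[str], str]]:
    """Pair each GetProcAddress that has a recovered name with the DLL named in
    the closest preceding GetModuleHandle/LoadLibrary call (by address).
    Heuristic: the DLL is None when no .dll literal was recovered."""
    resolved: List[Tuple[Optional[str], str]] = []
    current_dll: Optional[str] = None
    for c in sorted(calls, key=lambda call: call.ref):
        if c.subcall_of is not None:
            continue                  # belongs to another routine's listing
        if c.func in MODULE_LOADERS:
            dlls = [a for a in c.args if a.lower().endswith(".dll")]
            current_dll = dlls[-1].lower() if dlls else None
        elif c.func == "GetProcAddress":
            names = [a for a in c.args if is_string_arg(a)]
            if names:
                resolved.append((current_dll, names[-1]))
    return resolved


def referenced_strings(text: str) -> List[str]:
    """Split the 'String ID' line into the string constants the routine
    references; the plugin joins them with '$'."""
    for line in text.splitlines():
        m = STRING_ID.match(line)
        if m:
            return [s for s in m["body"].split("$") if s]
    return []


# Constructed sample: bullets copied from the API listings on this page.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(00000000,kernel32.dll), ref: 005FEE7C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005FEE8E
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005FEE9D
• GetFileAttributesW.KERNEL32(00000000), ref: 005FF3BB
• GetLastError.KERNEL32 ref: 005F32C0
  • Part of subcall function 005D4080: ___std_exception_copy.LIBVCRUNTIME ref: 005D4327
• GetModuleHandleW.KERNEL32(user32.dll), ref: 006276FB
• GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilterEx), ref: 0062770B
• String ID: ChangeWindowMessageFilterEx$Create taskbar interface fail.$Tahoma$user32.dll
"""

if __name__ == "__main__":
    for dll, name in dynamic_imports(parse_api_lines(SAMPLE)):
        print(f"{dll or '?'} -> {name}")
    print(referenced_strings(SAMPLE))
```

Run against the two entries it is drawn from, it reports kernel32.dll resolving the two Wow64 file-system-redirection functions and user32.dll resolving ChangeWindowMessageFilterEx. Treat the DLL column as a hint to confirm in the disassembly, not as proof: a GetModuleHandleW whose argument the plugin could not recover leaves the DLL as None.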
                                                      APIs
                                                      • __Xtime_get_ticks.LIBCPMT ref: 005F93D5
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005F93E3
                                                        • Part of subcall function 005D4080: ___std_exception_copy.LIBVCRUNTIME ref: 005D4327
                                                      • GetSystemInfo.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?), ref: 005FA102
                                                      • __Xtime_get_ticks.LIBCPMT ref: 005FA83C
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005FA84A
                                                      • GetUserDefaultUILanguage.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 005FAD3C
                                                      • GetTimeZoneInformation.KERNELBASE(?,?,00000000,00000000,?,?,00000000,FFFFFFFF,006D0126,?,00000000,00000000,?,?,00000000,00000000), ref: 005FB0DD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
• Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@$DefaultInfoInformationLanguageSystemTimeUserZone___std_exception_copy
                                                      • String ID: "action":"%s",$"aiid":"%s",$"architecture":"%ls",$"available":%I64d$"build":"%d",$"cmdline":"%s"$"common":{$"config":{$"crash_msg":"%s"$"edition":%d,$"endpoint_id":"%ls"$"event":{$"fingerprint":"%ls",$"finish_state":{$"hdd":{$"hwid":"%ls",$"id":%d,$"identity":{$"installation":{$"lang":"%s",$"main_products":[$"memory":%I64d,$"name":"sfx"$"operation":"%s",$"os":"WINDOWS",$"platform":{$"processors":%lu,$"product":{$"reboot":"%s",$"request_id":"%s",$"ret_code":"%s",$"session_id":"%s",$"setup":{$"sfx_ver":"%s",$"stage":"%s",$"subtype":%d,$"system":{$"time_zone":%d$"title":"%s"$"trigger":"%s",$"type":%d,$"version":"%d.%d",$"version_app":"%s"$"workstation":%s$INSTALL$false$ga_clientid$true${"record":[{$}]}
                                                      • API String ID: 1490075515-1594892893
                                                      • Opcode ID: 6e52d09ebb8b0fb08fcf088d38e07dab939c5fb01ab2686370292f970283258e
                                                      • Instruction ID: 1c18c9b880e4e2178e5167617b7570e5dd267e4b3f139dfd635b8e4ddb0a07c0
                                                      • Opcode Fuzzy Hash: 6e52d09ebb8b0fb08fcf088d38e07dab939c5fb01ab2686370292f970283258e
                                                      • Instruction Fuzzy Hash: 60239B71D002188BDB25DB24CC98BEDBBB6BF49304F1481D9E24DAB292D7785B84DF91

Control-flow Graph (interactive graph of the routine at 627140, nodes coloured Executed / Not Executed; the node/edge dump is omitted). The routine is a window procedure: BeginPaint and GDI drawing, GdipGetImageWidth/GdipGetImageHeight, MoveWindow, SetTimer/KillTimer, CoCreateInstance, PostQuitMessage and DefWindowProcW, each of which appears in the APIs list that follows.
                                                      APIs
                                                      • BeginPaint.USER32(?,?,945323AF,00000000,?,?), ref: 006271F5
                                                      • CreateCompatibleDC.GDI32(?), ref: 00627295
                                                      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 006272C0
                                                      • SelectObject.GDI32(00000000,00000000), ref: 006272CE
                                                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00627311
                                                      • SetBkMode.GDI32(00000000,00000001), ref: 0062731A
                                                      • SetTextColor.GDI32(?,00000000), ref: 00627339
                                                      • CreateFontIndirectW.GDI32(FFFFFFF3), ref: 00627380
                                                      • SelectObject.GDI32(?,00000000), ref: 0062738A
                                                      • DrawTextW.USER32(?,?,00000000,00000000,00000801), ref: 006273D8
                                                      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0062740E
                                                      • SelectObject.GDI32(?,00000000), ref: 00627419
                                                      • DeleteObject.GDI32(00000000), ref: 00627420
                                                      • SelectObject.GDI32(?,?), ref: 0062742D
                                                      • DeleteObject.GDI32(?), ref: 00627439
                                                      • DeleteDC.GDI32(?), ref: 00627440
                                                      • EndPaint.USER32(?,?), ref: 00627459
                                                      • PostQuitMessage.USER32(00000000), ref: 006274A1
                                                      • GdipGetImageWidth.GDIPLUS(00000000,?,?,?), ref: 0062757B
                                                      • GdipGetImageHeight.GDIPLUS(00000000,00000000), ref: 006275AE
                                                      • GetSystemMetrics.USER32(00000000), ref: 006275D3
                                                      • GetSystemMetrics.USER32(00000001), ref: 006275E9
                                                      • MoveWindow.USER32(?,00000000,00000000,?,?,00000001), ref: 0062760F
                                                      • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00627640
                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00627651
                                                      • SetWindowTextW.USER32(?,00000000), ref: 0062767F
                                                      • SetTimer.USER32(?,?,?,00000000), ref: 006276E2
                                                      • GetModuleHandleW.KERNEL32(user32.dll), ref: 006276FB
                                                      • GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilterEx), ref: 0062770B
                                                      • KillTimer.USER32(?,?,945323AF,00000000,?,?), ref: 0062776B
                                                      • CoCreateInstance.OLE32(006C89C8,00000000,00000017,006DE594,-00000050,945323AF,00000000,?,?), ref: 00627868
                                                      • DefWindowProcW.USER32(?,?,?,?,945323AF,00000000,?,?), ref: 006278C8
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 006278F5
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 00627900
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
• Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Object$CreateSelect$DeleteMessageTextWindow$CompatibleCpp_errorGdipImageMetricsPaintProcSendSystemThrow_Timerstd::_$AddressBeginBitmapColorDrawFontHandleHeightIndirectInstanceKillModeModuleMovePostQuitWidth
                                                      • String ID: ChangeWindowMessageFilterEx$Create taskbar interface fail.$Initialize taskbar interface fail$Tahoma$d$user32.dll
                                                      • API String ID: 2439645583-1789042967
                                                      • Opcode ID: 4c2d6f584cab6eb63a3ec53aa392cc12fb666d4cc00642cc7417a4987043c084
                                                      • Instruction ID: eabf69d21c43592c15ab130f89644036297813b8af2dfcea7f84d286bf7a2b86
                                                      • Opcode Fuzzy Hash: 4c2d6f584cab6eb63a3ec53aa392cc12fb666d4cc00642cc7417a4987043c084
                                                      • Instruction Fuzzy Hash: D3424A71A046299FDB24DF64DC48FAEBBB6FF09310F144199E909A7291DB31AD41CFA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
• Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 64E867B7$64E867B7$:$DSA verification check of file data '{}' fail!$File is not DSA signed (alias:{})!$PPI dialog return {}$The file name is not specified in product-info.xml for hash '{}', fail!$The product-info.xml '{}' has been correctly unpacked from SFX archive.$The product-info.xml '{}' has not been found in SFX, fail!$The sfx-info.xml does not contain any product data!$\product-info.xml$average-download-speed$base-url$base-url$branding-url$clear$clear$common$isfx$lang-id$n$nosplash$nosplash$online$package$ppi_icd$report-url$silent$silent$splash$stub_loading$verysilent
                                                      • API String ID: 0-3887457418
                                                      • Opcode ID: a11bc3a3ac2d20646815aabf7660781b77ed1b2bc1be10a8b2d9dd76c6f5a719
                                                      • Instruction ID: d638fbc1ae73f0739d774b47080f82eef333393defaf3086b9761aa8247a042f
                                                      • Opcode Fuzzy Hash: a11bc3a3ac2d20646815aabf7660781b77ed1b2bc1be10a8b2d9dd76c6f5a719
                                                      • Instruction Fuzzy Hash: CA334974E002198FCB25DF64C858BEDBBB6BF49314F14419AE409AB391DB70AE85CF91

                                                      Control-flow Graph

                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,{9C7565A2-47C2-4869-B388-8C7F9AD8E577},00000030,945323AF,00000005,00000000), ref: 005F32AB
                                                      • GetClassInfoExW.USER32(00000000), ref: 005F32B2
                                                      • GetLastError.KERNEL32 ref: 005F32C0
                                                      • Sleep.KERNELBASE(00000001), ref: 005F32CA
                                                      • GetProcessHeap.KERNEL32 ref: 005F32E2
                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000034), ref: 005F32F7
                                                      • asw_process_storage_allocate_connector.SECURITEINFO.COM.TROJAN.SIGGEN29.7508.16428.4641 ref: 005F3307
                                                      • InitializeCriticalSection.KERNEL32(00000000), ref: 005F331A
                                                      • GetProcessHeap.KERNEL32 ref: 005F3320
                                                      • GetProcessHeap.KERNEL32 ref: 005F333E
                                                      • RegisterClassExW.USER32(00000030), ref: 005F3360
                                                      • HeapFree.KERNEL32(?,00000000,00000000), ref: 005F3394
                                                      • asw_process_storage_deallocate_connector.SECURITEINFO.COM.TROJAN.SIGGEN29.7508.16428.4641 ref: 005F33A4
                                                      • DeleteCriticalSection.KERNEL32(?), ref: 005F33BF
                                                      • GetProcessHeap.KERNEL32 ref: 005F33C5
                                                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 005F33DB
                                                      • asw_process_storage_deallocate_connector.SECURITEINFO.COM.TROJAN.SIGGEN29.7508.16428.4641 ref: 005F33EB
                                                      • GetLastError.KERNEL32 ref: 005F33F0
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005F3439
                                                      • GetLastError.KERNEL32(Failed to create new process-local storage.,?,006F88C4,?,006F8810,00000000,Failed to get exiting process-local storage.), ref: 005F3467
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005F3471
                                                      Strings
                                                      • Failed to get exiting process-local storage., xrefs: 005F3430
                                                      • Failed to create new process-local storage., xrefs: 005F3462
                                                      • {9C7565A2-47C2-4869-B388-8C7F9AD8E577}, xrefs: 005F32A4, 005F3359
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$ErrorLastN29.7508.16428$ClassConcurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorCriticalFreeSectionasw_process_storage_deallocate_connector.$AllocDeleteHandleInfoInitializeModuleRegisterSleepasw_process_storage_allocate_connector.
                                                      • String ID: Failed to create new process-local storage.$Failed to get exiting process-local storage.${9C7565A2-47C2-4869-B388-8C7F9AD8E577}
                                                      • API String ID: 4292832751-3522392211
                                                      • Opcode ID: 95539de67362a7184af6240e8acfaef8adbd2ff7f1f3077958df59e76a95de5b
                                                      • Instruction ID: 576360e7cc97642909da90ebc07b5bc2ad11d15ad6fbc9d9515c0084b27379a2
                                                      • Opcode Fuzzy Hash: 95539de67362a7184af6240e8acfaef8adbd2ff7f1f3077958df59e76a95de5b
                                                      • Instruction Fuzzy Hash: EC618F71A006189BDB11EFA4DC4CBAEBFBAFB45710F004529F906A7690DB34AA40CF95
                                                      APIs
                                                      • GetVersion.KERNEL32(945323AF,00000001,00000000), ref: 006456AA
                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemFirmwareTable), ref: 006456DB
                                                      • GetProcAddress.KERNEL32(00000000), ref: 006456E2
                                                      • GetSystemFirmwareTable.KERNELBASE ref: 00645705
                                                      • UnmapViewOfFile.KERNEL32(?), ref: 00645FF4
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressFileFirmwareHandleModuleProcSystemTableUnmapVersionView
                                                      • String ID: %d/%d/%d$GetSystemFirmwareTable$NtOpenSection$_DMI$_SM_$kernel32.dll$ntdll.dll
                                                      • API String ID: 1721071831-240571430
                                                      • Opcode ID: 0523a6c32951d8eb6a70bae07d3b1916df076efca51953a73c4844d640208455
                                                      • Instruction ID: 0bd54a4be3d0b1a13be3754363e16a3a098532c3fa2932ec140cfe6e2080c1f7
                                                      • Opcode Fuzzy Hash: 0523a6c32951d8eb6a70bae07d3b1916df076efca51953a73c4844d640208455
                                                      • Instruction Fuzzy Hash: 4762FEB1D04A898BDB25CFA4C8447EDBBB7AF05314F28411DE447AB383E735A946CB85

                                                      Control-flow Graph

                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: launched by:'{}'$*** Ending SFX ({}, {:x}) ***$*** Starting SFX ({}), System({}) ***$7D2020FC$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe$Insufficient integrity level ({})$This operating system ({}.{}.{}) is not supported.$\sfx.log$isfx$sfx-start$op
                                                      • API String ID: 0-3595204317
                                                      • Opcode ID: 96f98d881ded1a351d5e49fdae6c0628c6ffadeeb988e222ca3976795b407baf
                                                      • Instruction ID: 444197fcee4b9d7acbbbd26030d2528e29facb21ec9a96f392d854bf9c461357
                                                      • Opcode Fuzzy Hash: 96f98d881ded1a351d5e49fdae6c0628c6ffadeeb988e222ca3976795b407baf
                                                      • Instruction Fuzzy Hash: 95928674E002298FCF24DF64C854BEDBBB5BF8A314F14419AE449AB291DB746E85CF90
                                                      APIs
                                                      • __Xtime_get_ticks.LIBCPMT ref: 00616FE4
                                                      • __Xtime_get_ticks.LIBCPMT ref: 00617079
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006170A5
                                                        • Part of subcall function 005B74A0: MultiByteToWideChar.KERNEL32(005E64FC,00000000,?,00000002,00000000,00000000,945323AF,00000000), ref: 005B753D
                                                        • Part of subcall function 005B74A0: MultiByteToWideChar.KERNEL32(005E64FC,00000000,00000000,00000002,?,0000FFFE,00000000,00000000), ref: 005B75A4
                                                        • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
                                                      Strings
                                                      • F795, xrefs: 006174CF
                                                      • Download of '{}' succeeded. (speed current: {:6.4f}, total: {:6.4f}), xrefs: 006171C5
                                                      • 1891, xrefs: 006171BA
                                                      • DSA verification check of downloaded LZMA file (url {}) fail, xrefs: 00617502
                                                      • Download of '{}' failed. HTTP status:'{}' err:'{}'., xrefs: 0061736B
                                                      • DSA signature of LZMA file is invalid:'{}', xrefs: 00617532
                                                      • isfx, xrefs: 006171CA
                                                      • No content, xrefs: 00617475
                                                      • ://, xrefs: 0061774B
                                                      • isfx, xrefs: 00617370
                                                      • No content for '{}' status: {}, xrefs: 00617456
                                                      Similarity
                                                      • API ID: ByteCharMultiWideXtime_get_ticks$DispatcherExceptionUnothrow_t@std@@@User__ehfuncinfo$??2@
                                                      • String ID: 1891$://$DSA signature of LZMA file is invalid:'{}'$DSA verification check of downloaded LZMA file (url {}) fail$Download of '{}' failed. HTTP status:'{}' err:'{}'.$Download of '{}' succeeded. (speed current: {:6.4f}, total: {:6.4f})$F795$No content$No content for '{}' status: {}$isfx$isfx
                                                      • API String ID: 2911324042-2516153512
                                                      • Opcode ID: d1bddfb1248cf54fedaa927ad44078fb4b1a12978300693b6a2d3a9dd43d0842
                                                      • Instruction ID: 66315568d3390f1c4ccc242f4e58b4715b884e91bf5dbce7e25602d0aace1589
                                                      • Opcode Fuzzy Hash: d1bddfb1248cf54fedaa927ad44078fb4b1a12978300693b6a2d3a9dd43d0842
                                                      • Instruction Fuzzy Hash: 34428B71E002199FCB14DFA8C845BEDBBB6BF49310F14419AE509AB391DB30AE85CF91
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(ntdll), ref: 005CBFA8
                                                      • GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 005CBFBF
                                                      • GetLastError.KERNEL32 ref: 005CBFDF
                                                      • GetLastError.KERNEL32(?,006F8810,00000000,GetModuleHandleW ({}),00000015,ntdll), ref: 005CC007
                                                      • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000,00000000), ref: 005CC063
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005CC088
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorLast$AddressConcurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorHandleInformationModuleProcProcessQuery
                                                      • String ID: GetModuleHandleW ({})$GetProcAddress ({})$NtQueryInformationProcess$System$System Idle Process$Unable to get image path of process {}!$Unable to retrieve basic process information!$ntdll
                                                      • API String ID: 990396675-4279731967
                                                      • Opcode ID: b137f49f081da17cec8f87842b6aa0ff58b4ef9121acb484e88b515e4620412a
                                                      • Instruction ID: 7812f29b3f4d10cadc58fbd8473da17684a3a6380a0bdc2e9e90b16e3f119b75
                                                      • Opcode Fuzzy Hash: b137f49f081da17cec8f87842b6aa0ff58b4ef9121acb484e88b515e4620412a
                                                      • Instruction Fuzzy Hash: F331A471A0420CAFD714EFA5DC4AEAEBBADBB44710F00451DF91597291EF70AA04CBA6
                                                      APIs
                                                      • LoadLibraryW.KERNELBASE(?,006D0120,00000000,945323AF), ref: 00610E7E
                                                      • GetProcAddress.KERNEL32(00000000,CheckChannelCompatibility), ref: 00610E95
                                                      • FreeLibrary.KERNEL32(?), ref: 00610FCF
                                                      • FreeLibrary.KERNELBASE(?,?,?,00000064,00000000), ref: 0061107B
                                                      • FreeLibrary.KERNEL32(?), ref: 0061112C
                                                      • GetLastError.KERNEL32 ref: 00611134
                                                      Strings
                                                      Similarity
                                                      • API ID: Library$Free$AddressErrorLastLoadProc
                                                      • String ID: 64E867B7$Calling MOD.dll function fail {}$CheckChannelCompatibility$Loading MOD:'{}' fail {}.$MOD.dll function not found$d$isfx
                                                      • API String ID: 1432623064-1777001326
                                                      • Opcode ID: f148f4224e076c407b11133122622115b74166b7eddeed663ad9197d7b1ff142
                                                      • Instruction ID: 51d1bf6cb1267552a4daaad1354b012eda16bc8e0d6d242d5e724c8bd9e81742
                                                      • Opcode Fuzzy Hash: f148f4224e076c407b11133122622115b74166b7eddeed663ad9197d7b1ff142
                                                      • Instruction Fuzzy Hash: F6C136B0E01209EFDF14DF94D955AEEBBB6FF49300F24451AE511AB290DB70AA85CF90
                                                      APIs
                                                      • GetCommandLineW.KERNEL32(?,00000000,?,?,?,?,945323AF), ref: 005A8EE6
                                                      • GetCurrentProcess.KERNEL32(00000008,006D0B18,?,?,?,\sfx.log,00000008), ref: 005A968E
                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,\sfx.log,00000008), ref: 005A9695
                                                      Strings
                                                      Similarity
                                                      • API ID: Process$CommandCurrentLineOpenToken
                                                      • String ID: launched by:'{}'$*** Ending SFX ({}, {:x}) ***$*** Starting SFX ({}), System({}) ***$7D2020FC$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe$\sfx.log$isfx$sfx-start$op
                                                      • API String ID: 2917920145-470741721
                                                      • Opcode ID: 53a3e03be3b718519f00cf7fc13f800c1fc9f26bff18d4d80ab950079d8eac68
                                                      • Instruction ID: 172c23b2210ae6ba681eb3e1f2185e1d3f5a645c6e5a94606a7d75b71631c81f
                                                      • Opcode Fuzzy Hash: 53a3e03be3b718519f00cf7fc13f800c1fc9f26bff18d4d80ab950079d8eac68
                                                      • Instruction Fuzzy Hash: 3A626774E002298FCF24DB64C854BEDBBB6BF8A314F14418AE549A7391DB746E85CF90
                                                      APIs
                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 005F147A
                                                      • GetCurrentProcessId.KERNEL32 ref: 005F1493
                                                      • GetCurrentThreadId.KERNEL32 ref: 005F14AF
                                                      • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 005F14EC
                                                      • GetDiskFreeSpaceExW.KERNELBASE(00000000,?,00000000,00000000), ref: 005F1523
                                                      • GetSystemTimes.KERNELBASE(?,?,?), ref: 005F154C
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 005F15BD
                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000040), ref: 005F1607
                                                      • CryptGenRandom.ADVAPI32(?,00000008,?), ref: 005F1622
                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 005F1644
                                                      Strings
                                                      • Microsoft Base Cryptographic Provider v1.0, xrefs: 005F15FF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Crypt$ContextCurrentSystemTime$AcquireCounterDiskFileFreeGlobalMemoryPerformanceProcessQueryRandomReleaseSpaceStatusThreadTimes
                                                      • String ID: Microsoft Base Cryptographic Provider v1.0
                                                      • API String ID: 1216455848-291530887
                                                      • Opcode ID: 79d365df05af4c0361d378d26e112c66891936314f71d44b7a5482241c0704f6
                                                      • Instruction ID: d0bb6879e824b575e389b66c971fd9014455df4cab800c208137e6963e175904
                                                      • Opcode Fuzzy Hash: 79d365df05af4c0361d378d26e112c66891936314f71d44b7a5482241c0704f6
                                                      • Instruction Fuzzy Hash: 1A513970E4020E9BDB10EB60DE46FEFBB79BF54704F408564E605A6092EBB46B48CF95
                                                      Similarity
                                                      • API ID:
                                                      • String ID: F878$FC6A$Failed to parse product-info data, {}.$Product-info data are empty.$Product-info data can't be parsed.$lfp$nag$progress$shellicon$silent$silent$splash$toaster$x86
                                                      • API String ID: 0-825227871
                                                      • Opcode ID: d7937400ef258fe6e760567b7a782c8b6d8464e15e38d7c12e2a99e373337e21
                                                      • Instruction ID: 212d82788fec2b40ab0be7f6d3b6494cc849801d5aba6f61c55f5f78ff8b71f4
                                                      • Opcode Fuzzy Hash: d7937400ef258fe6e760567b7a782c8b6d8464e15e38d7c12e2a99e373337e21
                                                      • Instruction Fuzzy Hash: E5529C70D00209DFDB10DFA8C845BDDBBB2BF49314F15829AE405AB391DBB5A985CF91
                                                      APIs
                                                      • CryptProtectData.CRYPT32(?,00000000,?), ref: 00626330
                                                      • GetLastError.KERNEL32(Failed to encrypt data), ref: 00626367
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00626372
                                                      • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000005,?), ref: 006263FB
                                                      Similarity
                                                      • API ID: CryptData$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorErrorLastProtectUnprotect
                                                      • String ID: Failed to decrypt data$Failed to encrypt data
                                                      • API String ID: 1281369097-2906240006
                                                      • Opcode ID: a561a74cc18b3fb6221e38d9196fc01772ef283a88f92cf311837c636a6deb41
                                                      • Instruction ID: c942fe65d80ca525917f6907d2c2d28a764b9072e31c011e7e4e728bf6f7653d
                                                      • Opcode Fuzzy Hash: a561a74cc18b3fb6221e38d9196fc01772ef283a88f92cf311837c636a6deb41
                                                      • Instruction Fuzzy Hash: 6851F971A04308AFDB10EF94D945B9EBBE9FB48710F00852EF955A7281DB71AA04CBA5
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtQueryInformationProcess), ref: 005CFD93
                                                      • GetProcAddress.KERNEL32(00000000), ref: 005CFD9A
                                                        • Part of subcall function 0064D8B6: AcquireSRWLockExclusive.KERNEL32(00706D3C,?,?,005B7C08,00707650), ref: 0064D8C0
                                                        • Part of subcall function 0064D8B6: ReleaseSRWLockExclusive.KERNEL32(00706D3C,?,005B7C08,00707650), ref: 0064D8F3
                                                        • Part of subcall function 0064D8B6: WakeAllConditionVariable.KERNEL32(00706D38,?,005B7C08,00707650), ref: 0064D8FE
                                                      • VerSetConditionMask.NTDLL ref: 005CFDFD
                                                      • VerSetConditionMask.NTDLL ref: 005CFE05
                                                      • VerSetConditionMask.NTDLL ref: 005CFE0D
                                                      • VerifyVersionInfoW.KERNEL32(?), ref: 005CFE36
                                                      • GetCurrentProcess.KERNEL32(0000003D,?,00000001,00000000), ref: 005CFE5C
                                                      • NtQueryInformationProcess.NTDLL ref: 005CFE6B
                                                        • Part of subcall function 0064D907: AcquireSRWLockExclusive.KERNEL32(00706D3C,?,?,?,005B7BE1,00707650,945323AF,00000000,0069AB01,000000FF,?,005EF6AE,\Device\LanmanRedirector\,00000019,945323AF), ref: 0064D912
                                                        • Part of subcall function 0064D907: ReleaseSRWLockExclusive.KERNEL32(00706D3C,?,?,?,005B7BE1,00707650,945323AF,00000000,0069AB01,000000FF,?,005EF6AE,\Device\LanmanRedirector\,00000019,945323AF), ref: 0064D94C
                                                      Similarity
                                                      • API ID: ConditionExclusiveLock$Mask$AcquireProcessRelease$AddressCurrentHandleInfoInformationModuleProcQueryVariableVerifyVersionWake
                                                      • String ID: NtQueryInformationProcess$ntdll.dll
                                                      • API String ID: 1799421408-2906145389
                                                      • Opcode ID: c6893b7edea7a69623dfdf85baef4cdf453b724f86cc4a45623cee9ee748dcdf
                                                      • Instruction ID: 186c8bfd457dc6f4c569d291a469fca49d39618bfba75cf4289864285b1d3c1b
                                                      • Opcode Fuzzy Hash: c6893b7edea7a69623dfdf85baef4cdf453b724f86cc4a45623cee9ee748dcdf
                                                      • Instruction Fuzzy Hash: 24410871A483009FD320EF64EC0ABABBBEDEB89714F00455EF949C71D1CA75A500CB56
                                                      APIs
                                                        • Part of subcall function 00647DC0: GetProcessHeap.KERNEL32 ref: 00647E2A
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00644648
                                                      • GetLastError.KERNEL32(?,?,006A5B5D), ref: 00644652
                                                      • GetVolumePathNameW.KERNELBASE(00000000,00000010,00000104,?,?,?,006A5B5D), ref: 006446C9
                                                      • GetLastError.KERNEL32(?,?,?,006A5B5D), ref: 006446D3
                                                      • GetVolumeNameForVolumeMountPointW.KERNELBASE(00000010,00000010,00000104,?,?,?,?,?,006A5B5D), ref: 00644737
                                                      • GetLastError.KERNEL32(?,?,?,?,?,006A5B5D), ref: 00644741
                                                      • CreateFileW.KERNELBASE(00000000,00000000,00000003,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,?,?,006A5B5D), ref: 0064478B
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,006A5B5D), ref: 00644799
                                                      • DeviceIoControl.KERNELBASE(00000000,002D1080,00000000,00000000,?,0000000C,00000000,00000000), ref: 006447BC
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,006A5B5D), ref: 006447C6
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,006A5B5D), ref: 006447DE
                                                      Similarity
                                                      • API ID: ErrorLast$Volume$Name$CloseControlCreateDeviceDirectoryFileHandleHeapMountPathPointProcessSystem
                                                      • String ID:
                                                      • API String ID: 204137380-0
                                                      • Opcode ID: 85153fe14d7bcde5ef6e69ece839e8e8a866150b86459657503565d318e823b9
                                                      • Instruction ID: fc08a7e56853f19a4cf452867eba216ec6a9c98247566060c1d3b458ae4d09e3
                                                      • Opcode Fuzzy Hash: 85153fe14d7bcde5ef6e69ece839e8e8a866150b86459657503565d318e823b9
                                                      • Instruction Fuzzy Hash: 84A18F70A006059FDB44DFA8DC9ABAEBBB6FF49324F14421DE901A7391DB74A941CF90
                                                      APIs
                                                        • Part of subcall function 00647DC0: GetProcessHeap.KERNEL32 ref: 00647E2A
                                                      • CreateFileW.KERNELBASE(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00644C91
                                                      • GetLastError.KERNEL32 ref: 00644C9F
                                                      Similarity
                                                      • API ID: CreateErrorFileHeapLastProcess
                                                      • String ID: \\.\PhysicalDrive%u
                                                      • API String ID: 2202902945-3292898883
                                                      • Opcode ID: b73b81ce111645e6d24ca4f1722a4ad2bdef9a7cb1858d74f2f87987a940b34f
                                                      • Instruction ID: a7c7a5766ed0e767acf3ebcbcf71999b6b622bc2c0258e428c82c35b09ba2896
                                                      • Opcode Fuzzy Hash: b73b81ce111645e6d24ca4f1722a4ad2bdef9a7cb1858d74f2f87987a940b34f
                                                      • Instruction Fuzzy Hash: A2A1AA71E043099BEB10DFA4DC46BEEBBB6BF05310F144219E515AB392DB70AA05CB95
                                                      APIs
                                                        • Part of subcall function 00647DC0: GetProcessHeap.KERNEL32 ref: 00647E2A
                                                      • CreateFileW.KERNELBASE(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00644FDD
                                                      • GetLastError.KERNEL32 ref: 00644FEB
                                                      • DeviceIoControl.KERNELBASE(00000000,00074080,00000000,00000000,?,00000018,00000000,00000000), ref: 0064500F
                                                      • GetLastError.KERNEL32 ref: 00645019
                                                      • CloseHandle.KERNEL32(?,00000000), ref: 0064512D
                                                      Similarity
                                                      • API ID: ErrorLast$CloseControlCreateDeviceFileHandleHeapProcess
                                                      • String ID: \\.\PhysicalDrive%u
                                                      • API String ID: 3681805340-3292898883
                                                      • Opcode ID: 11adba5f7c8c3312aaf6b7e02e55fea60ecc5506e315d93e27dde3dffa2f4c8c
                                                      • Instruction ID: c824b94d35a6f771ffb82dff0906380a4104e9b1efb327c0acd09ebdf44815e0
                                                      • Opcode Fuzzy Hash: 11adba5f7c8c3312aaf6b7e02e55fea60ecc5506e315d93e27dde3dffa2f4c8c
                                                      • Instruction Fuzzy Hash: F691DC71E007099FDB10DFA4CC45BAEBBB6EF49310F144219E506AB392EB70AA01CF91
                                                      APIs
                                                      • GetSystemInfo.KERNELBASE(?), ref: 005E215A
                                                      • GetVersionExW.KERNEL32(0000011C), ref: 005E21BD
                                                      • GetVersionExW.KERNEL32(0000011C), ref: 005E21D8
                                                      • GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlGetVersion), ref: 005E21F3
                                                      • GetProcAddress.KERNEL32(00000000), ref: 005E21FA
                                                      • RtlGetVersion.NTDLL ref: 005E223B
                                                      Similarity
                                                      • API ID: Version$AddressHandleInfoModuleProcSystem
                                                      • String ID: NTDLL.DLL$RtlGetVersion$ ^
                                                      • API String ID: 335284197-2147294162
                                                      • Opcode ID: 45ff3c6a227d26ad12011e1e4b349ecdc5dadae05974c80c42f9ed57bc86c0e5
                                                      • Instruction ID: a573332e9ab37f15adb05d74d9429f9efb29aae4122721ebfd392e492ee461f9
                                                      • Opcode Fuzzy Hash: 45ff3c6a227d26ad12011e1e4b349ecdc5dadae05974c80c42f9ed57bc86c0e5
                                                      • Instruction Fuzzy Hash: 9871FA74A0418D87EF3CCA06CC587ED7B6EFB15300F1484BAE686976D5D6388E809F5A
                                                      APIs
                                                        • Part of subcall function 00647DC0: GetProcessHeap.KERNEL32 ref: 00647E2A
                                                      • GetVersion.KERNEL32 ref: 00644920
                                                      • CreateFileW.KERNELBASE(00000000,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00644949
                                                      • GetLastError.KERNEL32 ref: 00644959
                                                      • CloseHandle.KERNEL32(?), ref: 00644B08
                                                      Similarity
                                                      • API ID: CloseCreateErrorFileHandleHeapLastProcessVersion
                                                      • String ID: \\.\PhysicalDrive%u
                                                      • API String ID: 516677361-3292898883
                                                      • Opcode ID: f1f055f8b339cd5abe195e969f2c29ec6b5324e038b34ab6809c11d7f6118b1e
                                                      • Instruction ID: 4f6faa50c330c44daa210cc23804dadb90e6aad0caea21a269dcb23d986803b8
                                                      • Opcode Fuzzy Hash: f1f055f8b339cd5abe195e969f2c29ec6b5324e038b34ab6809c11d7f6118b1e
                                                      • Instruction Fuzzy Hash: AB819271A042099FDB14EFA4DC86BAEBBB6EF49310F14411DF901A7391DB70AA41CFA5
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,945323AF,00000000,0000000C,?), ref: 00602A4D
                                                      • FindResourceW.KERNEL32(00000000,0000012C,LZMA), ref: 00602A60
                                                      • LoadResource.KERNEL32(00000000,00000000), ref: 00602A72
                                                      • LockResource.KERNEL32(00000000), ref: 00602A81
                                                      • SizeofResource.KERNEL32(00000000,00000000), ref: 00602A93
                                                      Similarity
                                                      • API ID: Resource$FindHandleLoadLockModuleSizeof
                                                      • String ID: LZMA$Xf
                                                      • API String ID: 1601749889-3087653585
                                                      • Opcode ID: c86347e5fcafde6a9cd5d363d4248561093c98a39bbf14b86b87582d51ed3fa2
                                                      • Instruction ID: c60c20202f21edb9fb8d4b5f43a0a4514b5773ba6943b21d3847142126fbdaf5
                                                      • Opcode Fuzzy Hash: c86347e5fcafde6a9cd5d363d4248561093c98a39bbf14b86b87582d51ed3fa2
                                                      • Instruction Fuzzy Hash: C371BD71E002099BEB18DF68CD59BEFBBB6EF49314F10825DE405A7390DB745A848FA4
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .lzma$/universe/$Base url path is undefined.$F7951891$Fail unpack data, wrong checksum ('{}', hash:{})$Missing hash info for '{}'$Q$base-url$isfx
                                                      • API String ID: 0-292042332
                                                      • Opcode ID: 44c9c068a4a992abc2d2cdbe5abff6c0089770d7f2bd8bfbe7b972b295321612
                                                      • Instruction ID: 4e720d7cc1959936867b2826254ddc435d30a5b9a07dd7f302d5eefc4d695cbc
                                                      • Opcode Fuzzy Hash: 44c9c068a4a992abc2d2cdbe5abff6c0089770d7f2bd8bfbe7b972b295321612
                                                      • Instruction Fuzzy Hash: 17129B70D003599FDB14DFA4C849BEEBBB5FF55308F10429DE409AB291EB74AA88CB51
                                                      APIs
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00625F1E
                                                      Strings
                                                      • C06AEB9D-8774-46E7-8160-8321BCD14D9F, xrefs: 00625C00
                                                      • PSK contains null, xrefs: 00625F11
                                                      • SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198, xrefs: 00625B35
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                      • String ID: C06AEB9D-8774-46E7-8160-8321BCD14D9F$PSK contains null$SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
                                                      • API String ID: 116670465-1085722610
                                                      • Opcode ID: 7451b6783aa6644766c969eb7d438a1fa4ae25b299485d46fea99420dcad16f3
                                                      • Instruction ID: 2de80b796362e207126f2fb0f685552f13b52455c0b2360fb07741ff63d4b430
                                                      • Opcode Fuzzy Hash: 7451b6783aa6644766c969eb7d438a1fa4ae25b299485d46fea99420dcad16f3
                                                      • Instruction Fuzzy Hash: CF026B70D00659CBDB14DFA4C948BEDBBB5FF99314F20825AE805AB381EB746A85CF50
                                                      APIs
                                                        • Part of subcall function 005CBF70: GetModuleHandleW.KERNEL32(ntdll), ref: 005CBFA8
                                                        • Part of subcall function 005CBF70: GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 005CBFBF
                                                      • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000,00000000), ref: 005CC063
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005CC088
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AddressConcurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorHandleInformationModuleProcProcessQuery
                                                      • String ID:
                                                      • API String ID: 893103165-0
                                                      • Opcode ID: 980bb206f6bfa4d0c85e5124872ca84cc7ff7a912a43c4663bce427ae700cb85
                                                      • Instruction ID: 4aaf721e0316ab75e5965b723a2718d31e5e701c4988e8aaa4cc198d59369f2c
                                                      • Opcode Fuzzy Hash: 980bb206f6bfa4d0c85e5124872ca84cc7ff7a912a43c4663bce427ae700cb85
                                                      • Instruction Fuzzy Hash: 05F0A7317042085BD310AB398C0AF6BBBEDAB85B24F00061EF954D7290DE51E9018BD6
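The call above resolves NtQueryInformationProcess at run time and passes information class 0 with a 0x18-byte buffer and a NULL ReturnLength. On 32-bit Windows that is exactly PROCESS_BASIC_INFORMATION (six 4-byte fields), whose PebBaseAddress and InheritedFromUniqueProcessId fields are the usual inputs to the PEB-based debugger checks and parent-process checks this report flags elsewhere. The decoder below is an added illustration written for this page, not code recovered from the sample; the buffer it decodes is constructed, not captured from the analysis.

```python
import struct

# 32-bit PROCESS_BASIC_INFORMATION: ExitStatus, PebBaseAddress, AffinityMask,
# BasePriority, UniqueProcessId, InheritedFromUniqueProcessId. Six 4-byte
# fields, so ProcessInformationLength must be 0x18, matching the call above.
PBI32 = struct.Struct("<IIIiII")
PROCESS_BASIC_INFORMATION = 0  # ProcessInformationClass value passed by the sample

FIELDS = ("ExitStatus", "PebBaseAddress", "AffinityMask", "BasePriority",
          "UniqueProcessId", "InheritedFromUniqueProcessId")


def is_pbi32_query(info_class: int, length: int) -> bool:
    """True when (class, length) identify a 32-bit ProcessBasicInformation query;
    the 64-bit layout is 0x30 bytes and would not match."""
    return info_class == PROCESS_BASIC_INFORMATION and length == PBI32.size


def decode_pbi32(buf: bytes) -> dict:
    """Decode the buffer NtQueryInformationProcess filled in. A wrong size is
    rejected rather than read short or past the structure."""
    if len(buf) != PBI32.size:
        raise ValueError(f"expected {PBI32.size:#x} bytes, got {len(buf):#x}")
    return dict(zip(FIELDS, PBI32.unpack(buf)))


# Constructed example buffer (not captured from the sample): STATUS_PENDING
# (0x103) as the exit status of a live process, PEB at 0x7FFD4000, PID 4120,
# parent PID 6004.
SAMPLE_PBI = PBI32.pack(0x103, 0x7FFD4000, 0x1, 8, 4120, 6004)
```

With a real buffer, InheritedFromUniqueProcessId is what a parent-name check resolves through OpenProcess/QueryFullProcessImageName, and PebBaseAddress is where a BeingDebugged read would start; neither step is shown here because the report does not show what the sample does with the result.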
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4up
                                                      • API String ID: 0-3731777745
                                                      • Opcode ID: faee857cbf4551a962df0ac9773e170681ce526b750736d6132e3fd8249baa56
                                                      • Instruction ID: 2617791dc2ad28dc2d93816dc616f4e8111fceef233dfa86fc0dc6804d459e13
                                                      • Opcode Fuzzy Hash: faee857cbf4551a962df0ac9773e170681ce526b750736d6132e3fd8249baa56
                                                      • Instruction Fuzzy Hash: 22F0E531A21260EFCB26EB4CD805B9973ADEB04B20F1111A6F100E7251D7B0EE40C7E4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: afb4e94f82526ab9f1cbdf83d340653103cee702c73fabeffdcd7d2c4e995b7a
                                                      • Instruction ID: d2052fd7de61029764c661c6fff435fdbdb41d6268cb631be1514e8d364e0b11
                                                      • Opcode Fuzzy Hash: afb4e94f82526ab9f1cbdf83d340653103cee702c73fabeffdcd7d2c4e995b7a
                                                      • Instruction Fuzzy Hash: 55329271A005698FDB28CE15CC84BEDBBBAFBC8354F0541E5E849E7241DA329E95CF84
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d3ead193e703d79a764b57aab19975035c0674ab223ca40a9ca8c3c3baa30bb7
                                                      • Instruction ID: a05b73a6eecc52f0e283bb6ddff31174b1e0c0880f1e38ea4419b5a8a9e5a1be
                                                      • Opcode Fuzzy Hash: d3ead193e703d79a764b57aab19975035c0674ab223ca40a9ca8c3c3baa30bb7
                                                      • Instruction Fuzzy Hash: 17B1B87290012C9FEF20DE54DC45FEAB37AFF85314F1455EAE60A93242DA719E89CB90
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,?,?), ref: 00603E14
                                                      • GetFileSizeEx.KERNEL32(?,00000000,?,?,?,?), ref: 00603F52
                                                      • SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000002,?,?,?,?), ref: 00603F8A
                                                      • GetLastError.KERNEL32(?,?,?,?), ref: 00604007
                                                      • SetFilePointerEx.KERNEL32(000000FF,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00604343
                                                      • SetEndOfFile.KERNEL32(000000FF,?,?,?,?), ref: 0060435D
                                                      • GetLastError.KERNEL32(?,?,?,?), ref: 006043CE
                                                      • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,?,00010000,?,?,?,?), ref: 0060450D
                                                      • GetLastError.KERNEL32(?,?,?,00010000,?,?,?,?), ref: 006045B4
                                                      • GetLastError.KERNEL32(?,?,?,00010000,?,?,?,?), ref: 006045C1
                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00604639
                                                      • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,?,?,?,?,?,?,?,Unable to read data), ref: 0060469F
                                                      • SetEndOfFile.KERNEL32(000000FF,?,?,?,?,?,?,?,Unable to read data,?,?,?,00010000), ref: 006046B9
                                                      • GetLastError.KERNEL32(Unable to open session), ref: 0060481A
                                                      • GetLastError.KERNEL32(Unable to create connection,?,006F8D24,00000000), ref: 00604842
                                                      • GetLastError.KERNEL32(Unable to open request,?,006F8D24,00000000), ref: 0060486F
                                                      • GetLastError.KERNEL32(Unable to set TLS1,?,006F8D24,00000000), ref: 00604897
                                                      • GetLastError.KERNEL32(Unable to set security flags,?,006F8D24,00000000), ref: 006048BF
                                                      • GetLastError.KERNEL32(Unable to set WinHTTP timeouts,?,006F8D24,00000000), ref: 006048E7
                                                      • GetLastError.KERNEL32(Unable to send request,?,006F857C,?,006F8D24,00000000), ref: 0060493D
                                                      • GetLastError.KERNEL32(Unable to receive response,?,006F8D24,00000000,?,006F857C,?,006F8D24,00000000), ref: 00604965
                                                      • GetLastError.KERNEL32(Unable to query status header,?,006F8D24,00000000,?,006F857C,?,006F8D24,00000000), ref: 0060498D
                                                      • GetLastError.KERNEL32(?,006F8D24,00000000,?,006F857C,?,006F8D24,00000000), ref: 006049B0
                                                      • GetLastError.KERNEL32(Unable to set file pointer to start,?,006F8D14,?,No content,?,006F8D24,00000000,Receive fail status:'{}',00000018,?,?,006F857C,?,006F8D24,00000000), ref: 00604A1D
                                                      • GetLastError.KERNEL32(Unable to set end of file,?,006F8D24,00000000,?,006F857C,?,006F8D24,00000000), ref: 00604A45
                                                      • GetLastError.KERNEL32(Unable to query content length,?,006F8D24,00000000,?,006F857C,?,006F8D24,00000000), ref: 00604A6D
                                                      • GetLastError.KERNEL32(Unable to set position to end,?,006F8D24,00000000,?,006F857C,?,006F8D24,00000000), ref: 00604A9A
                                                      • GetLastError.KERNEL32(Unable to set file end,?,006F8D24,00000000,?,006F857C,?,006F8D24,00000000), ref: 00604AC2
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$File$Pointer$SizeWrite___std_exception_destroy
                                                      • String ID: 073B$073B188C$188C$Cannot get file size for '{}' (no resume): error: {}$Cannot set file to end (no resume) for '{}': error: {}$Download less than expected$GET$Icarus Http/1.0$No content$P$Range: bytes={}-$Receive fail status:'{}'$Unable to create connection$Unable to open request$Unable to open session$Unable to query content length$Unable to query status header$Unable to read data$Unable to receive response$Unable to send request$Unable to set TLS1$Unable to set WinHTTP timeouts$Unable to set end of file$Unable to set file end$Unable to set file pointer to start$Unable to set other TLS ({})$Unable to set position to end$Unable to set security flags$Unable to write data to file$http$https$isfx$lYm$~7`$~7`
                                                      • API String ID: 1381021637-72213727
                                                      • Opcode ID: 0a242b51514afd7ed4ada814533056af17b76e91899dc417885d7eddce543e52
                                                      • Instruction ID: 76b6a350a96bb0977c7224834aae6f0a889d41476e8773e4c1e70a7484a425ca
                                                      • Opcode Fuzzy Hash: 0a242b51514afd7ed4ada814533056af17b76e91899dc417885d7eddce543e52
                                                      • Instruction Fuzzy Hash: F3A22E70A40219DFEB68DFA4CC45FEEB7B6BF44300F108199E509A7291DB74AA84CF65
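Two routines in this dump describe one download path: the unpacker earlier on this page carries "Base url path is undefined.", "Missing hash info for '{}'" and "Fail unpack data, wrong checksum ('{}', hash:{})", and the WinHTTP function above carries "Range: bytes={}-", "Receive fail status:'{}'", "Download less than expected", "No content" and the "(no resume)" file-size and end-of-file errors. Read together, they are a resumable fetch whose result is accepted only when it matches a stored hash. The Python below is an added illustration of that control flow written for this page, not code from the sample: the network is replaced by a constructed in-memory server, SHA-256 stands in for whatever hash the sample actually uses (the report does not say), and the URL is hypothetical. The security-relevant behaviour it shows is failing closed on a short read, on a missing hash and on a hash mismatch, and discarding the partial file when the server ignores the Range header instead of appending a full body to it.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


# A fetch callable stands in for the WinHTTP chain the report lists (open
# session -> open request -> send -> receive -> query status header/length).
Fetch = Callable[[str, Dict[str, str]], Response]


class DownloadError(Exception):
    pass


def parse_content_range(value: str) -> int:
    """Return the start offset from a 'bytes START-END/TOTAL' header value."""
    unit, _, spec = value.partition(" ")
    if unit != "bytes" or "-" not in spec:
        raise DownloadError(f"Malformed Content-Range: {value!r}")
    return int(spec.split("-", 1)[0])


def resume_download(url: str, fetch: Fetch, partial: bytes,
                    expected_sha256: Optional[str]) -> bytes:
    """Fetch url from len(partial) onward; return the whole artifact only if its hash matches."""
    offset = len(partial)
    headers: Dict[str, str] = {}
    if offset:
        headers["Range"] = f"bytes={offset}-"   # the resume header the sample formats
    resp = fetch(url, headers)

    if resp.status == 206:
        # Range honoured: the body continues the partial file, but only if
        # Content-Range really starts at the offset we asked for.
        start = parse_content_range(resp.headers.get("Content-Range", ""))
        if start != offset:
            raise DownloadError(f"Content-Range starts at {start}, expected {offset}")
        data = partial + resp.body
    elif resp.status == 200:
        # Range ignored: the body is the whole object, so the partial file is
        # discarded (the "no resume" path) rather than appended to.
        data = resp.body
    elif resp.status == 204:
        raise DownloadError("No content")
    else:
        raise DownloadError(f"Receive fail status:'{resp.status}'")

    # A short read must never be accepted as a complete file.
    declared = resp.headers.get("Content-Length")
    if declared is not None and len(resp.body) != int(declared):
        raise DownloadError(f"Download less than expected: {len(resp.body)} of {declared}")

    # Fail closed when no hash is known for the artifact, and on any mismatch.
    if expected_sha256 is None:
        raise DownloadError(f"Missing hash info for '{url}'")
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256.lower():
        raise DownloadError(f"Fail unpack data, wrong checksum ('{url}', hash:{digest})")
    return data


def make_fake_server(payload: bytes, honour_range: bool = True,
                     truncate_to: Optional[int] = None) -> Fetch:
    """Constructed in-memory stand-in for the remote host; no network is used."""
    def fetch(url: str, headers: Dict[str, str]) -> Response:
        rng = headers.get("Range")
        if rng and honour_range:
            start = int(rng[len("bytes="):].rstrip("-"))
            body, status = payload[start:], 206
            hdrs = {"Content-Range": f"bytes {start}-{len(payload) - 1}/{len(payload)}"}
        else:
            body, status, hdrs = payload, 200, {}
        hdrs["Content-Length"] = str(len(body))
        if truncate_to is not None:        # connection dropped early; the header
            body = body[:truncate_to]      # still advertises the full length
        return Response(status, hdrs, body)
    return fetch


PAYLOAD = bytes(range(256)) * 8                            # 2048 bytes of constructed data
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()
URL = "https://example.invalid/universe/component.lzma"   # hypothetical path


def demo() -> Dict[str, bool]:
    """True for each scenario means the downloader behaved correctly."""
    ok = {}
    ok["resumed"] = resume_download(URL, make_fake_server(PAYLOAD), PAYLOAD[:700], PAYLOAD_SHA256) == PAYLOAD
    ok["restarted"] = resume_download(URL, make_fake_server(PAYLOAD, honour_range=False), PAYLOAD[:700], PAYLOAD_SHA256) == PAYLOAD
    for name, server, digest in (("short_read", make_fake_server(PAYLOAD, truncate_to=100), PAYLOAD_SHA256),
                                 ("bad_hash", make_fake_server(PAYLOAD), "00" * 32),
                                 ("no_hash", make_fake_server(PAYLOAD), None)):
        try:
            resume_download(URL, server, b"", digest)
            ok[name] = False
        except DownloadError:
            ok[name] = True
    return ok
```

When triaging a sample like this one, the strings are what to key on: a downloader that reports "Missing hash info" and "wrong checksum" is verifying what it fetches, and the next question is where the expected hashes come from (the "base-url" and "/universe/" strings suggest a manifest fetched from the same origin, which this report does not show).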

                                                       Control-flow Graph (rendered graph not reproduced): basic blocks 5cabd0-5cad10; the entry block calls GetModuleHandleW and GetProcAddress, with subcalls to 5cb950, 5cad20, 5c7f20, 5c9510 and 669660 on the later paths.
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,945323AF,?), ref: 005CABF9
                                                      • GetProcAddress.KERNEL32(00000000,on_avast_dll_unload), ref: 005CAC05
                                                      • GetModuleHandleW.KERNEL32(00000000,00000001), ref: 005CAC13
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: HandleModule$AddressProc
                                                      • String ID: AVG$AVG$AVG$AVG Technologies$Avast$Avast Software$Avg$Avg$Avira$ModuleId$Piriform$Privax$ProductId$asw$avast$avg$avg$avg$avira$avr$on_avast_dll_unload$piriform$prf$privax$pvx
                                                      • API String ID: 1883125708-2937535294
                                                      • Opcode ID: 7dd08e830bed85cb64096b7a0fc580aedb43a75a893393aa5377c2227439d5d4
                                                      • Instruction ID: a383027b8351c96c34ebda6ca876cba085a25aaf2263ebfad80f0ab10061b89f
                                                      • Opcode Fuzzy Hash: 7dd08e830bed85cb64096b7a0fc580aedb43a75a893393aa5377c2227439d5d4
                                                      • Instruction Fuzzy Hash: 1231D071A0020D9FDB10EFE4DC46FEEBBA9FB45704F508129F912A7681EA31AE05C761

                                                       Control-flow Graph (rendered graph not reproduced): basic blocks 626e60-6270b9; path LoadCursorW -> RegisterClassExW -> CreateWindowExW -> GetModuleHandleW/GetProcAddress -> LoadLibraryW/GetProcAddress/FreeLibrary -> ShowWindow -> SetEvent -> message loop (TranslateMessage, DispatchMessageW, KiUserCallbackDispatcher) -> UnregisterClassW; subcalls to 5f21d0, 5f2360, 627a50 and 64d0d5.
                                                      APIs
                                                      • LoadCursorW.USER32(?,00007F00), ref: 00626EE4
                                                      • RegisterClassExW.USER32(00000030), ref: 00626F35
                                                      • CreateWindowExW.USER32(00000000,aswSfxSplashClass,006D0120,80000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00626F65
                                                      • GetModuleHandleW.KERNEL32(user32.dll), ref: 00626F86
                                                      • GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilterEx), ref: 00626F96
                                                      • LoadLibraryW.KERNEL32(dwmapi.dll), ref: 00626FC7
                                                      • GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 00626FD9
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AddressLoadProc$ClassCreateCursorHandleLibraryModuleRegisterWindow
                                                      • String ID: 0$ChangeWindowMessageFilterEx$DwmSetWindowAttribute$aswSfxSplashClass$dwmapi.dll$user32.dll
                                                      • API String ID: 4148564498-3650145448
                                                      • Opcode ID: edb101d341e868c145132dad566f60fed821a7ac7a24701a285e5d978753b0f4
                                                      • Instruction ID: d8edcad070d4ca9b28915ecd56c06abdeb74e1fd9cd04ebd0e97b56e4087e9cd
                                                      • Opcode Fuzzy Hash: edb101d341e868c145132dad566f60fed821a7ac7a24701a285e5d978753b0f4
                                                      • Instruction Fuzzy Hash: CA614F70E04719ABDB21AFA5DC09B9EBFBAFF09704F004119F901AB290DB75A945CF90

                                                       Control-flow Graph (rendered graph not reproduced): basic blocks 5eb540-5eb8ef; GetFileVersionInfoSizeW followed by GetFileVersionInfoW, each failure path going through GetLastError and the error-reporting subcalls 5c9c10/669660; further subcalls to 5b7ba0, 5edc10, 5cfd40, 5b8750, 5eac20, 5eb030, 5eb190, 5c8440, 5ed450, 5ed8a0, 5c8120, 5c8210, 64d6ae, 64d6a9 and 64d0d5.
                                                      APIs
                                                      • GetFileVersionInfoSizeW.KERNELBASE(00000002,0069DBCE,945323AF,?,?), ref: 005EB707
                                                      • GetFileVersionInfoW.KERNELBASE(00000002,00000000,?,00000000), ref: 005EB739
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: FileInfoVersion$Size
                                                      • String ID: .sys$Cannot query a .sys file version from PPL process '{}'$GetFileVersionInfoSizeW$GetFileVersionInfoW$Unable to make a .sys copy$VerQueryValueW$VerQueryValueW signature is invalid$asw$tmp
                                                      • API String ID: 2104008232-2823418111
                                                      • Opcode ID: 385075aae205e95149ebc1a1c1668f70dd56b2796b3d76a1f4bba9315c42c762
                                                      • Instruction ID: f957dc75949e2c816f67f570edbb900feafd5b3d7bfa37d79a83da446011672c
                                                      • Opcode Fuzzy Hash: 385075aae205e95149ebc1a1c1668f70dd56b2796b3d76a1f4bba9315c42c762
                                                      • Instruction Fuzzy Hash: 6AA1D070D002599EDB14EFA5CC49BEEBBB9FF44304F10855AE445A3281EF706A88CFA1

                                                      Control-flow Graph
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,00010000,00000007,00000000,00000003,00000000,00000000,?,?,?,.old,00000004), ref: 005D62E4
                                                      • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,?,.old,00000004), ref: 005D637E
                                                      • MoveFileExW.KERNEL32(?,00000000,00000004,?,?), ref: 005D64AE
                                                        • Part of subcall function 005D6010: SetLastError.KERNEL32(00000000,?,945323AF,?,00000001,0000000D,945323AF), ref: 005D60C4
                                                      • MoveFileExW.KERNEL32(?,00000000,00000004,?,?), ref: 005D65C0
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,.old,00000004), ref: 005D65E5
                                                      • EnterCriticalSection.KERNEL32(00000001,?), ref: 005D66C3
                                                      • LeaveCriticalSection.KERNEL32(00000001), ref: 005D66E4
                                                      • WriteFile.KERNELBASE(?,?,?,00000000,00000000), ref: 005D6719
                                                      • FlushFileBuffers.KERNEL32(?), ref: 005D6740
                                                        • Part of subcall function 005F1670: EnterCriticalSection.KERNEL32(00708730,?,?), ref: 005F1691
                                                        • Part of subcall function 005F1670: LeaveCriticalSection.KERNEL32(00708730), ref: 005F1748
                                                      • GetLastError.KERNEL32 ref: 005D67D0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: File$CriticalSection$Move$EnterErrorLastLeave$BuffersCloseCreateFlushHandleWrite
                                                      • String ID: .log$.old$.tmp.$BOM not present in '{}'$Failed to create new log file '{}'$Failed to open log file '{}'${}.to_delete.{:016x}${}.to_rotate.{:016x}
                                                      • API String ID: 3410606403-1439687905
                                                      • Opcode ID: b54ed762abd5bbec724b66ac2fc92b486611a37768476962b532615788f8a6fa
                                                      • Instruction ID: 520b13ebd167c442d738fcbde3f1863d7817e9d2a7b035edb7daa4d64181c078
                                                      • Opcode Fuzzy Hash: b54ed762abd5bbec724b66ac2fc92b486611a37768476962b532615788f8a6fa
                                                      • Instruction Fuzzy Hash: 33126C709002199BDF24DBA8DC59BEDBBB5FF84304F04459AE50AA7281EB706E85CF91

                                                      Control-flow Graph
                                                      APIs
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 005F7F8A
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 005F7F95
                                                        • Part of subcall function 0064C0BC: WakeConditionVariable.KERNEL32(?,?,005F894F,?,?,?), ref: 0064C0C6
                                                        • Part of subcall function 0064C365: ReleaseSRWLockExclusive.KERNEL32(005FBB1F,?,005FBB27), ref: 0064C379
                                                        • Part of subcall function 005D9D70: GetCurrentThreadId.KERNEL32 ref: 005D9D80
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Cpp_errorThrow_std::_$ConditionCurrentExclusiveLockReleaseThreadVariableWake
                                                      • String ID: 240B$240B$240B$AFBD$AFBD$AFBD$Sending report data: ({})$Sent report fail, status:'{}' error:'{}'.$Sent report success, status:'{}'.$https://analytics.avcdn.net/v4/receive/json/25$isfx$isfx$isfx
                                                      • API String ID: 3982938615-2076072031
                                                      • Opcode ID: 88ba5769017ed8e59784bae4eac88aee899b29664c55a3fbce8188a0e7cd98e8
                                                      • Instruction ID: fed83a3dba3a5a13943f5d8454e34840c350444005891c225b784327be32970e
                                                      • Opcode Fuzzy Hash: 88ba5769017ed8e59784bae4eac88aee899b29664c55a3fbce8188a0e7cd98e8
                                                      • Instruction Fuzzy Hash: 6142CE70A00619DFDB28DF24CC48BADBBB5BF49314F148299E519AB391DB746E84CF90

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00615310: GetFileAttributesW.KERNEL32(9453238F,945323AF,00000000,?), ref: 0061535D
                                                      • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,00000000,00000000), ref: 00615124
                                                      • GetLastError.KERNEL32 ref: 0061521A
                                                      • GetLastError.KERNEL32(Create tmp directory security descriptor fail), ref: 00615271
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 0061527B
                                                        • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
                                                      • GetLastError.KERNEL32(?,006F8810,00000000), ref: 0061528E
                                                      • GetLastError.KERNEL32(Create directory fail), ref: 006152E9
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 006152F3
                                                      Strings
                                                      • Create directory '{}' fail {}!, xrefs: 006152D4
                                                      • asw-, xrefs: 00614FA4
                                                      • isfx, xrefs: 00615193
                                                      • Create directory fail, xrefs: 006152E4
                                                      • Create tmp directory security descriptor fail, xrefs: 0061526C
                                                      • G, xrefs: 006151B1
                                                      • SFX temp folder '{}' created., xrefs: 0061518E
                                                      • D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU), xrefs: 006150D7
                                                      • 11ED4C45, xrefs: 0061518B
                                                      • Create tmp directory security descriptor fail {}!, xrefs: 0061525C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorDescriptorSecurity$AttributesConvertDispatcherExceptionFileStringUser
                                                      • String ID: 11ED4C45$Create directory '{}' fail {}!$Create directory fail$Create tmp directory security descriptor fail$Create tmp directory security descriptor fail {}!$D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)$G$SFX temp folder '{}' created.$asw-$isfx
                                                      • API String ID: 1872695026-855061209
                                                      • Opcode ID: 1f579e07b33c76fdbaa2c1c1e7304d1f58703882324be27ea8c2eae7875adf60
                                                      • Instruction ID: 03ea8cceb0bec3d246932aed59eec41b826737299bcd2f391c043e8ad1a837ed
                                                      • Opcode Fuzzy Hash: 1f579e07b33c76fdbaa2c1c1e7304d1f58703882324be27ea8c2eae7875adf60
                                                      • Instruction Fuzzy Hash: E7B11571D00249DEDF10EFA4C889BEDBBB4BF55304F50815AE419BB281EB746A88CF61

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,00000001,00000001,00000000,00000003,00000000,00000000,945323AF), ref: 00606F61
                                                      • CloseHandle.KERNEL32(00000000), ref: 00607008
                                                      • GetLastError.KERNEL32 ref: 0060702F
                                                      • GetLastError.KERNEL32(Open file for DSA check fail!), ref: 00607087
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00607091
                                                        • Part of subcall function 0063BE30: GetFileSizeEx.KERNEL32(?,?,945323AF,?), ref: 0063BE67
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorFileLast$CloseConcurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorCreateHandleSize
                                                      • String ID: #$5$88D5$88D5$CE3D$CE3D$DSA for block with size '{}' verified with result '{}'$DSA for file '{}' verified with result '{}'$Open file '{}' for DSA check fail {}!$Open file for DSA check fail!$isfx$isfx
                                                      • API String ID: 3336171881-927765935
                                                      • Opcode ID: e13af55234c34cf2463591410ef2fd043f2b4dff4b52f81b5d3c872bac13a13a
                                                      • Instruction ID: 3c80874a49d68a518443ccaecd3b00a138f221e7b245310d3c2f0d51e3a226ac
                                                      • Opcode Fuzzy Hash: e13af55234c34cf2463591410ef2fd043f2b4dff4b52f81b5d3c872bac13a13a
                                                      • Instruction Fuzzy Hash: 90615BB1D04248AFDB10DF98D845BEEBBB9FB09710F10421AE811AB381DB756604CFA1

                                                      Control-flow Graph
                                                      APIs
                                                      • CloseHandle.KERNEL32(?,945323AF,?,?), ref: 005CCEBE
                                                      • CloseHandle.KERNEL32(?,945323AF,?,?), ref: 005CCED3
                                                      • CloseHandle.KERNEL32(?,945323AF,?,?), ref: 005CCEE8
                                                      • CloseHandle.KERNEL32(?,945323AF,?,?), ref: 005CCEFD
                                                      • CloseHandle.KERNEL32(?,945323AF,?,?), ref: 005CCF12
                                                      • CloseHandle.KERNEL32(?,945323AF,?,?), ref: 005CCF27
                                                      • CloseHandle.KERNEL32(?,945323AF,?,?), ref: 005CCF94
                                                      • CloseHandle.KERNEL32(945323AF,945323AF), ref: 005CCFAF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle
                                                      • String ID: D$GetCachedSigningLevel$H$SetCachedSigningLevel$Unable to create process '{}'!$Unable to retrieve exit status for process '{}'!$Unable to wait for process '{}'!$Unable to write to the pipe!$UpdateProcThreadAttribute set_protection_level$Wrong signature level '{}'!$kernel32.dll
                                                      • API String ID: 2962429428-819407044
                                                      • Opcode ID: 5d3f87af14a9fef061089ae0970b6fa0d70e1db09d755e8d9dc002c99d6e6a46
                                                      • Instruction ID: 848767f9d7657698d5ac984d5c2c58e970021160ac7f9b6b038ac1248d1bd9ee
                                                      • Opcode Fuzzy Hash: 5d3f87af14a9fef061089ae0970b6fa0d70e1db09d755e8d9dc002c99d6e6a46
                                                      • Instruction Fuzzy Hash: 13614C74E043598FDB10DFA4CD48BADBBB9BF49314F144299E809A7390EB74AA84CF50

                                                      Control-flow Graph
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,00000002,00000005,00000000,00000002,00000080,00000000,945323AF,?,?,006A507E,000000FF), ref: 0063A1D1
                                                      • GetLastError.KERNEL32 ref: 0063A208
                                                      • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,006DF940,006DF940), ref: 0063A292
                                                      • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,00000000,00000000,?,00000001,006DF940,006DF940), ref: 0063A2AC
                                                      • SetEndOfFile.KERNELBASE(?,?,?,?,00000000,00000000,?,00000000,00000000,?,00000001,006DF940,006DF940), ref: 0063A2B7
                                                      • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00000000,00000000,?,00000000,00000000,?,00000001), ref: 0063A2CC
                                                      Strings
                                                      • Unable to create file '{}'!, xrefs: 0063A214
                                                      • Unable to set size of file to {} bytes!, xrefs: 0063A335
                                                      • Unable to set the file pointer!, xrefs: 0063A30B
                                                      • Unable to retrieve the file pointer!, xrefs: 0063A2E9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: File$Pointer$CreateErrorLast
                                                      • String ID: Unable to create file '{}'!$Unable to retrieve the file pointer!$Unable to set size of file to {} bytes!$Unable to set the file pointer!
                                                      • API String ID: 2176584126-2660858681
                                                      • Opcode ID: 03d0b207758055319acd849c01da4f4a112dc770947ddf50a42c7fafbb6e93e1
                                                      • Instruction ID: c18362b9f4682babadcfe90214cd5fbb7c74c285bcab47c217dcf399e19b6e58
                                                      • Opcode Fuzzy Hash: 03d0b207758055319acd849c01da4f4a112dc770947ddf50a42c7fafbb6e93e1
                                                      • Instruction Fuzzy Hash: 3B718371A00608AFDB10EFA5DC4AFAEB7B9FB05710F10462AF915E72D1DB746900CBA5

                                                      Control-flow Graph
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32 ref: 00642C20
                                                      • LeaveCriticalSection.KERNEL32(00708758), ref: 00643AD8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave
                                                      • String ID: "n$(!n$0!n$0"n$8!n$<"n$@!n$DiskMajoritySN$H!n$Pvm$Pvm$Pvm$SystemVolumeGUID$\!n$p!n$!n
                                                      • API String ID: 3168844106-762381817
                                                      • Opcode ID: e6e75e1ba6067ac1268482fa4cf0a08adee5c6d05308522c7d499d1f9bd6b124
                                                      • Instruction ID: 08ebfd1d5f6dbfb495d593999fed09038543b941cfbe4f226a5fb78051c9e731
                                                      • Opcode Fuzzy Hash: e6e75e1ba6067ac1268482fa4cf0a08adee5c6d05308522c7d499d1f9bd6b124
                                                      • Instruction Fuzzy Hash: A2A23670D012698BDB25DF28CC587EDBBB6AF49304F1482E9D409AB351DB70AB85CF85

                                                      Control-flow Graph
                                                      APIs
                                                      • GetFileVersionInfoSizeW.KERNELBASE(?,?,945323AF,00000000,?), ref: 005EC75E
                                                      • GetFileVersionInfoW.KERNELBASE(?,00000000,?,00000000), ref: 005EC792
                                                      • GetLastError.KERNEL32 ref: 005EC79C
                                                      • GetLastError.KERNEL32 ref: 005EC7CC
                                                      • GetLastError.KERNEL32 ref: 005EC932
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$FileInfoVersion$Size
                                                      • String ID: .sys$GetFileVersionInfoSizeW '{}'$GetFileVersionInfoW '{}'$Unable to make a .sys copy$VerQueryValueW '{}'$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation$asw$tmp
                                                      • API String ID: 2303269438-1955712893
                                                      • Opcode ID: 34bcae70287acd51bbe3e3679afb7df5bdc36e263d9e6a29a6bb8c75f66112a0
                                                      • Instruction ID: 1a842330d556ecee29631d94951b0e472e12092a95d6377128d406507932ff4b
                                                      • Opcode Fuzzy Hash: 34bcae70287acd51bbe3e3679afb7df5bdc36e263d9e6a29a6bb8c75f66112a0
                                                      • Instruction Fuzzy Hash: 85E18C70D0025A9EDB24DF65CC49BEDBBB4FF55304F10829AE459A7292EB70AA84CF50

                                                      Control-flow Graph
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?), ref: 0061FD9E
                                                      • GetLastError.KERNEL32 ref: 0061FDC3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AttributesErrorFileLast
                                                      • String ID: .edat$1$6240$923F$923F6240$923F6240$Create EDAT directory '{}' fail {} ({}), skip$EDAT not be extracted from payload ({})$Unpacking EDAT ({})$isfx$isfx$lfp$tmp-path
                                                      • API String ID: 1799206407-360738380
                                                      • Opcode ID: 9a8d637cf8f3d6b53b44bf73fbf471bbfe5bd88c16f3e58f2311152fd7776b47
                                                      • Instruction ID: 46cf5a9c797d4663ec335809cc9e2e59367aa85686bb65b40361923c7eb837c2
                                                      • Opcode Fuzzy Hash: 9a8d637cf8f3d6b53b44bf73fbf471bbfe5bd88c16f3e58f2311152fd7776b47
                                                      • Instruction Fuzzy Hash: D4B14570E00258DFDB10DFA8D985BDDBBB2BF49314F1441A9E409AB382DB706A85CF91
                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000002,C0010000,00000001,00000000,00000002,00000080,00000000,00000000,00000000), ref: 00631F7A
                                                      • GetLastError.KERNEL32 ref: 00631F95
                                                      • CreateFileW.KERNEL32(?,C0010000,00000001,00000000,00000002,00000080,00000000), ref: 00632002
                                                      Strings
                                                      • Unable to create file '{}'!, xrefs: 0063222C
                                                      • Unable to verify DSA signature of SFX payload!, xrefs: 00632275
                                                      • C83F, xrefs: 006321AE
                                                      • Unable to process unknown compression format '{}'!, xrefs: 00632254
                                                      • Unable to verify offline file '{}'!, xrefs: 006322B1
                                                      • 5848, xrefs: 006321B8
                                                      • Xf, xrefs: 0063208A
                                                      • The file '{}' was successfully extracted from SFX., xrefs: 006321CD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CreateFile$ErrorLast
                                                      • String ID: 5848$C83F$The file '{}' was successfully extracted from SFX.$Unable to create file '{}'!$Unable to process unknown compression format '{}'!$Unable to verify DSA signature of SFX payload!$Unable to verify offline file '{}'!$Xf
                                                      • API String ID: 3733516855-1821070509
                                                      • Opcode ID: a1ab8f8a0f702c5e7ead9a4be57bd94c993e69029fc105a400bba00191b5c750
                                                      • Instruction ID: 42998310e9954018be488cf4f850715d56df72693ea81fdb5efceb8552a7894d
                                                      • Opcode Fuzzy Hash: a1ab8f8a0f702c5e7ead9a4be57bd94c993e69029fc105a400bba00191b5c750
                                                      • Instruction Fuzzy Hash: E1C1BC70D00209AFDB14EFA4CC59BEDBBB6BF48310F044199E8056B392DB71AA44CFA5
                                                      APIs
                                                      • CreateFileW.KERNELBASE(000000FF,00000001,00000005,00000000,00000003,00000000,00000000,00000020,?,945323AF,?,?), ref: 0060A4AA
                                                      • CloseHandle.KERNEL32(00000000,00000000,006A0BC6,?,?), ref: 0060A4CE
                                                        • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
                                                      • GetLastError.KERNEL32(?,006F8810,945323AF,The digest is not initialized!,00000020,?,945323AF,?,?), ref: 0060A53B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateDispatcherErrorExceptionFileHandleLastUser
                                                      • String ID: 1.0$<vm$The digest is not initialized!$Unable to open file '{}' for reading!$encoding$http://www.w3.org/2001/XMLSchema-instance$icarus-info$utf-8$version$xmlns:xs
                                                      • API String ID: 3278050421-1114099671
                                                      • Opcode ID: 8c7dfdb151c9c29ed04e321eb6c12c7d2bdf6464a9aa1c018f9d3b71d57dea23
                                                      • Instruction ID: 08bfe760d6afa441cd569397837002978e523121ba68b23d3ef6c4b013b741c6
                                                      • Opcode Fuzzy Hash: 8c7dfdb151c9c29ed04e321eb6c12c7d2bdf6464a9aa1c018f9d3b71d57dea23
                                                      • Instruction Fuzzy Hash: 0A8172B1D447099BCB00DFA4CD46BDEBBFAFF49710F10411AE415A7281EBB46A44CBA5
                                                      APIs
                                                      • GlobalAlloc.KERNELBASE(00000002,Zub,?,?,?,0062755A,?,?), ref: 00627E31
                                                      • GlobalLock.KERNEL32(00000000), ref: 00627E42
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00627E5E
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00627E72
                                                        • Part of subcall function 00628000: DeleteDC.GDI32(?), ref: 00628012
                                                      • GdipAlloc.GDIPLUS(00000010), ref: 00627E94
                                                      • GdipLoadImageFromStream.GDIPLUS(00000000,00000004), ref: 00627EC3
                                                      • GdipImageGetFrameDimensionsCount.GDIPLUS(?,?), ref: 00627EDC
                                                      • GdipImageGetFrameDimensionsList.GDIPLUS(?,00000000,00000000), ref: 00627F13
                                                      • GdipImageGetFrameCount.GDIPLUS(?,00000000,00000000), ref: 00627F46
                                                      • GdipGetPropertyItemSize.GDIPLUS(?,00005100,00000000), ref: 00627F6E
                                                      • GdipGetPropertyItem.GDIPLUS(00000000,00005100,00000000,00000000), ref: 00627F96
                                                      • GlobalFree.KERNEL32(00000000), ref: 00627FDF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Gdip$Global$Image$Frame$AllocCountDimensionsItemPropertyStream$CreateDeleteFreeFromListLoadLockSizeUnlock
                                                      • String ID: Zub
                                                      • API String ID: 831027338-1872691123
                                                      APIs
                                                      • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 005F51D9
                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 005F51E9
                                                      • GetProcAddress.KERNEL32(00000000), ref: 005F51F0
                                                      • SetDllDirectoryW.KERNEL32(006D0120), ref: 005F5214
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 005F5224
                                                      • GetProcAddress.KERNEL32(00000000), ref: 005F522B
                                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005F524C
                                                      • ExitProcess.KERNEL32 ref: 005F525B
                                                      • ExitProcess.KERNEL32 ref: 005F5267
                                                      Similarity
                                                      • API ID: AddressExitHandleModuleProcProcess$DirectoryFeatureHeapInformationPresentProcessor
                                                      • String ID: LdrEnumerateLoadedModules$SetDefaultDllDirectories$kernel32.dll$ntdll.dll
                                                      • API String ID: 1015791202-1451921263
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,00000001,00000005,?,00000003,00000080,00000000,945323AF), ref: 00628B89
                                                      • GetLastError.KERNEL32 ref: 00628BA3
                                                      • GetLastError.KERNEL32(Failed to open sfx file.), ref: 00629021
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 0062902B
                                                      • CloseHandle.KERNEL32(00000000,00000000,list too long), ref: 00629063
                                                      Similarity
                                                      • API ID: ErrorLast$CloseConcurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorCreateFileHandle
                                                      • String ID: 2C65$C5AE$Cannot open payload:'{}', err:{}$Failed to open sfx file.$list too long
                                                      • API String ID: 1226372023-4226211496
                                                      APIs
                                                      • WriteFile.KERNELBASE(?,00639F80,0063A400,?,00000000), ref: 00639892
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 0063995C
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 0063999E
                                                      • GetLastError.KERNEL32(Unable to write uncompressed data to the disk!,?,006F8810,00000002,Unable to allocate LZMA context!,00000000,00000000,00000000,00000000,000000FF,945323AF,00000000,006DF940,?,006A4F5E,000000FF), ref: 006399BC
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 006399C7
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 006399E6
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00639A04
                                                      Strings
                                                      • Unable to allocate LZMA context!, xrefs: 00639994
                                                      • The LZMA stream has ended prematurely!, xrefs: 006399DB
                                                      • Unable to decompress LZMA stream!, xrefs: 006399FA
                                                      • Unable to write uncompressed data to the disk!, xrefs: 006399B7
                                                      • Unable to read LZMA header!, xrefs: 00639951
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error$ErrorFileLastWrite
                                                      • String ID: The LZMA stream has ended prematurely!$Unable to allocate LZMA context!$Unable to decompress LZMA stream!$Unable to read LZMA header!$Unable to write uncompressed data to the disk!
                                                      • API String ID: 4218127867-2965191148
                                                      APIs
                                                      • FindFirstVolumeW.KERNELBASE(?,00000040,945323AF,?,?), ref: 005EF00B
                                                      • QueryDosDeviceW.KERNEL32(?,?,00000104,?,?,?), ref: 005EF0AC
                                                      • FindNextVolumeW.KERNEL32(00000000,?,00000040,?,?), ref: 005EF119
                                                      • GetLastError.KERNEL32(?,?), ref: 005EF127
                                                      • FindVolumeClose.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005EF2FC
                                                      • GetLastError.KERNEL32(?,?), ref: 005EF327
                                                      • GetLastError.KERNEL32(Unable to enumerate volumes!,?,?), ref: 005EF340
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005EF34D
                                                      Similarity
                                                      • API ID: ErrorFindLastVolume$CloseConcurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorDeviceFirstNextQuery
                                                      • String ID: Unable to convert NT path '{}' to a volume GUID path!$Unable to enumerate volumes!$\Device\LanmanRedirector\$\\?\
                                                      • API String ID: 1638443985-4107698323
                                                      APIs
                                                      • DeleteDC.GDI32(?), ref: 006280C6
                                                      • GetDC.USER32(?), ref: 006280E4
                                                      • GdipImageSelectActiveFrame.GDIPLUS(00000000,006C7D38,00000000), ref: 0062810E
                                                      • CreateCompatibleDC.GDI32(?), ref: 0062811E
                                                      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0062813A
                                                      • SelectObject.GDI32(00000000,00000000), ref: 0062814A
                                                      • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 00628164
                                                      • GdipGetImageHeight.GDIPLUS(?,00000000), ref: 0062818E
                                                      • GdipGetImageWidth.GDIPLUS(?,?), ref: 006281B3
                                                      • GdipDrawImageRectI.GDIPLUS(?,00000000,00000000,00000000,00000000,00000000), ref: 006281E0
                                                      • GdipDeleteGraphics.GDIPLUS(?), ref: 00628239
                                                      • GdipImageSelectActiveFrame.GDIPLUS(00000000,006C7D38,?), ref: 00628278
                                                      • ReleaseDC.USER32(?,?), ref: 0062828B
                                                      Similarity
                                                      • API ID: Gdip$Image$CreateSelect$ActiveCompatibleDeleteFrame$BitmapDrawFromGraphicsHeightObjectRectReleaseWidth
                                                      • String ID:
                                                      • API String ID: 4015333622-0
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00008000,00000000,945323AF,?,?,945323AF), ref: 005EE48D
                                                      • K32GetMappedFileNameW.KERNEL32(00000000,005A0000,?,00000000), ref: 005EE49B
                                                      • GetLastError.KERNEL32(Unable to retrieve the path of the module!), ref: 005EE5FB
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005EE605
                                                      • GetLastError.KERNEL32(Unable to get the path of the module!,?,006F8810,00000000), ref: 005EE61D
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005EE627
                                                      • GetLastError.KERNEL32(Unable to store the path of the module!,?,006F8810,00000000), ref: 005EE63F
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005EE649
                                                      Strings
                                                      • Unable to store the path of the module!, xrefs: 005EE63A
                                                      • Unable to retrieve the path of the module!, xrefs: 005EE5F6
                                                      • Unable to get the path of the module!, xrefs: 005EE618
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorErrorLast$CurrentFileMappedNameProcess
                                                      • String ID: Unable to get the path of the module!$Unable to retrieve the path of the module!$Unable to store the path of the module!
                                                      • API String ID: 3252908632-2385983247
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,006A13E6,000000FF,?,0060DB8E), ref: 006101E0
                                                        • Part of subcall function 005EA7B0: CreateDirectoryW.KERNELBASE(?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA7CD
                                                        • Part of subcall function 005EA7B0: GetLastError.KERNEL32(?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA7DB
                                                        • Part of subcall function 005EA7B0: GetFileAttributesW.KERNELBASE(?,?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA7F1
                                                        • Part of subcall function 005EA7B0: SetLastError.KERNEL32(000000B7,?,?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA809
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,006A13E6,000000FF,?,0060DB8E,?), ref: 0061026B
                                                      • GetLastError.KERNEL32(Create directory fail), ref: 006102C2
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 006102CC
                                                      Similarity
                                                      • API ID: ErrorLast$AttributesFile$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorCreateDirectory
                                                      • String ID: 64E867B7$Create directory '{}' fail {}!$Create directory fail$The folder {} already exists.$The temp folder '{}' has been successfully created.$isfx$tmp-path
                                                      • API String ID: 1965344717-3986052289
                                                      APIs
                                                      • CloseHandle.KERNEL32(00000000,00000001,?,?,?,?,?,?,945323AF), ref: 00614228
                                                      • CloseHandle.KERNEL32(00000000,00000001,?,?,?,?,?,?,945323AF), ref: 0061423D
                                                      Similarity
                                                      • API ID: CloseHandle
                                                      • String ID: '$5058$5058$6146$6146$Process '{}' finished with exit code '{}'$Process '{}', timeout '{}' is still running$Start of run_process '{}', cmdline '{}', timeout '{}'$isfx$isfx
                                                      • API String ID: 2962429428-2178435625
                                                      Strings
                                                      • Failed to convert file time to system time., xrefs: 005D8667
                                                      • %04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03hu, xrefs: 005D8376
                                                      • list too long, xrefs: 005D7DA7
                                                      • Failed to initialize the log file, xrefs: 005D778E
                                                      • Failed to convert the path to an absolute path., xrefs: 005D776C
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03hu$Failed to convert file time to system time.$Failed to convert the path to an absolute path.$Failed to initialize the log file$list too long
                                                      • API String ID: 0-2919189909
                                                      • Opcode ID: 29230b7ee4391365d9855b3a384f931437d16c5bb51cb867b947026bc3131525
                                                      • Instruction ID: a8b75e7a33a9fc6b009058c99978e0435af8c5504f7c087830beaad72cec3f58
                                                      • Opcode Fuzzy Hash: 29230b7ee4391365d9855b3a384f931437d16c5bb51cb867b947026bc3131525
                                                      • Instruction Fuzzy Hash: F4B17E71E0460D9FCB14DFA8D845AADBBB6FF89310F10861AE425A7391EB30A941CF95
                                                      APIs
                                                      • GetLastError.KERNEL32(Store data to HKLM failed.), ref: 00625720
                                                      • GetLastError.KERNEL32(Store data to HKCU failed.), ref: 006257F7
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 006259CB
                                                      Strings
                                                      • C06AEB9D-8774-46E7-8160-8321BCD14D9F, xrefs: 00625790
                                                      • Permanent storage - failed to store data to HKLM., xrefs: 00625728
                                                      • Permanent storage - failed to store data to HKCU., xrefs: 006257FF
                                                      • PSK contains null, xrefs: 006259BE
                                                      • SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198, xrefs: 006256B4
                                                      • Store data to HKCU failed., xrefs: 006257ED
                                                      • Store data to HKLM failed., xrefs: 00625716
                                                      Similarity
                                                      • API ID: ErrorLast$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                      • String ID: C06AEB9D-8774-46E7-8160-8321BCD14D9F$PSK contains null$Permanent storage - failed to store data to HKCU.$Permanent storage - failed to store data to HKLM.$SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198$Store data to HKCU failed.$Store data to HKLM failed.
                                                      • API String ID: 1226269410-1756622524
                                                      • Opcode ID: 0df0e52fdce64d66bf522ac5b25cfd1809f1fc0dd5cbd0f135d992c1a4d006af
                                                      • Instruction ID: b8076aa10c9ea9f2b8ad32b56a80f46be2f72985e224ab4803cb0a43c8014c58
                                                      • Opcode Fuzzy Hash: 0df0e52fdce64d66bf522ac5b25cfd1809f1fc0dd5cbd0f135d992c1a4d006af
                                                      • Instruction Fuzzy Hash: 6AC18C30D00659DFDB14DFA4C849BEDBBB6FF99304F10824AE8056B292DB756A85CF50
                                                      APIs
                                                        • Part of subcall function 006972AC: CreateFileW.KERNELBASE(?,00000000,?,0069769C,?,?,00000000,?,0069769C,?,0000000C), ref: 006972C9
                                                      • GetLastError.KERNEL32 ref: 00697707
                                                      • __dosmaperr.LIBCMT ref: 0069770E
                                                      • GetFileType.KERNELBASE(00000000), ref: 0069771A
                                                      • GetLastError.KERNEL32 ref: 00697724
                                                      • __dosmaperr.LIBCMT ref: 0069772D
                                                      • CloseHandle.KERNEL32(00000000), ref: 0069774D
                                                      • CloseHandle.KERNEL32(0068F1C3), ref: 0069789A
                                                      • GetLastError.KERNEL32 ref: 006978CC
                                                      • __dosmaperr.LIBCMT ref: 006978D3
                                                      Similarity
                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                      • String ID: H
                                                      • API String ID: 4237864984-2852464175
                                                      • Opcode ID: 30ca7f8f34cefd2114f0d700db18cd5e113e39eb68f9da5f3cde2ce1197f1944
                                                      • Instruction ID: 326739e5c924ede9f4d7aaa0d6543a7e5716be88e895e65b03cab691d05b9cdf
                                                      • Opcode Fuzzy Hash: 30ca7f8f34cefd2114f0d700db18cd5e113e39eb68f9da5f3cde2ce1197f1944
                                                      • Instruction Fuzzy Hash: 7CA12832A281189FCF199F78DC55BAD3BBAAB46310F14025DF8019F3A1CB359912CB55
                                                      APIs
                                                      • std::generic_category.LIBCPMTD ref: 00618ED0
                                                      Similarity
                                                      • API ID: std::generic_category
                                                      • String ID: 0C25$DSA verification check of file '{}' fail!$ED31$Failed to parse xml file '{}', '{}'$File is not DSA signed (alias:{})!$Mandatory file '{}' is missing in payload.$sfx info can't be parsed.$sfx info file wasn't found in payload.$sfx-info.xml
                                                      • API String ID: 2374251199-1067922666
                                                      • Opcode ID: e961819461868812d2c506aa2333fc64854780cc33266e629d195cc90a50b524
                                                      • Instruction ID: 3c1d4a18c0521286bed77f8b6b49c8b58d4a3fcb0b53eb36bf267e131b3f52c4
                                                      • Opcode Fuzzy Hash: e961819461868812d2c506aa2333fc64854780cc33266e629d195cc90a50b524
                                                      • Instruction Fuzzy Hash: 68A18C71E0021D9FCB15EFA4CC56BEDBBB6AF49310F040199E509A7281DB706E85CFA1
                                                      APIs
                                                        • Part of subcall function 00647DC0: GetProcessHeap.KERNEL32 ref: 00647E2A
                                                      • CreateFileW.KERNELBASE(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00645299
                                                      • GetLastError.KERNEL32 ref: 006452A7
                                                      • CloseHandle.KERNEL32(?,?), ref: 00645470
                                                      Similarity
                                                      • API ID: CloseCreateErrorFileHandleHeapLastProcess
                                                      • String ID: SCSIDISK$\\.\Scsi%u:
                                                      • API String ID: 3436858811-3530472383
                                                      • Opcode ID: 3e0203ca355a8fa35011472c31079c16de0542e87c1e05399f2c0be1155af717
                                                      • Instruction ID: b8af44d55443bc8c49e04fa80fc846f72bae57011316314491e2779ac85677d3
                                                      • Opcode Fuzzy Hash: 3e0203ca355a8fa35011472c31079c16de0542e87c1e05399f2c0be1155af717
                                                      • Instruction Fuzzy Hash: DBA1E3709006099FDB11DFA8D885B9EBBF6EF09324F144159E905BB382DB74AA04CFA5
                                                      Similarity
                                                      • API ID:
                                                      • String ID: AVG$AVG$Avg$IcarusEnabled$PersistentStorage$avg$avg
                                                      • API String ID: 0-1260397143
                                                      • Opcode ID: 7cf7b1065cc8217c7f45d1e15d745f6bfe69623db4ebf78d3f5e46b50aff73c6
                                                      • Instruction ID: 15086dc0238883eb0cf13f8d3d2334bbe31c67f83dcffb97016dbd4ae02778fe
                                                      • Opcode Fuzzy Hash: 7cf7b1065cc8217c7f45d1e15d745f6bfe69623db4ebf78d3f5e46b50aff73c6
                                                      • Instruction Fuzzy Hash: 18A1BFB0921244CEDB80DF64DD49BB97BB4FB84308F10C32AE485A6660EF796584CB5B
                                                      APIs
                                                        • Part of subcall function 005F12B0: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,945323AF,0000000C,0000000C), ref: 005F136E
                                                        • Part of subcall function 005F0890: RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,000000FF,945323AF,0000000C,0000000C), ref: 005F0911
                                                      • RegCloseKey.ADVAPI32(?,?,?,0000000C,00000000), ref: 005F05ED
                                                      • SetLastError.KERNEL32(00000000,?,?,0000000C,00000000), ref: 005F05F8
                                                      • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,0000000C,00000000), ref: 005F06BF
                                                      • ExpandEnvironmentStringsW.KERNEL32(?,0000000C,?,-00000001,00000000,?,?,?,0000000C,00000000), ref: 005F072D
                                                      • RegCloseKey.ADVAPI32(00000000,0000000C,?,006F8B18,?,String environment expansion failed due to unexpected buffer size,?,006F8B18,?,String environment expansion failed,?,?,?,0000000C,00000000), ref: 005F083A
                                                      • SetLastError.KERNEL32(00000000,?,?,?,0000000C,00000000), ref: 005F0845
                                                      Strings
                                                      • String environment expansion failed due to unexpected buffer size, xrefs: 005F07F7
                                                      • String environment expansion failed, xrefs: 005F07C9
                                                      Similarity
                                                      • API ID: CloseEnvironmentErrorExpandLastStrings$OpenQueryValue
                                                      • String ID: String environment expansion failed$String environment expansion failed due to unexpected buffer size
                                                      • API String ID: 3482234664-527591527
                                                      • Opcode ID: e15b06fb4bea34730f704c9e2d3629515cd18fc8b52bca42f6b8ca4c095aef03
                                                      • Instruction ID: a122dcf656bc19e78c004ba2fe29670e29f5686f60d340722fee92ec04352150
                                                      • Opcode Fuzzy Hash: e15b06fb4bea34730f704c9e2d3629515cd18fc8b52bca42f6b8ca4c095aef03
                                                      • Instruction Fuzzy Hash: 73918071D0020D9EDF20DFA4D848BBEBBF9FF84704F149519E555A7281EB78AA44CB90
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,40000000,00000005,00000000,?,00000080,00000000), ref: 005ECCA7
                                                      • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,40000000,00000005,00000000,?,00000080,00000000), ref: 005ECCCB
                                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,40000000,00000005,00000000,?,00000080,00000000), ref: 005ECCD6
                                                      • GetLastError.KERNEL32(?,40000000,00000005,00000000,?,00000080,00000000), ref: 005ECCF7
                                                        • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
                                                      • GetLastError.KERNEL32(set_file_content,?,006F8810,00000000,set_file_content '{}',00000015,?,?,40000000,00000005,00000000,?,00000080,00000000), ref: 005ECD21
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005ECD2B
                                                      Similarity
                                                      • API ID: ErrorFileLast$ChangeCloseConcurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorCreateDispatcherExceptionFindNotificationUserWrite
                                                      • String ID: set_file_content$set_file_content '{}'
                                                      • API String ID: 2798191477-2708867019
                                                      • Opcode ID: f8fb93c3ff2ac6a9023a848cf007d2a97b67669d1e9e712c8fef8e83590e1d49
                                                      • Instruction ID: a16eea8cb13172a61a7adeb4aff053615263094e05d488ef6796c9de2b742402
                                                      • Opcode Fuzzy Hash: f8fb93c3ff2ac6a9023a848cf007d2a97b67669d1e9e712c8fef8e83590e1d49
                                                      • Instruction Fuzzy Hash: 7B31B671A00259AFCB14EFA5CC09FEEBBBAFF45714F100119F515A7291EB306600CBA4
                                                      APIs
                                                      • CreateDirectoryW.KERNELBASE(?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA7CD
                                                      • GetLastError.KERNEL32(?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA7DB
                                                      • GetFileAttributesW.KERNELBASE(?,?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA7F1
                                                      • SetLastError.KERNEL32(000000B7,?,?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA809
                                                      • CreateDirectoryW.KERNEL32(?,?,?,006D9DE8), ref: 005EA890
                                                      • CreateDirectoryW.KERNEL32(?,?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA8B6
                                                      • GetLastError.KERNEL32(?,?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA8C0
                                                      • GetFileAttributesW.KERNEL32(?,?,?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA8D1
                                                      • SetLastError.KERNEL32(00000000,?,?,?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA8E1
                                                      Similarity
                                                      • API ID: ErrorLast$CreateDirectory$AttributesFile
                                                      • String ID:
                                                      • API String ID: 2650082360-0
                                                      • Opcode ID: a25a33549defef77d4ad128f475ab75cae41333c0459c12ed6bf5d990fbe2b4d
                                                      • Instruction ID: dc78a8866dd6217298d662dce33b01f30e4675e82d6e9286e7eac87f61d4ff92
                                                      • Opcode Fuzzy Hash: a25a33549defef77d4ad128f475ab75cae41333c0459c12ed6bf5d990fbe2b4d
                                                      • Instruction Fuzzy Hash: D3319F71A082409BC728AF39DC4856ABBE5FFC5315F105E1AF8D593251E730BD468B93
                                                      APIs
                                                        • Part of subcall function 005EFB70: UnmapViewOfFile.KERNEL32(?,?,?,?,?,006F8810,00000000), ref: 005EFB90
                                                        • Part of subcall function 005EFB70: CloseHandle.KERNEL32(?,?,?,?,?,006F8810,00000000), ref: 005EFBB7
                                                        • Part of subcall function 005EFB70: CloseHandle.KERNEL32(?,?,?,?,?,006F8810,00000000), ref: 005EFBD0
                                                        • Part of subcall function 005EFC10: UnmapViewOfFile.KERNEL32(00000000,945323AF,?,?,?,?,?,?,?,?,00000000,0069E26D,000000FF,?,005EFBFF,00000000), ref: 005EFCB0
                                                        • Part of subcall function 005EFC10: MapViewOfFile.KERNELBASE(?,00000000,00000000,00000000,00000000,945323AF,?,?,?,?,?,?,?,?,00000000,0069E26D), ref: 005EFCDA
                                                      • UnmapViewOfFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 005DDF59
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 005DDF67
                                                      • CloseHandle.KERNEL32(FFFFFFFF,?,00000000,?,00000000), ref: 005DDF76
                                                      • UnmapViewOfFile.KERNEL32(?,00000000,?,006F8810,00000000,Unable to retrieve size of unmapped view!,00000000,00000000,02000000,?,?,00000000,?,00000000), ref: 005DDFEB
                                                      • CloseHandle.KERNEL32(00000000,00000000,?,006F8810,00000000,Unable to retrieve size of unmapped view!,00000000,00000000,02000000,?,?,00000000,?,00000000), ref: 005DE00B
                                                      • CloseHandle.KERNEL32(00000000,00000000,?,006F8810,00000000,Unable to retrieve size of unmapped view!,00000000,00000000,02000000,?,?,00000000,?,00000000), ref: 005DE020
                                                        • Part of subcall function 005EFC10: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005EFD6A
                                                      Strings
                                                      • Unable to retrieve size of unmapped view!, xrefs: 005DDF9C
                                                      Similarity
                                                      • API ID: CloseHandle$FileView$Unmap$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                      • String ID: Unable to retrieve size of unmapped view!
                                                      • API String ID: 1092123594-268701684
                                                      • Opcode ID: 0ac0119b819f69057c5ff1190f9a8af00fa9e2f68fb1e3cceb9c136723de8979
                                                      • Instruction ID: c3c8e133ee37810b90b30c87682aa47d907d119e2af849ff9b2aded4831b210e
                                                      • Opcode Fuzzy Hash: 0ac0119b819f69057c5ff1190f9a8af00fa9e2f68fb1e3cceb9c136723de8979
                                                      • Instruction Fuzzy Hash: BA616A70E043489FDB20DFA9DC48B9EBBB9FF49320F14421AE811A7391DB74A945CB60
                                                      APIs
                                                      • UnmapViewOfFile.KERNEL32(00000000,945323AF,?,?,?,?,?,?,?,?,00000000,0069E26D,000000FF,?,005EFBFF,00000000), ref: 005EFCB0
                                                      • MapViewOfFile.KERNELBASE(?,00000000,00000000,00000000,00000000,945323AF,?,?,?,?,?,?,?,?,00000000,0069E26D), ref: 005EFCDA
                                                      • GetLastError.KERNEL32(Unable to create mapping view!,?,006F857C,0069E26D,006F8810,?,Unable to map a view of uninitialized mapping!,945323AF,?,?,?), ref: 005EFD60
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005EFD6A
                                                      Strings
                                                      • Unable to map a view of uninitialized mapping!, xrefs: 005EFD0D
                                                      • Unable to map a view outside of the file mapping!, xrefs: 005EFD04
                                                      • Unable to create mapping view!, xrefs: 005EFD5B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: FileView$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorErrorLastUnmap
                                                      • String ID: Unable to create mapping view!$Unable to map a view of uninitialized mapping!$Unable to map a view outside of the file mapping!
                                                      • API String ID: 1737011392-1948104343
                                                      • Opcode ID: f6dae54fa33f5160e4a9fe07d46c545d0bc1b77d94d1aa9b1db3b6182865fd8f
                                                      • Instruction ID: 6ca4217b1888137cabb270517dd18c1264a201bf202c16b7d51306efc065ea0d
                                                      • Opcode Fuzzy Hash: f6dae54fa33f5160e4a9fe07d46c545d0bc1b77d94d1aa9b1db3b6182865fd8f
                                                      • Instruction Fuzzy Hash: BC418071A007899FDB28DF66CD45B9ABBFABB88700F14452DE845D3651EF71AC00CB60
                                                      APIs
                                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,005E6844,00000000), ref: 005ECD5D
                                                      • WriteFile.KERNELBASE(00000000,00000000,Dh^,?,00000000,?,?,?,?,?,005E6844,00000000), ref: 005ECD6E
                                                      • SetEndOfFile.KERNELBASE(00000000,?,?,?,?,?,005E6844,00000000), ref: 005ECD79
                                                      • GetLastError.KERNEL32(set_file_content,?,?,?,?,?,005E6844,00000000), ref: 005ECD94
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005ECD9E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: File$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorErrorLastPointerWrite
                                                      • String ID: Dh^$set_file_content
                                                      • API String ID: 1544028900-1109201371
                                                      • Opcode ID: ba330ec5287a0658ed722caf17be477c12e40dbc3efd12f5d74cce71baaaf552
                                                      • Instruction ID: b4678275323ae7893db9c7f30c9f323547ae574fd12c3b8143feb538e32468c6
                                                      • Opcode Fuzzy Hash: ba330ec5287a0658ed722caf17be477c12e40dbc3efd12f5d74cce71baaaf552
                                                      • Instruction Fuzzy Hash: 2FF08131A00208BBD710AFA5DC49FFF7B7DEB86B11F404069F90597180DE31A901CBA5
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 0061648F
                                                      Strings
                                                      • DSA verification check of downloaded data product-info.xml (url {}) fail., xrefs: 0061642A
                                                      • DSA signature is invalid:'{}'., xrefs: 00616440
                                                      • Xf, xrefs: 006160F8
                                                      • F7951891, xrefs: 00616396
                                                      • Downloaded product-info.xml (url {}) is empty., xrefs: 006163B7, 006163CF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ___std_exception_copy
                                                      • String ID: DSA signature is invalid:'{}'.$DSA verification check of downloaded data product-info.xml (url {}) fail.$Downloaded product-info.xml (url {}) is empty.$F7951891$Xf
                                                      • API String ID: 2659868963-1680476506
                                                      • Opcode ID: 60c814283c45d246e604e4dca3f04a2607c8baf744d9abf0f1a5a0086e0cef27
                                                      • Instruction ID: ccb6fa255cca2684a9384b777c93d38fde4808e7fa0930a3afa66dc2da0bdac4
                                                      • Opcode Fuzzy Hash: 60c814283c45d246e604e4dca3f04a2607c8baf744d9abf0f1a5a0086e0cef27
                                                      • Instruction Fuzzy Hash: FDC16C75E002199BDB14DFA4CC44BEDBBB6FF49310F14825AE419A7380DB74AA85CFA4
                                                      APIs
                                                      • UnmapViewOfFile.KERNEL32(00000000,?,?), ref: 00639D5D
                                                      • CloseHandle.KERNEL32(00000000,?,?), ref: 00639D6B
                                                      • CloseHandle.KERNEL32(FFFFFFFF,?,?), ref: 00639D7A
                                                      • CloseHandle.KERNEL32(00000000), ref: 00639E78
                                                      • CloseHandle.KERNEL32(00000000), ref: 00639E8E
                                                        • Part of subcall function 005EFB70: UnmapViewOfFile.KERNEL32(?,?,?,?,?,006F8810,00000000), ref: 005EFB90
                                                        • Part of subcall function 005EFB70: CloseHandle.KERNEL32(?,?,?,?,?,006F8810,00000000), ref: 005EFBB7
                                                        • Part of subcall function 005EFB70: CloseHandle.KERNEL32(?,?,?,?,?,006F8810,00000000), ref: 005EFBD0
                                                      Strings
                                                      • Unable to retrieve size of unmapped view!, xrefs: 00639DB4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle$FileUnmapView
                                                      • String ID: Unable to retrieve size of unmapped view!
                                                      • API String ID: 260491571-268701684
                                                      • Opcode ID: 2de692c530f4dfef7319c2c643ee7c6ccdeb71b55ccc8614ea916c7c11392ab2
                                                      • Instruction ID: 78ac7448520e4250a1ce3568d197ecdb1280452d6d4755e82211a64543d425af
                                                      • Opcode Fuzzy Hash: 2de692c530f4dfef7319c2c643ee7c6ccdeb71b55ccc8614ea916c7c11392ab2
                                                      • Instruction Fuzzy Hash: D2815D71D04649ABDB10DFA4DC49BAEBBB9FF45720F10421AF825A33D0DBB46944CBA0
                                                      APIs
                                                      • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,945323AF,?,?), ref: 005EE7C5
                                                      • GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 005EE7EA
                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005EE819
                                                      • GetLastError.KERNEL32(?,006F8810,00000000,Unable to retrieve a path of the known folder ({})!,00000033,?,?,?), ref: 005EE9C0
                                                      • GetLastError.KERNEL32(?,006F8810,000000EA,Unable to retrieve a path of the known folder ({})!,00000033,?,?,006F8810,00000000,Unable to retrieve a path of the known folder ({})!,00000033,?,?,?), ref: 005EEA20
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: DirectoryErrorLast$FolderPathSystemWindows
                                                      • String ID: Unable to retrieve a path of the known folder ({})!
                                                      • API String ID: 1744653567-3064207712
                                                      • Opcode ID: 840a49037f79bb700c5a65d2db4cca71ae15940f2b55203e6605b0c5c7517113
                                                      • Instruction ID: 770937a98d31a8aff0c4c6bf2bf76a7bd88e4e6c1b3a92924c9697eb6f005059
                                                      • Opcode Fuzzy Hash: 840a49037f79bb700c5a65d2db4cca71ae15940f2b55203e6605b0c5c7517113
                                                      • Instruction Fuzzy Hash: 9961F871A10248AADB28EF55EC4FFAE7BADFB54700F10459AF445A3181DB70AF44CB61
                                                      APIs
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 0060A7DD
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 0060A7E8
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 0060A86D
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 0060A878
                                                        • Part of subcall function 0064C365: ReleaseSRWLockExclusive.KERNEL32(005FBB1F,?,005FBB27), ref: 0064C379
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
                                                      • String ID:
                                                      • API String ID: 3666349979-0
                                                      • Opcode ID: 9df414af83351103d2c8ad39f21ad24777a29c4b0d69e39e4a2ac8bfcaf8c242
                                                      • Instruction ID: 1531849708c3bc62e6aece1286f77273a008d4189815aee4bc47a39d55f7c5d7
                                                      • Opcode Fuzzy Hash: 9df414af83351103d2c8ad39f21ad24777a29c4b0d69e39e4a2ac8bfcaf8c242
                                                      • Instruction Fuzzy Hash: 27513772A40A08ABD724EF64DC01FDBB3ADFB05724F10462AF92593780E731B918CA95
                                                      APIs
                                                      • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,945323AF,?,0068C163,00000008,005F40DA,?,00000000), ref: 0068C117
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: FreeLibrary
                                                      • String ID: api-ms-$ext-ms-
                                                      • API String ID: 3664257935-537541572
                                                      • Opcode ID: eccd15f2dd67f47cc6253ca8231c895d0eec014bb93673d1323376557394f351
                                                      • Instruction ID: 3dfbbe161e668a192f07f155d02c48dbcb015847317cd093d078bec819583f5f
                                                      • Opcode Fuzzy Hash: eccd15f2dd67f47cc6253ca8231c895d0eec014bb93673d1323376557394f351
                                                      • Instruction Fuzzy Hash: 4921D571A05251EBCB21BB68DC85A9A37AADB417B0F255314F915A7392DA31ED00CBF0
                                                      APIs
                                                        • Part of subcall function 005EA7B0: CreateDirectoryW.KERNELBASE(?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA7CD
                                                        • Part of subcall function 005EA7B0: GetLastError.KERNEL32(?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA7DB
                                                        • Part of subcall function 005EA7B0: GetFileAttributesW.KERNELBASE(?,?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA7F1
                                                        • Part of subcall function 005EA7B0: SetLastError.KERNEL32(000000B7,?,?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA809
                                                      • CreateFileW.KERNELBASE(?,00000006,00000007,00000000,00000003,02000000,00000000,?,00000002), ref: 005EAFC4
                                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 005EAFD0
                                                      • GetLastError.KERNEL32 ref: 005EAFDD
                                                        • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
                                                      • GetLastError.KERNEL32(?,00000002), ref: 005EB004
                                                      Strings
                                                      • Unable to open directory '{}' for writing!, xrefs: 005EAFE6
                                                      • Unable to create directory '{}'!, xrefs: 005EB00D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$CreateFile$AttributesChangeCloseDirectoryDispatcherExceptionFindNotificationUser
                                                      • String ID: Unable to create directory '{}'!$Unable to open directory '{}' for writing!
                                                      • API String ID: 952813956-3801278387
                                                      • Opcode ID: 3e43f08253a5d33a48bee32fd437ff7a33a2ebb49137b327be23840aa601b288
                                                      • Instruction ID: 9e3b21f8dfd726ede8a585c1b538c63b71022806274c7415461aeb4db46c5339
                                                      • Opcode Fuzzy Hash: 3e43f08253a5d33a48bee32fd437ff7a33a2ebb49137b327be23840aa601b288
                                                      • Instruction Fuzzy Hash: CE0128717443047BE624BB65CC0EFAB3B6EAF41720F000615B6A6971D1EE70BA00CAB7
                                                      APIs
                                                      • SetLastError.KERNEL32(00000057,945323AF,00000000,?), ref: 00648D6F
                                                      • RegOpenKeyExW.KERNELBASE(?,?,00000000,00000007,00000000,945323AF,00000000,?), ref: 00648DC2
                                                      • SetLastError.KERNEL32(00000000), ref: 00648DCD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$Open
                                                      • String ID:
                                                      • API String ID: 1333505713-0
                                                      • Opcode ID: 131f131f4afc6ff1cd67d7c37aac2e98111a37d7f787acb1dd232d6ecec4933e
                                                      • Instruction ID: bac8c928f32c9172535b91ba17cc1c19a776ef04594322c450b1c8e79ecfa632
                                                      • Opcode Fuzzy Hash: 131f131f4afc6ff1cd67d7c37aac2e98111a37d7f787acb1dd232d6ecec4933e
                                                      • Instruction Fuzzy Hash: D6A18571901119AFDB24DF64DC89BAEBBB6FF08300F144199E819A3341DB75AE84CF90
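Reading note and added example (not part of the Joe Sandbox report or its IDA plugin): the argument lists in these entries are raw stack words in hex, so the values that matter are easy to skim past. In the CreateDirectoryW/CreateFileW entry above, CreateFileW at 005EAFC4 opens the path with dwDesiredAccess 00000006 (FILE_ADD_FILE|FILE_ADD_SUBDIRECTORY on a directory), dwShareMode 00000007, OPEN_EXISTING (00000003) and FILE_FLAG_BACKUP_SEMANTICS (02000000), which is the only way to obtain a handle to a directory; together with the string "Unable to open directory '{}' for writing!" in the same entry that is a writability probe, and the SetLastError(000000B7) in its subcall is ERROR_ALREADY_EXISTS. SHGetFolderPathW at 005EE7C5 asks for CSIDL 00000024, which is CSIDL_WINDOWS, with GetWindowsDirectoryW and GetSystemDirectoryW as fallbacks. RegOpenKeyExW at 00648DC2 requests samDesired 00000007 (KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY), and in the RegCreateKeyExW entry that follows, the second call at 006497D6 retries with dwOptions 00000004, REG_OPTION_BACKUP_RESTORE, under which samDesired is ignored and the key DACL does not apply when the thread holds SeBackupPrivilege or SeRestorePrivilege. One caveat on the API names themselves: the FindCloseChangeNotification.KERNELBASE(00000000) right after CreateFileW is in all likelihood CloseHandle; both exports resolve to the same address in kernelbase.dll, so address-based symbolisation can print either. The Python below automates this decoding for lines in the format shown here: it drops the stack residue past each API's parameter count and maps the remaining constants to their SDK names (the tables cover only the parameters used in this listing; extend them as needed). The sample input is constructed from lines copied out of the entries above.

```python
"""Decode hex argument lists in Joe Sandbox / IDA-plugin API annotations (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: annotation lines copied from the entries above.
SAMPLE = """
• CreateFileW.KERNELBASE(?,00000006,00000007,00000000,00000003,02000000,00000000,?,00000002), ref: 005EAFC4
• GetLastError.KERNEL32 ref: 005EAFDD
  • Part of subcall function 005EA7B0: SetLastError.KERNEL32(000000B7,?,?,0000000C,?,?,?,005C8624,?,00000001,00000000,00000000,?,945323AF,0000000C), ref: 005EA809
• SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,945323AF,?,?), ref: 005EE7C5
• RegOpenKeyExW.KERNELBASE(?,?,00000000,00000007,00000000,945323AF,00000000,?), ref: 00648DC2
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000004,?,00000000,00000000,00000000), ref: 006497D6
• SetLastError.KERNEL32(00000057,945323AF,00000000,?), ref: 00648D6F
"""

# "• Api.MODULE(args), ref: ADDR", optional "Part of subcall function X:" prefix, args optional.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Win32 constants, values as in the SDK headers; only what this listing needs.
FILE_ACCESS = {0x1: "FILE_READ_DATA/FILE_LIST_DIRECTORY", 0x2: "FILE_WRITE_DATA/FILE_ADD_FILE",
               0x4: "FILE_APPEND_DATA/FILE_ADD_SUBDIRECTORY", 0x40000000: "GENERIC_WRITE",
               0x80000000: "GENERIC_READ"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}
FILE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS"}
WIN32_ERROR = {0x0: "ERROR_SUCCESS", 0x57: "ERROR_INVALID_PARAMETER", 0xB7: "ERROR_ALREADY_EXISTS", 0xEA: "ERROR_MORE_DATA"}
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM"}
KEY_ACCESS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY", 0x8: "KEY_ENUMERATE_SUB_KEYS"}
REG_OPTIONS = {0x1: "REG_OPTION_VOLATILE", 0x4: "REG_OPTION_BACKUP_RESTORE"}

# api -> (parameter count, {index: (name, kind, table)}); values past the count are stack residue.
API_SPECS = {
    "CreateFileW": (7, {1: ("dwDesiredAccess", "flags", FILE_ACCESS),
                        2: ("dwShareMode", "flags", SHARE_MODE),
                        4: ("dwCreationDisposition", "enum", DISPOSITION),
                        5: ("dwFlagsAndAttributes", "flags", FILE_FLAGS)}),
    "SetLastError": (1, {0: ("dwErrCode", "enum", WIN32_ERROR)}),
    "SHGetFolderPathW": (5, {1: ("csidl", "csidl", CSIDL)}),
    "RegOpenKeyExW": (5, {3: ("samDesired", "flags", KEY_ACCESS)}),
    "RegCreateKeyExW": (9, {4: ("dwOptions", "flags", REG_OPTIONS),
                            5: ("samDesired", "flags", KEY_ACCESS)}),
}

@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: list      # int for hex literals, None for '?', str for inline string constants
    decoded: dict   # parameter name -> symbolic value

def _arg(token):
    token = token.strip()
    if token == "?":
        return None
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else token

def decode_flags(value, table):
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)   # bits the table does not name stay as hex
    return "|".join(names + ([f"0x{rest:X}"] if rest else [])) or "0"

def decode_value(value, kind, table):
    if kind == "flags":
        return decode_flags(value, table)
    if kind == "csidl":          # low byte is the folder id; 0x8000 is CSIDL_FLAG_CREATE
        return table.get(value & 0xFF, f"0x{value & 0xFF:X}") + ("|CSIDL_FLAG_CREATE" if value & 0x8000 else "")
    return table.get(value, f"0x{value:X}")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_arg(t) for t in raw.split(",")] if raw else []
    nparams, fields = API_SPECS.get(m.group("api"), (len(args), {}))
    call = ApiCall(m.group("api"), m.group("module"), m.group("ref").upper(), args[:nparams], {})
    for idx, (name, kind, table) in fields.items():
        if idx < len(call.args) and isinstance(call.args[idx], int):
            call.decoded[name] = decode_value(call.args[idx], kind, table)
    return call

def analyze(text):
    return [c for c in map(parse_line, text.splitlines()) if c]

def findings(calls):
    """Argument combinations in this listing that deserve a second look."""
    out = []
    for c in calls:
        d = c.decoded
        if c.api == "CreateFileW" and "FILE_FLAG_BACKUP_SEMANTICS" in d.get("dwFlagsAndAttributes", "") \
                and "FILE_WRITE_DATA" in d.get("dwDesiredAccess", ""):
            out.append(f"{c.ref}: directory opened with write access (writability probe)")
        if c.api == "RegCreateKeyExW" and "REG_OPTION_BACKUP_RESTORE" in d.get("dwOptions", ""):
            out.append(f"{c.ref}: REG_OPTION_BACKUP_RESTORE ignores samDesired and bypasses the key DACL "
                       "when SeBackupPrivilege/SeRestorePrivilege is enabled")
    return out
```

analyze(SAMPLE) returns one ApiCall per annotation line, with the decoded dict ready to grep or assert on; findings(analyze(SAMPLE)) lists the two entries flagged above. The truncation to the prototype's parameter count matters: the plugin dumps stack words in calling order, so for these x86 stdcall entries the first N values are the arguments and anything after them is whatever the caller left on the stack.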
                                                      APIs
                                                      • RegCreateKeyExW.KERNELBASE(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?), ref: 006497B2
                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000004,?,00000000,00000000,00000000), ref: 006497D6
                                                      • SetLastError.KERNEL32(00000000), ref: 006497E1
                                                      • RegSetValueExW.KERNELBASE(?,?,00000000,00000000,?,?,?,?,?), ref: 00649803
                                                      • SetLastError.KERNEL32(00000000), ref: 0064980C
                                                      • SetLastError.KERNEL32(00000057,?), ref: 00649840
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$Create$Value
                                                      • String ID:
                                                      • API String ID: 642683725-0
                                                      • Opcode ID: 3f36067e290058f8c4ebd4b1cb4281c1b3df32d9afa20d34c3e3041783eb9064
                                                      • Instruction ID: 7d3203f1bce43b42888c3d001f8a2c716b80320978c4a0f7b737bcecb2a7744e
                                                      • Opcode Fuzzy Hash: 3f36067e290058f8c4ebd4b1cb4281c1b3df32d9afa20d34c3e3041783eb9064
                                                      • Instruction Fuzzy Hash: 02312A71E4120AAFEB20DF68DC45BFFBBBAEB45700F104059E901A7280D775AD018BA0
                                                      APIs
                                                      • ExpandEnvironmentStringsW.KERNEL32(%TMP%,?,00000104,00000108,945323AF), ref: 005EACBF
                                                      • GetLastError.KERNEL32(Unable to expand %TMP{} environment variable!), ref: 005EAF42
                                                      • GetLastError.KERNEL32(?,006F8810,00000000), ref: 005EAF5F
                                                      Strings
                                                      • Unable to expand %TMP{} environment variable!, xrefs: 005EAF3D
                                                      • %TMP%, xrefs: 005EACBA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$EnvironmentExpandStrings
                                                      • String ID: %TMP%$Unable to expand %TMP{} environment variable!
                                                      • API String ID: 2871630417-2940734617
                                                      • Opcode ID: c7aa0d36a35d4b11b79a0a9ad1078053765627dd87cf8f545d038ce0b5bf76f9
                                                      • Instruction ID: d564440294be40ed5db1dd2b99008c682c88dc6f6cc2419257f92400530018e2
                                                      • Opcode Fuzzy Hash: c7aa0d36a35d4b11b79a0a9ad1078053765627dd87cf8f545d038ce0b5bf76f9
                                                      • Instruction Fuzzy Hash: 0341BE70D142499ADB14DFB9C845BEEFBB9FF48700F10862EE465A3281EB746644CBA1
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,08000000,00000000,945323AF,?,edat_dir,?,?,?,00000000,006A257D,000000FF), ref: 0061BD84
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000000,006A257D,000000FF), ref: 0061BDA5
                                                      • GetLastError.KERNEL32(?,?,?,00000000,006A257D,000000FF), ref: 0061BDC8
                                                        • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateDispatcherErrorExceptionFileHandleLastUser
                                                      • String ID: edat_dir$get_file_content '{}'
                                                      • API String ID: 3278050421-1165497833
                                                      • Opcode ID: 3ed366a549ac41f2d33692e9562796152bcf0003f944268baefa00faafbe5ece
                                                      • Instruction ID: 5f880f75576bb8a40404f3f458707fb4591434b3565e8ff22cc1c62efa375e02
                                                      • Opcode Fuzzy Hash: 3ed366a549ac41f2d33692e9562796152bcf0003f944268baefa00faafbe5ece
                                                      • Instruction Fuzzy Hash: 3C117571E40609AFDB14EFA9DC09FAEB7BAEF49710F10051AF515E72D0DB7469008B54
                                                      APIs
                                                      • UnmapViewOfFile.KERNEL32(?,?,?,?,?,006F8810,00000000), ref: 005EFB90
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,006F8810,00000000), ref: 005EFBB7
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,006F8810,00000000), ref: 005EFBD0
                                                      Strings
                                                      • Unable to create file mapping!, xrefs: 005EFB3F
                                                      • Unable to get file size!, xrefs: 005EFB1D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle$FileUnmapView
                                                      • String ID: Unable to create file mapping!$Unable to get file size!
                                                      • API String ID: 260491571-1879323020
                                                      • Opcode ID: 1f534a5f180c4d4d22504b0df7641f8106898d787c54592ce9d393dce79d6d53
                                                      • Instruction ID: b895ea4749c1446f70a6203516ccfdb947dc42db50eaf0f6819ff1272ad8ec7c
                                                      • Opcode Fuzzy Hash: 1f534a5f180c4d4d22504b0df7641f8106898d787c54592ce9d393dce79d6d53
                                                      • Instruction Fuzzy Hash: 821187702007419BE734AF29CC18B077FE8BB04320F100B2CE8E6866E0DBB5A9588BD4
                                                      APIs
                                                      • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,006DF940,006DF940), ref: 0063A292
                                                      • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,00000000,00000000,?,00000001,006DF940,006DF940), ref: 0063A2AC
                                                      • SetEndOfFile.KERNELBASE(?,?,?,?,00000000,00000000,?,00000000,00000000,?,00000001,006DF940,006DF940), ref: 0063A2B7
                                                      • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00000000,00000000,?,00000000,00000000,?,00000001), ref: 0063A2CC
                                                      • CloseHandle.KERNEL32(00000000), ref: 0063A3DA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: File$Pointer$CloseHandle
                                                      • String ID:
                                                      • API String ID: 1851150075-0
                                                      • Opcode ID: 34ecb4bb462591b732463b6c58ba6f56b45e4d9b66439d97ae452f4ab5284697
                                                      • Instruction ID: faea9aeb23cb397f02d746a26b88280ceee360f184fcaa0111357a6c4e7f9e6d
                                                      • Opcode Fuzzy Hash: 34ecb4bb462591b732463b6c58ba6f56b45e4d9b66439d97ae452f4ab5284697
                                                      • Instruction Fuzzy Hash: 24418271A00608ABDB10DFA9DC45BAEB7BAFB05720F144169FD15E7280DB70AD00DBE6
                                                      APIs
                                                      • FindVolumeClose.KERNEL32(00000000,?,?,006F8810,00000057,945323AF), ref: 005EF93B
                                                        • Part of subcall function 005EE770: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,945323AF,?,?), ref: 005EE7C5
                                                        • Part of subcall function 005EE770: GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 005EE7EA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseDirectoryFindFolderPathVolumeWindows
                                                      • String ID: \Device\LanmanRedirector\$\Device\Mup\$\SystemRoot\
                                                      • API String ID: 3371243582-816336259
                                                      • Opcode ID: b836439a4c24450d570be589686d45586bbbd38a026f38ab633aebbeb0175564
                                                      • Instruction ID: 1ed3fe8afe47307b18669e848be1b0967660489f09454cc399186498296d1e23
                                                      • Opcode Fuzzy Hash: b836439a4c24450d570be589686d45586bbbd38a026f38ab633aebbeb0175564
                                                      • Instruction Fuzzy Hash: E9818F70D00249EFDF04DFA5D899BEDBBB5FF98304F50812AE455A7281EB706A48CB91
                                                      APIs
                                                      • GetVolumePathNamesForVolumeNameW.KERNELBASE(?,00000000,00000000,?,?,?,?,945323AF,?,00000000), ref: 005EF478
                                                      • GetVolumePathNamesForVolumeNameW.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 005EF4B7
                                                      • GetLastError.KERNEL32 ref: 005EF605
                                                      Strings
                                                      • Unable to retrieve volume paths for volume '{}'!, xrefs: 005EF611
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Volume$NameNamesPath$ErrorLast
                                                      • String ID: Unable to retrieve volume paths for volume '{}'!
                                                      • API String ID: 1243668693-190204307
                                                      • Opcode ID: 4a862113cd90622e02606a4dddfb0d3707bbf9fef0925485a626fe5b6bb53a5e
                                                      • Instruction ID: 7aa56f2ff187b9082a9143f6a9a5be26921dfe9042dc9b1d68560ef337ff39f3
                                                      • Opcode Fuzzy Hash: 4a862113cd90622e02606a4dddfb0d3707bbf9fef0925485a626fe5b6bb53a5e
                                                      • Instruction Fuzzy Hash: 42816D71D002499EDF14DFA4C855BEEBBB5FF98304F14862DE415A7281EB70A685CB90
                                                      APIs
                                                        • Part of subcall function 005EE770: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,945323AF,?,?), ref: 005EE7C5
                                                        • Part of subcall function 005EE770: GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 005EE7EA
                                                      • GetFileAttributesW.KERNELBASE(?,-00000088,945323AF), ref: 005C86FA
                                                      Strings
                                                      • D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA), xrefs: 005C8805, 005C885F
                                                      • O:BAG:BAD:P(A;CIOI;FA;;;SY)(A;CIOI;FA;;;BA)(A;CIOI;DTFRFW;;;BU), xrefs: 005C877C
                                                      • D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU), xrefs: 005C871F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AttributesDirectoryFileFolderPathWindows
                                                      • String ID: D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)$D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)$O:BAG:BAD:P(A;CIOI;FA;;;SY)(A;CIOI;FA;;;BA)(A;CIOI;DTFRFW;;;BU)
                                                      • API String ID: 4286144708-1970287685
                                                      • Opcode ID: 132db4ea6f1ed95771873b9c2b83b753d0f9909a826ef21776f162e0e9c570a3
                                                      • Instruction ID: 62874268a58d9133a442203961710d0a3f3ec20ea2a6773b9e40e4dcb6f8241c
                                                      • Opcode Fuzzy Hash: 132db4ea6f1ed95771873b9c2b83b753d0f9909a826ef21776f162e0e9c570a3
                                                      • Instruction Fuzzy Hash: 95613E70D10259DEDB14EBE0CC5ABEDBB75BFA4308F54425CE40567282EF742A49CB62
                                                      APIs
                                                      • std::generic_category.LIBCPMTD ref: 0060143F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: std::generic_category
                                                      • String ID: temp-base-dir$tmp-path$xperf
                                                      • API String ID: 2374251199-4180264099
                                                      • Opcode ID: 26f7cc380eb21b203a97d965be66ec9b8180d7ce516c302f0a44d97b7e7526a4
                                                      • Instruction ID: de8c56904dd6f984a1e84056921865e0ae2c976cb95a76e5e2a84730f3e08382
                                                      • Opcode Fuzzy Hash: 26f7cc380eb21b203a97d965be66ec9b8180d7ce516c302f0a44d97b7e7526a4
                                                      • Instruction Fuzzy Hash: 70516A71E0021D9FCB18DFA4C855AEEBBBAFF49714F04009AE906A7390DB306A45CF91
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,04000100,00000000), ref: 00616C77
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,00000000,00000000), ref: 00616CEC
                                                      • GetLastError.KERNEL32 ref: 00616D28
                                                        • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
                                                      Strings
                                                      • Unable to create temporary file '{}', xrefs: 00616D34
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateDispatcherErrorExceptionFileHandleLastUser
                                                      • String ID: Unable to create temporary file '{}'
                                                      • API String ID: 3278050421-3251441461
                                                      • Opcode ID: aefc6ab5fd2e59ae2ad5bb852a4832bbd03c3010b860913a887955f90205bd22
                                                      • Instruction ID: f1663de34f0ea10398653e92150dc7237d04d0243ad133641cf74bdb1b5fc469
                                                      • Opcode Fuzzy Hash: aefc6ab5fd2e59ae2ad5bb852a4832bbd03c3010b860913a887955f90205bd22
                                                      • Instruction Fuzzy Hash: FF516A71D00209AFDB10DFA4D845FEEBBB5FF49710F10822AF915A7291EB706A44CBA1
                                                      APIs
                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 005DB89C
                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 005DB8B0
                                                      • GetCurrentThreadId.KERNEL32 ref: 005DB8B9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CurrentTime$FileProcessSystemThread
                                                      • String ID: xom
                                                      • API String ID: 2426501826-1959103095
                                                      • Opcode ID: 47a9b6b73f1dc6be3924f33978b7cb8c11730144f356c8688599e44cb6552171
                                                      • Instruction ID: 0ffd1776e803324d5cb1bc142d6c5feb4fc60f5d1a5678426cd77e0cbb5f4a88
                                                      • Opcode Fuzzy Hash: 47a9b6b73f1dc6be3924f33978b7cb8c11730144f356c8688599e44cb6552171
                                                      • Instruction Fuzzy Hash: F451DDB1C00708CFCB14DF68C845AAABBF5FF49314F00865EE855AB751EB70A984CB91
                                                      APIs
                                                      • GetDiskFreeSpaceExW.KERNELBASE(00000000,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005FB91D
                                                      Strings
                                                      • get_available_disk_space, xrefs: 005FB96A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: DiskFreeSpace
                                                      • String ID: get_available_disk_space
                                                      • API String ID: 1705453755-1899927582
                                                      • Opcode ID: 6c89ca05f16d39cb6f6edd18babd63ebd57f572233ba9bdcb964d5eff3d9a48e
                                                      • Instruction ID: 219ed8e2d9956ec401db8df823ee51118bc5f892cc8e2b4769702b67705a2dbc
                                                      • Opcode Fuzzy Hash: 6c89ca05f16d39cb6f6edd18babd63ebd57f572233ba9bdcb964d5eff3d9a48e
                                                      • Instruction Fuzzy Hash: 53419271E0020CDFDB08DF95D945FAEBBB9FF84700F108569EA11A7251DB74A904CBA1
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,945323AF,0000000C,?,?,?,?,?,00000020,0064C527,00000000,00000080,?,?,?,005F7C4E), ref: 005C8539
                                                      • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,00000000,00000000), ref: 005C860D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: DescriptorSecurity$AttributesConvertFileString
                                                      • String ID: SeRestorePrivilege$SeTakeOwnershipPrivilege
                                                      • API String ID: 2746451971-3495689257
                                                      • Opcode ID: f67535c676ca29d7fb146fe925a978893c71f23b2876d654b90e3e0eef74377a
                                                      • Instruction ID: 0e1ec9f912ff337af8c9301a9d15b05e0e1e8d3b860eaa18e75b7d34e1af2aa1
                                                      • Opcode Fuzzy Hash: f67535c676ca29d7fb146fe925a978893c71f23b2876d654b90e3e0eef74377a
                                                      • Instruction Fuzzy Hash: 94418170D002499FDB24DFA4D859BFEBBF6BB49308F04052EE855A7381DB756908CBA1
                                                      APIs
                                                        • Part of subcall function 005E3DE0: InitializeCriticalSection.KERNEL32(00000000,?,?,005B99FB,?,945323AF,?,?), ref: 005E3E09
                                                        • Part of subcall function 005E3DE0: DeleteCriticalSection.KERNEL32(00000000,?,?,005B99FB,?,945323AF,?,?), ref: 005E3E23
                                                        • Part of subcall function 005E3DE0: EnterCriticalSection.KERNEL32(031A4BE0,0070765C,00707660,?,?,?,005B8F53,945323AF,0070765C,?,?,?,005B99FB,?,945323AF,?), ref: 005E3E6D
                                                      • SetEvent.KERNEL32(00000000,945323AF,0070765C,?,?,?,?,?,?,?,?,?,?,00000000,0069D1C5,000000FF), ref: 005E3EDA
                                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,00000000,0069D1C5,000000FF,?,005B9A9A), ref: 005E3EF4
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 005E3F16
                                                      Strings
                                                      • asw::lifetime::impl::lifetime_creation_monitor_holder::set_created, xrefs: 005E3F39
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$ChangeCloseDeleteEnterEventFindInitializeLeaveNotification
                                                      • String ID: asw::lifetime::impl::lifetime_creation_monitor_holder::set_created
                                                      • API String ID: 2148637788-3605786268
                                                      • Opcode ID: ebbce21f74963bf8a7c61e31010290ea0f2a6d4ac9f9a46d2ef5f9ba46e86a28
                                                      • Instruction ID: 0b2f3bdf87893bb500c60e1532823e4bdf3ee4ad020a73b42e042ff67e818830
                                                      • Opcode Fuzzy Hash: ebbce21f74963bf8a7c61e31010290ea0f2a6d4ac9f9a46d2ef5f9ba46e86a28
                                                      • Instruction Fuzzy Hash: 6321A131D04249AFCB11EF65CC49BAEBFB9FF14710F14462AE851A7290EB34AA45CF90
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,C0010000,00000001,00000000,00000002,00000080,00000000,945323AF), ref: 0061F2D0
                                                      • CloseHandle.KERNEL32(00000000), ref: 0061F30A
                                                      Strings
                                                      • Unable to create file '{}'!, xrefs: 0061F359
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateFileHandle
                                                      • String ID: Unable to create file '{}'!
                                                      • API String ID: 3498533004-787908802
                                                      • Opcode ID: 87087100fedfdce276f5b690cdac695c78d4b9f4c6cf2a8d5c5001bc3921b3da
                                                      • Instruction ID: 2ddc76c9b15120648bf8be2426b352158184b94d4b20e9ced9bf26413fdbc93c
                                                      • Opcode Fuzzy Hash: 87087100fedfdce276f5b690cdac695c78d4b9f4c6cf2a8d5c5001bc3921b3da
                                                      • Instruction Fuzzy Hash: 4521D771A00208AFDB14DF99CC49FEEB7B9FB48B10F10022AF515A7391DB746900CB90
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,C0010000,00000001,00000000,00000002,00000080,00000000,945323AF,?,?,?,006A203D,000000FF,?,00616CDD,?), ref: 00617D70
                                                      • CloseHandle.KERNEL32(00000000,00000000,?,006A203D,000000FF,?,00616CDD,?,00000000,?,00000000), ref: 00617D95
                                                      Strings
                                                      • Unable to create file '{}'!, xrefs: 00617DE4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateFileHandle
                                                      • String ID: Unable to create file '{}'!
                                                      • API String ID: 3498533004-787908802
                                                      • Opcode ID: 8a9f6d8d19c8b0daaf309943858bd2dbe993d11cf38383ece7ce6a5c265d9ae2
                                                      • Instruction ID: 092c992fcfb72f8136c10d13ef165d1e24520e22f1de12119ee2a82fe414e69a
                                                      • Opcode Fuzzy Hash: 8a9f6d8d19c8b0daaf309943858bd2dbe993d11cf38383ece7ce6a5c265d9ae2
                                                      • Instruction Fuzzy Hash: 40119071A44218ABDB10EB99DC45FAEB7B9FF49B10F10021AF515A32C0DB746940CB64
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(shell32.dll,945323AF), ref: 00626DB1
                                                      • GetProcAddress.KERNEL32(00000000,SHGetPropertyStoreForWindow), ref: 00626DC5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AddressHandleModuleProc
                                                      • String ID: SHGetPropertyStoreForWindow$shell32.dll
                                                      • API String ID: 1646373207-1874690567
                                                      • Opcode ID: 701f9eac84a1ad354bbf672573740452ab3da53a9346bf8b89a848e2f503f840
                                                      • Instruction ID: b6b70e8dea07a54dd9a1b8a452b7488bd1df9cea0c4f516fa5df39929499317a
                                                      • Opcode Fuzzy Hash: 701f9eac84a1ad354bbf672573740452ab3da53a9346bf8b89a848e2f503f840
                                                      • Instruction Fuzzy Hash: 95214134D046599FCB10DFA5DC45BEEBBF9EB09724F01412AE811A7390DB75AA048BA0
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(-00000044,00000000,00000003,?,?,?,?), ref: 005D788C
                                                      • LeaveCriticalSection.KERNEL32(-00000044), ref: 005D78AA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3168844106-0
                                                      • Opcode ID: f53df248c2ecb34d9c3e0a31fd9dcd20996a811848be7e1793e953d4a5e88591
                                                      • Instruction ID: 1489b07fa603af9450456982a01e12b789c9474e904193937e6aaafe19d83460
                                                      • Opcode Fuzzy Hash: f53df248c2ecb34d9c3e0a31fd9dcd20996a811848be7e1793e953d4a5e88591
                                                      • Instruction Fuzzy Hash: 1B91C7719046088FDF24DF68C889BAEBBA5BF49310F04415BE805AB381E735AD45CBA1
                                                      APIs
                                                        • Part of subcall function 00647DC0: GetProcessHeap.KERNEL32 ref: 00647E2A
                                                      • MultiByteToWideChar.KERNEL32(00000003,00000000,00000001,000000FF,00000000,00000000), ref: 006461C2
                                                      • MultiByteToWideChar.KERNEL32(00000003,00000000,00000001,000000FF,00000010,-00000001), ref: 006461F5
                                                      • WideCharToMultiByte.KERNEL32(00000003,00000000,00000010,000000FF,00000000,00000000,00000000,00000000), ref: 00646246
                                                      • WideCharToMultiByte.KERNEL32(00000003,00000000,00000010,000000FF,?,-00000001,00000000,00000000), ref: 0064627F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$HeapProcess
                                                      • String ID:
                                                      • API String ID: 2590121937-0
                                                      • Opcode ID: 8f73a7757da191d763ac51f76b3abc3428fc209eebec831dc15d3085cb89b7df
                                                      • Instruction ID: e3d8374b14fe33fafdd8787da12f104f6eec23ac4dcac399784477b585d6ee25
                                                      • Opcode Fuzzy Hash: 8f73a7757da191d763ac51f76b3abc3428fc209eebec831dc15d3085cb89b7df
                                                      • Instruction Fuzzy Hash: DC719F31A00209AFDB14DF58DC94B9EBBB6FF46320F20412DF915AB391DB70AA01CB55
                                                      APIs
                                                      • ___scrt_release_startup_lock.LIBCMT ref: 00649F02
                                                      • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00649F17
                                                      • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00649F42
                                                      • ___scrt_uninitialize_crt.LIBCMT ref: 00649F99
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
                                                      • String ID:
                                                      • API String ID: 3089971210-0
                                                      • Opcode ID: fd33136941d56d2a1aa7f9dfffe9796de33128e5de930d8c7a48216d29875a79
                                                      • Instruction ID: 0a27404571383a08fa7f411d8a901bb185a6647607b4a7ac573f55e8a0db7624
                                                      • Opcode Fuzzy Hash: fd33136941d56d2a1aa7f9dfffe9796de33128e5de930d8c7a48216d29875a79
                                                      • Instruction Fuzzy Hash: 67412C71E84204ABDB50BF649C037DE7BA3EF12714F14022DF845A73D2EE76590487AA
                                                      APIs
                                                        • Part of subcall function 005D6E00: EnterCriticalSection.KERNEL32(?,945323AF,?,?,?,?,?,?,?,?,?,?,0069C5F5,000000FF,?,005D6693), ref: 005D6E3C
                                                        • Part of subcall function 005D6E00: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0069C5F5,000000FF,?,005D6693,945323AF), ref: 005D6E5A
                                                        • Part of subcall function 005D6E00: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0069C5F5,000000FF,?,005D6693), ref: 005D6E77
                                                        • Part of subcall function 005D6E00: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0069C5F5,000000FF,?,005D6693,945323AF), ref: 005D6EB6
                                                        • Part of subcall function 005D6E00: GetFileSizeEx.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,0069C5F5,000000FF,?,005D6693), ref: 005D6ED6
                                                        • Part of subcall function 005DB8E0: FileTimeToSystemTime.KERNEL32(?,?,945323AF,?,?), ref: 005DB940
                                                      • EnterCriticalSection.KERNEL32(00000001,?), ref: 005D66C3
                                                      • LeaveCriticalSection.KERNEL32(00000001), ref: 005D66E4
                                                      • WriteFile.KERNELBASE(?,?,?,00000000,00000000), ref: 005D6719
                                                      • FlushFileBuffers.KERNEL32(?), ref: 005D6740
                                                      • GetLastError.KERNEL32 ref: 005D67D0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CriticalFileSection$Enter$LeaveSizeTime$BuffersErrorFlushLastSystemWrite
                                                      • String ID:
                                                      • API String ID: 3948539269-0
                                                      • Opcode ID: a2b46bd3a63943fc3370a69286bf4b790349a70addff524f0bba14ac34f87273
                                                      • Instruction ID: 938d1c525d8196ed85fe9a2dcc057bcc1ba33aa924cdbd3e5c03f5478d149fb0
                                                      • Opcode Fuzzy Hash: a2b46bd3a63943fc3370a69286bf4b790349a70addff524f0bba14ac34f87273
                                                      • Instruction Fuzzy Hash: E0418C75A002099FCB14DF68C888AAEBBBAFF49315F14411AE421E7350DB34ED42CFA0
                                                      APIs
                                                        • Part of subcall function 005F3250: GetModuleHandleW.KERNEL32(00000000,{9C7565A2-47C2-4869-B388-8C7F9AD8E577},00000030,945323AF,00000005,00000000), ref: 005F32AB
                                                        • Part of subcall function 005F3250: GetClassInfoExW.USER32(00000000), ref: 005F32B2
                                                        • Part of subcall function 005F3250: GetLastError.KERNEL32 ref: 005F32C0
                                                        • Part of subcall function 005F3250: Sleep.KERNELBASE(00000001), ref: 005F32CA
                                                        • Part of subcall function 005F3250: GetProcessHeap.KERNEL32 ref: 005F32E2
                                                        • Part of subcall function 005F3250: HeapAlloc.KERNEL32(00000000,00000000,00000034), ref: 005F32F7
                                                        • Part of subcall function 005F3250: InitializeCriticalSection.KERNEL32(00000000), ref: 005F331A
                                                        • Part of subcall function 005F3250: GetProcessHeap.KERNEL32 ref: 005F3320
                                                        • Part of subcall function 005F3250: GetProcessHeap.KERNEL32 ref: 005F333E
                                                        • Part of subcall function 005F3250: RegisterClassExW.USER32(00000030), ref: 005F3360
                                                        • Part of subcall function 005F3250: HeapFree.KERNEL32(?,00000000,00000000), ref: 005F3394
                                                        • Part of subcall function 005F3250: DeleteCriticalSection.KERNEL32(?), ref: 005F33BF
                                                        • Part of subcall function 005F3250: GetProcessHeap.KERNEL32 ref: 005F33C5
                                                      • EnterCriticalSection.KERNEL32(00000000,945323AF), ref: 005DC0CB
                                                        • Part of subcall function 00669148: ___unDName.LIBVCRUNTIME ref: 00669175
                                                        • Part of subcall function 005DC290: GetProcessHeap.KERNEL32(006D59BA,?,?,?,?,?,?,?,?,?,?,?,?,005DC0F8), ref: 005DC2A4
                                                        • Part of subcall function 005DC290: HeapAlloc.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,005DC0F8), ref: 005DC2DA
                                                      • HeapFree.KERNEL32(?,00000000,?,00000000), ref: 005DC12B
                                                      • asw_process_storage_deallocate_connector.SECURITEINFO.COM.TROJAN.SIGGEN29.7508.16428.4641 ref: 005DC13B
                                                      • LeaveCriticalSection.KERNEL32(00000000,00000000), ref: 005DC143
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$CriticalSection$AllocClassFree$DeleteEnterErrorHandleInfoInitializeLastLeaveModuleN29.7508.16428NameRegisterSleep___unasw_process_storage_deallocate_connector.
                                                      • String ID:
                                                      • API String ID: 1731676229-0
                                                      APIs
                                                        • Part of subcall function 005B8F10: CloseHandle.KERNEL32(031A4F00,945323AF,0070765C,?,?,?,005B99FB,?,945323AF,?), ref: 005B8F70
                                                        • Part of subcall function 005B8F10: LeaveCriticalSection.KERNEL32(?,945323AF,0070765C,?), ref: 005B8FAA
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,945323AF), ref: 005D201A
                                                      • CloseHandle.KERNEL32(?), ref: 005D2031
                                                        • Part of subcall function 005E4650: EnterCriticalSection.KERNEL32(00000000), ref: 005E46CE
                                                        • Part of subcall function 005E4650: LeaveCriticalSection.KERNEL32(00000000,?,?,00000000), ref: 005E4702
                                                        • Part of subcall function 005E3E80: SetEvent.KERNEL32(00000000,945323AF,0070765C,?,?,?,?,?,?,?,?,?,?,00000000,0069D1C5,000000FF), ref: 005E3EDA
                                                        • Part of subcall function 005E3E80: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,00000000,0069D1C5,000000FF,?,005B9A9A), ref: 005E3EF4
                                                        • Part of subcall function 005E3E80: LeaveCriticalSection.KERNEL32(?), ref: 005E3F16
                                                      Strings
                                                      • lifetime_object must be allocated on static memory (static or global variable or member of such a variable)., xrefs: 005D2065, 005D2093
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$CloseLeave$Handle$ChangeEnterEventFindNotificationObjectSingleWait
                                                      • String ID: lifetime_object must be allocated on static memory (static or global variable or member of such a variable).
                                                      • API String ID: 2560582975-2706815617
                                                      APIs
                                                        • Part of subcall function 005B8F10: CloseHandle.KERNEL32(031A4F00,945323AF,0070765C,?,?,?,005B99FB,?,945323AF,?), ref: 005B8F70
                                                        • Part of subcall function 005B8F10: LeaveCriticalSection.KERNEL32(?,945323AF,0070765C,?), ref: 005B8FAA
                                                      • WaitForSingleObject.KERNEL32(00000001,000000FF,?,945323AF,?,?), ref: 005B9AB3
                                                      • CloseHandle.KERNEL32(00000001), ref: 005B9ACA
                                                        • Part of subcall function 005E4650: EnterCriticalSection.KERNEL32(00000000), ref: 005E46CE
                                                        • Part of subcall function 005E4650: LeaveCriticalSection.KERNEL32(00000000,?,?,00000000), ref: 005E4702
                                                        • Part of subcall function 005E3E80: SetEvent.KERNEL32(00000000,945323AF,0070765C,?,?,?,?,?,?,?,?,?,?,00000000,0069D1C5,000000FF), ref: 005E3EDA
                                                        • Part of subcall function 005E3E80: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,00000000,0069D1C5,000000FF,?,005B9A9A), ref: 005E3EF4
                                                        • Part of subcall function 005E3E80: LeaveCriticalSection.KERNEL32(?), ref: 005E3F16
                                                      Strings
                                                      • lifetime_object must be allocated on static memory (static or global variable or member of such a variable)., xrefs: 005B9AFC, 005B9B2A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$CloseLeave$Handle$ChangeEnterEventFindNotificationObjectSingleWait
                                                      • String ID: lifetime_object must be allocated on static memory (static or global variable or member of such a variable).
                                                      • API String ID: 2560582975-2706815617
                                                      APIs
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 00626C9A
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 00626CA5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Cpp_errorThrow_std::_
                                                      • String ID: d
                                                      • API String ID: 2134207285-2564639436
                                                      APIs
                                                      • GetLastError.KERNEL32(00000000,-00000002,945323AF,00000000), ref: 00638B2F
                                                        • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
                                                      • SetFileInformationByHandle.KERNEL32(?,00000004,?,00000001,00000020,?), ref: 00638B7D
                                                      Strings
                                                      • Unable to create directory '{}'!, xrefs: 00638B3B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: DispatcherErrorExceptionFileHandleInformationLastUser
                                                      • String ID: Unable to create directory '{}'!
                                                      • API String ID: 3835546636-2841264205
                                                      APIs
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00624741
                                                      Strings
                                                      • Failed to get midex, xrefs: 00624738
                                                      • Unsupported midex length: {}, xrefs: 0062471C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                      • String ID: Failed to get midex$Unsupported midex length: {}
                                                      • API String ID: 116670465-2224421424
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(945323AF), ref: 005A8AAF
                                                        • Part of subcall function 005CC030: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000,00000000), ref: 005CC063
                                                      • GetCurrentProcess.KERNEL32 ref: 005A8AD4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Process$Current$InformationQuery
                                                      • String ID: %d-%s
                                                      • API String ID: 3761803441-1781338863
                                                      APIs
                                                      • SetFileTime.KERNELBASE(00000000,00000000,00000000,?,?,?,00989680,00000000,945323AF,?,00000000), ref: 00638D0C
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,006A4E4D,000000FF,?,?,?), ref: 00638D34
                                                      Strings
                                                      • Unable to set write time of file '{}'!, xrefs: 00638D49
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorFileLastTime
                                                      • String ID: Unable to set write time of file '{}'!
                                                      • API String ID: 2212998366-2070977618
                                                      APIs
                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 005B9E86
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ___std_exception_destroy
                                                      • String ID: Loading Proxy settings:$NV_
                                                      • API String ID: 4194217158-2818640257
                                                      APIs
                                                      • SetFileInformationByHandle.KERNELBASE(?,00000003,00000000,?,?,?,945323AF,?,?), ref: 005EB3A8
                                                      • GetLastError.KERNEL32(?,?,945323AF,?,?), ref: 005EB3BC
                                                      • Sleep.KERNEL32(000000C8,?,?,945323AF,?,?), ref: 005EB3D7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorFileHandleInformationLastSleep
                                                      • String ID:
                                                      • API String ID: 3034249586-0
                                                      • Opcode ID: fc01956a01012bc5033d980873209cbcc77c9e1c380040be95c73105a70ad24f
                                                      • Instruction ID: 8eee389533f3b80142d2fc10400774f234d635d5e83af63e2b3fca8102af4e3c
                                                      • Opcode Fuzzy Hash: fc01956a01012bc5033d980873209cbcc77c9e1c380040be95c73105a70ad24f
                                                      • Instruction Fuzzy Hash: 9A618B30A006098FDB15DF69C844BAEBBF6FF4A324F104619E4A5973E1DB75A901CF90
                                                      APIs
                                                        • Part of subcall function 005F12B0: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,945323AF,0000000C,0000000C), ref: 005F136E
                                                      • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,?,?,?,00000000,?), ref: 005CB897
                                                        • Part of subcall function 005F0290: ___std_exception_copy.LIBVCRUNTIME ref: 005F03CF
                                                      • RegCloseKey.ADVAPI32(?), ref: 005CB8D2
                                                      • SetLastError.KERNEL32(00000000), ref: 005CB8DD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseErrorLastOpenQueryValue___std_exception_copy
                                                      • String ID:
                                                      • API String ID: 941120629-0
                                                      • Opcode ID: 298b9c92d0651e2837424c4c5168d647398fbd8df6f270ae10073ee0e411dbad
                                                      • Instruction ID: 30e47dce0328b6f7bc022f7200c406a971da6678cfc0afa0c69ae82cf7a63437
                                                      • Opcode Fuzzy Hash: 298b9c92d0651e2837424c4c5168d647398fbd8df6f270ae10073ee0e411dbad
                                                      • Instruction Fuzzy Hash: E64160B1D0420CAFDF10DFA4DD49BAEBBB9FB48310F14416AE915A7381DB35A904CBA1
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,00010005,00000007,00000000,00000003,00000080,00000000,945323AF,?,00000001), ref: 005D6876
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: 3bb90099f3f0f72b5f67c7373ff681807e3b8e620cfc13c052fc1b4c4f0c550a
                                                      • Instruction ID: 46645de21cf8c06e0fcdbd919a0ed945cfbfd335547c8ce2e944e49d3416725e
                                                      • Opcode Fuzzy Hash: 3bb90099f3f0f72b5f67c7373ff681807e3b8e620cfc13c052fc1b4c4f0c550a
                                                      • Instruction Fuzzy Hash: 793153B0D00315AFEB20DF65CC09B9ABBB4FF05714F11829AF518AB291D7B5A984CF50
                                                      APIs
                                                      • SetWindowLongW.USER32(?,000000EB), ref: 006270E4
                                                        • Part of subcall function 00627140: BeginPaint.USER32(?,?,945323AF,00000000,?,?), ref: 006271F5
                                                        • Part of subcall function 00627140: CreateCompatibleDC.GDI32(?), ref: 00627295
                                                      • GetWindowLongW.USER32(?,000000EB), ref: 00627106
                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 00627131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Window$Long$BeginCompatibleCreatePaintProc
                                                      • String ID:
                                                      • API String ID: 2602052907-0
                                                      • Opcode ID: 945b1595ff67f23e999fa2eae580442cbf3801210df11ebe6ca846e0a623c3f1
                                                      • Instruction ID: b61599c4649b9748dfb3d61a6ddc06db5564a6b5660bf26d7eb8881723e07d9d
                                                      • Opcode Fuzzy Hash: 945b1595ff67f23e999fa2eae580442cbf3801210df11ebe6ca846e0a623c3f1
                                                      • Instruction Fuzzy Hash: 9A0192372085387B8F115E89BC94CEF776EFFCA371B184116FA1582250C7319D21ABA4
                                                      APIs
                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 005DB89C
                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 005DB8B0
                                                      • GetCurrentThreadId.KERNEL32 ref: 005DB8B9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CurrentTime$FileProcessSystemThread
                                                      • String ID:
                                                      • API String ID: 2426501826-0
                                                      • Opcode ID: bcfd38a9961b77dacde441417e8c2c348e63b4d4a3bc309ebfba4baebef9268f
                                                      • Instruction ID: de4880fc1b2df13e54264b61b750ffea9a8cba1cc0b7b45079664bfe9a934bcb
                                                      • Opcode Fuzzy Hash: bcfd38a9961b77dacde441417e8c2c348e63b4d4a3bc309ebfba4baebef9268f
                                                      • Instruction Fuzzy Hash: F92159B5904709DFC724DF28D9498A6BBF5FF89310B008A5EEC9A87311EB30E554CB91
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_000D9660,00000000,00000000,00000000), ref: 00679805
                                                      • GetLastError.KERNEL32(?,005F7C05,00000000,00000000), ref: 00679811
                                                      • __dosmaperr.LIBCMT ref: 00679818
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CreateErrorLastThread__dosmaperr
                                                      • String ID:
                                                      • API String ID: 2744730728-0
                                                      • Opcode ID: a09be31039812c3e9f4700fa02ceece344e9cdf7bce85b108b4281e2b5cefadd
                                                      • Instruction ID: 2a351caa68c68ff7d4c2cb0c9e4c439fa56d0a38b77f3fb259a43a9bfc13382d
                                                      • Opcode Fuzzy Hash: a09be31039812c3e9f4700fa02ceece344e9cdf7bce85b108b4281e2b5cefadd
                                                      • Instruction Fuzzy Hash: DB01B172514219AFDF19AFA0DC05AEE7BEAEF01320F108128F80996250DB71DE00EBA5
                                                      APIs
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 005F7C49
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Cpp_errorThrow_std::_
                                                      • String ID: install
                                                      • API String ID: 2134207285-801815929
                                                      • Opcode ID: c84dab69e200c33b189fdd13f52cda8109a8ea5efb884955b2a320a30ea76bf7
                                                      • Instruction ID: 1e38d9ccd95989b197e0c233f30ea402f4f469ea448a3c4984d865ef02d1fc26
                                                      • Opcode Fuzzy Hash: c84dab69e200c33b189fdd13f52cda8109a8ea5efb884955b2a320a30ea76bf7
                                                      • Instruction Fuzzy Hash: 94A148B0A04B46AFE344CF24C9457D6FBA0BF19308F10825EE55C9B291EBB5B5A4CBD1
                                                      APIs
                                                      • std::ctype_base::ctype_base.LIBCPMT ref: 0065FB11
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: std::ctype_base::ctype_base
                                                      • String ID: Pfe
                                                      • API String ID: 139608259-2642587220
                                                      • Opcode ID: 60fe62ba4878c5d351d2d3dd713c77205f096135e6425751897c7a3de5df7ee8
                                                      • Instruction ID: b826e1d5ce299ddf3b2c39ffd7bfb5a943b384ad7cea49db3f6fc8cc1e22424a
                                                      • Opcode Fuzzy Hash: 60fe62ba4878c5d351d2d3dd713c77205f096135e6425751897c7a3de5df7ee8
                                                      • Instruction Fuzzy Hash: 09018472904619ABCB11DF54DD02BDA77AAEB05724F00416AFC15A3340E736AA18CBA5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ec33e27a9c21f59bd5bad245fadbf9cbd15737300160ad90e72018da8625a03b
                                                      • Instruction ID: 0be551e2881c65075274869f5a90bcfb7b1170f745a36531e63a16b0f8d3fd96
                                                      • Opcode Fuzzy Hash: ec33e27a9c21f59bd5bad245fadbf9cbd15737300160ad90e72018da8625a03b
                                                      • Instruction Fuzzy Hash: 5C9111719006089FD728EF28D844B7EBBF5FF41304F20861DE2558BB92DB79E9408B91
                                                      APIs
                                                      • TlsGetValue.KERNEL32(FFFFFFFF,?,945323AF,00000005,00000000), ref: 005DB4E2
                                                        • Part of subcall function 005DC080: EnterCriticalSection.KERNEL32(00000000,945323AF), ref: 005DC0CB
                                                        • Part of subcall function 005DC080: HeapFree.KERNEL32(?,00000000,?,00000000), ref: 005DC12B
                                                        • Part of subcall function 005DC080: LeaveCriticalSection.KERNEL32(00000000,00000000), ref: 005DC143
                                                        • Part of subcall function 005DB710: GetSystemTimeAsFileTime.KERNEL32(?), ref: 005DB89C
                                                        • Part of subcall function 005DB710: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 005DB8B0
                                                        • Part of subcall function 005DB710: GetCurrentThreadId.KERNEL32 ref: 005DB8B9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CriticalCurrentSectionTime$EnterFileFreeHeapLeaveProcessSystemThreadValue
                                                      • String ID: {{{}}} {}
                                                      • API String ID: 4134713035-2117331405
                                                      • Opcode ID: 63235cdf2f60b7e98794b3f485aba4476faa20066ca046f1912435ac3d2939de
                                                      • Instruction ID: 81d4e8f8150c13ec32422aa0deca2e81fff5b75a8ec7706845fe253563e19041
                                                      • Opcode Fuzzy Hash: 63235cdf2f60b7e98794b3f485aba4476faa20066ca046f1912435ac3d2939de
                                                      • Instruction Fuzzy Hash: 4A817E71E00208DFDB28DF6CD884AADBFB6FF45310F15425BE425AB791EB3099458B91
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000101,00000000,945323AF,00000000,00000088), ref: 006113DC
                                                      • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000003,00000000,0000012C), ref: 00611456
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: OpenQueryValue
                                                      • String ID:
                                                      • API String ID: 4153817207-0
                                                      • Opcode ID: df31fbeb548dac8322f745201c54389c73785d6fabc4c2bc70c880d0398fb889
                                                      • Instruction ID: eb2300af08ae2f6e6cf0cecbba36c58e00bfe4ed8732f5aa3e5d3490f9f14629
                                                      • Opcode Fuzzy Hash: df31fbeb548dac8322f745201c54389c73785d6fabc4c2bc70c880d0398fb889
                                                      • Instruction Fuzzy Hash: 0C819E70E002499FDF10DFA4C845BEEBBB6EF86304F18411AE515BB385D770A985CB91
                                                      APIs
                                                        • Part of subcall function 0068B013: GetConsoleOutputCP.KERNEL32(945323AF,?,00000000,00000000), ref: 0068B076
                                                      • WriteFile.KERNELBASE(?,?,00000000,006F8240,00000000,?,00000000,00000000,?,?,006F8240,00000010,00679226,00000000,00000000,00000000), ref: 0068BA69
                                                      • GetLastError.KERNEL32 ref: 0068BA73
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ConsoleErrorFileLastOutputWrite
                                                      • String ID:
                                                      • API String ID: 2915228174-0
                                                      • Opcode ID: 19eda8c8580a51480f76a2d9dfb0173fcc837ab02af162c69f0c81bd131131e4
                                                      • Instruction ID: 8521c0e28ced191edace51314500d12cbae6411192d354515bcaf7ae0e622f3f
                                                      • Opcode Fuzzy Hash: 19eda8c8580a51480f76a2d9dfb0173fcc837ab02af162c69f0c81bd131131e4
                                                      • Instruction Fuzzy Hash: 3A61C171D04149AEDF15EFA9C884AEEBBBAEF0A304F045289E914A7352D371D942CB64
                                                      APIs
                                                      • GdiplusStartup.GDIPLUS(00000000,00000001,00000000), ref: 0062695C
                                                      • CreateEventW.KERNEL32(00000000), ref: 00626A48
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CreateEventGdiplusStartup
                                                      • String ID:
                                                      • API String ID: 211868705-0
                                                      • Opcode ID: 9e8e4bb70566697d5435cd7a07d7597dead84eff3b1b10aaca2bb7a0e9038dc9
                                                      • Instruction ID: 24542a9abcab515debbb21811e35580d78013a7f36eb1b98b846360dc0c2d0fa
                                                      • Opcode Fuzzy Hash: 9e8e4bb70566697d5435cd7a07d7597dead84eff3b1b10aaca2bb7a0e9038dc9
                                                      • Instruction Fuzzy Hash: 2A5134B09007059FE710CF15C858B9ABBF0FF09328F24825EE8156B791D7BAA944CFA4
                                                      APIs
                                                      • RegCloseKey.ADVAPI32(?), ref: 005C8E2A
                                                      • SetLastError.KERNEL32(00000000), ref: 005C8E35
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseErrorLast
                                                      • String ID:
                                                      • API String ID: 3262646002-0
                                                      • Opcode ID: 640c7220f455e36f448191f4bf2d4974c5294805160322fe224b0525cc6099b2
                                                      • Instruction ID: e87578af128372f987734de0d06dfeaef51f9d2b7e563e08204f79b02f9e7b2b
                                                      • Opcode Fuzzy Hash: 640c7220f455e36f448191f4bf2d4974c5294805160322fe224b0525cc6099b2
                                                      • Instruction Fuzzy Hash: 81414971D01219DFDB20DFA8D989BADBBF8FB49304F1005ADE409A7281EB349A44CF51
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00086E60,?,00000000,?), ref: 00626AF6
                                                      • WaitForSingleObject.KERNEL32(?,02FAF080,?,00000000,?), ref: 00626B10
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CreateObjectSingleThreadWait
                                                      • String ID:
                                                      • API String ID: 1891408510-0
                                                      • Opcode ID: d3d42ebfa7afcc9d340b38f70caa7b680f736e0450e296849fc1986510334d1c
                                                      • Instruction ID: 898c64108b67b017be5f1d7f42bf105191c55ed6d5fb9a3b1ee3915f4cdcddf8
                                                      • Opcode Fuzzy Hash: d3d42ebfa7afcc9d340b38f70caa7b680f736e0450e296849fc1986510334d1c
                                                      • Instruction Fuzzy Hash: B501F730A00318ABDB20DF65EC05BABBBF99B09711F00005EFD419B281DA71E910CB54
                                                      APIs
                                                      • GetLastError.KERNEL32(006F7E98,0000000C), ref: 00679673
                                                      • ExitThread.KERNEL32 ref: 0067967A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorExitLastThread
                                                      • String ID:
                                                      • API String ID: 1611280651-0
                                                      • Opcode ID: e7989df06d6a700472b5b8cc0bb47005b51dbc6846074c698b5ebbc3728d4d19
                                                      • Instruction ID: 8a70b8bd8d7aa9ac09d0ee70d52b25eeceec0b78467e061776e4184cd387fc4e
                                                      • Opcode Fuzzy Hash: e7989df06d6a700472b5b8cc0bb47005b51dbc6846074c698b5ebbc3728d4d19
                                                      • Instruction Fuzzy Hash: 27F0AF71A002049FEB40BFB0D80AAAE3BB7EF81310F20464DF405972A2DB316941CFB9
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000000,00000000,?,0069425A,?,00000000,?,?,006944FB,?,00000007,?,?,006949FE,?,?), ref: 00689A10
                                                      • GetLastError.KERNEL32(?,?,0069425A,?,00000000,?,?,006944FB,?,00000007,?,?,006949FE,?,?), ref: 00689A1B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 485612231-0
                                                      • Opcode ID: cbfc72f2efd8d16216d5e38ead837b536c08d5882e860330937cdb06b51aac0e
                                                      • Instruction ID: 094b2e0205558885b62b93308daf01a47451bd644270c5d34476034253ebbaa7
                                                      • Opcode Fuzzy Hash: cbfc72f2efd8d16216d5e38ead837b536c08d5882e860330937cdb06b51aac0e
                                                      • Instruction Fuzzy Hash: 84E0CD32604604AFCB557FB4EC0CBD93B6AAB41351F149134F90C86171DB749D81DB99
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: FreeLocal
                                                      • String ID:
                                                      • API String ID: 2826327444-0
                                                      • Opcode ID: 170f3c1d49dbc9927547c062900c01d8497cecd6faddd1e3f3941102295432d2
                                                      • Instruction ID: 704a9ba9ecbe0d3172cd2ee6c6a405cdec068a02113f4fdf19e5b92578c4f36a
                                                      • Opcode Fuzzy Hash: 170f3c1d49dbc9927547c062900c01d8497cecd6faddd1e3f3941102295432d2
                                                      • Instruction Fuzzy Hash: 6AA14C71E00259CFDB04CFA8D894BAEBBB6FF59314F14815AE805AB341DB34A945CF91
                                                      APIs
                                                        • Part of subcall function 00648D20: SetLastError.KERNEL32(00000057,945323AF,00000000,?), ref: 00648D6F
                                                      • GetLastError.KERNEL32 ref: 0064936B
                                                      • SetLastError.KERNEL32(00000000), ref: 006493A4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: d21b51a46646b987fa538a0e4642d17d7907a69ea8fd91f4c9197b28726b2ba1
                                                      • Instruction ID: a10b9a30b30e081601d26cf30339a7925ad451196c016c5e8e7d1efca752c05c
                                                      • Opcode Fuzzy Hash: d21b51a46646b987fa538a0e4642d17d7907a69ea8fd91f4c9197b28726b2ba1
                                                      • Instruction Fuzzy Hash: 09219F72D002199BCF15DF64CC45BEFBBB6FF85714F10421DE801A7381D7786A008AA4
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(00708730,?,?), ref: 005F1691
                                                      • LeaveCriticalSection.KERNEL32(00708730), ref: 005F1748
                                                        • Part of subcall function 0064D907: AcquireSRWLockExclusive.KERNEL32(00706D3C,?,?,?,005B7BE1,00707650,945323AF,00000000,0069AB01,000000FF,?,005EF6AE,\Device\LanmanRedirector\,00000019,945323AF), ref: 0064D912
                                                        • Part of subcall function 0064D907: ReleaseSRWLockExclusive.KERNEL32(00706D3C,?,?,?,005B7BE1,00707650,945323AF,00000000,0069AB01,000000FF,?,005EF6AE,\Device\LanmanRedirector\,00000019,945323AF), ref: 0064D94C
                                                        • Part of subcall function 005F1450: GetSystemTimeAsFileTime.KERNEL32(?), ref: 005F147A
                                                        • Part of subcall function 005F1450: GetCurrentProcessId.KERNEL32 ref: 005F1493
                                                        • Part of subcall function 005F1450: GetCurrentThreadId.KERNEL32 ref: 005F14AF
                                                        • Part of subcall function 005F1450: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 005F14EC
                                                        • Part of subcall function 005F1450: GetDiskFreeSpaceExW.KERNELBASE(00000000,?,00000000,00000000), ref: 005F1523
                                                        • Part of subcall function 005F1450: GetSystemTimes.KERNELBASE(?,?,?), ref: 005F154C
                                                        • Part of subcall function 0064D8B6: AcquireSRWLockExclusive.KERNEL32(00706D3C,?,?,005B7C08,00707650), ref: 0064D8C0
                                                        • Part of subcall function 0064D8B6: ReleaseSRWLockExclusive.KERNEL32(00706D3C,?,005B7C08,00707650), ref: 0064D8F3
                                                        • Part of subcall function 0064D8B6: WakeAllConditionVariable.KERNEL32(00706D38,?,005B7C08,00707650), ref: 0064D8FE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ExclusiveLock$AcquireCriticalCurrentReleaseSectionSystemTime$ConditionDiskEnterFileFreeGlobalLeaveMemoryProcessSpaceStatusThreadTimesVariableWake
                                                      • String ID:
                                                      • API String ID: 1939839377-0
                                                      • Opcode ID: ad143e8833def66b0fea16314ef69e7e41aa3c02102489a55a9f2e6382113a56
                                                      • Instruction ID: c7bf84c207e1950346149d659e8c2b3d71e2060c944b32a6b474f8bdaa5b5571
                                                      • Opcode Fuzzy Hash: ad143e8833def66b0fea16314ef69e7e41aa3c02102489a55a9f2e6382113a56
                                                      • Instruction Fuzzy Hash: A821FBB5A04744CBC340EB54EC069AB77A0BBC5714F04872AF99587692EF78A544CF8B
                                                      APIs
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 005CE850
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_task
                                                      • String ID:
                                                      • API String ID: 118556049-0
                                                      • Opcode ID: fa49be8f574d9518a9e4fac142357abca7f97025621c1b5eaa738ae3f019e169
                                                      • Instruction ID: 228e4274e260d92b76d710ba24e434ee45178bb699d17f49e04f0ce423e70662
                                                      • Opcode Fuzzy Hash: fa49be8f574d9518a9e4fac142357abca7f97025621c1b5eaa738ae3f019e169
                                                      • Instruction Fuzzy Hash: DE518272E00119AFDF14DFE8C986DAEBFB9FB48310B14426DE815E7341E6319A51CBA4
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 005F03CF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ___std_exception_copy
                                                      • String ID:
                                                      • API String ID: 2659868963-0
                                                      • Opcode ID: 58da1e0d239bd0a006e3b929abd08172fa6e6568de59de48934208a5a948f8db
                                                      • Instruction ID: 326083970a1f4d3887adc58b1a02379c99b5417e6a33cea1998fec000717b768
                                                      • Opcode Fuzzy Hash: 58da1e0d239bd0a006e3b929abd08172fa6e6568de59de48934208a5a948f8db
                                                      • Instruction Fuzzy Hash: 26419F7290020DAFCB14EF95C949EEDBBBDFF48300F1045A9FA05A3591EB75AA04CB64
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,945323AF,0000000C,0000000C), ref: 005F136E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Open
                                                      • String ID:
                                                      • API String ID: 71445658-0
                                                      • Opcode ID: bc0f8a96e0b347843b1adf4cfc1f7f220ec8916669c913749239db314889fbe7
                                                      • Instruction ID: e0f561859e6ba08720aeafc782cd26617b305704a6c57864a74b21faa651cd8d
                                                      • Opcode Fuzzy Hash: bc0f8a96e0b347843b1adf4cfc1f7f220ec8916669c913749239db314889fbe7
                                                      • Instruction Fuzzy Hash: 51418AB1D05659DFDB10DFA8C948BAEFBB4FB48304F10469AD808A7281DB756A44CF94
                                                      APIs
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 006058FE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• API String ID: 118556049-0

APIs
• std::generic_category.LIBCPMTD ref: 0061D6DB
Similarity
• API ID: std::generic_category
• API String ID: 2374251199-0

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 005D1030
Similarity
• API ID: Concurrency::cancel_current_task
• API String ID: 118556049-0

APIs
Similarity
• API ID: __wsopen_s
• API String ID: 3347428461-0

APIs
• KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0

APIs
• RegCloseKey.KERNELBASE(?,945323AF,?,00000000,?,Function_000C8D50,006F72A0,000000FE), ref: 0064997D
Similarity
• API ID: Close
• API String ID: 3535843008-0

APIs
• GlobalMemoryStatusEx.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,005FA042), ref: 005FB830
Similarity
• API ID: GlobalMemoryStatus
• API String ID: 1890195054-0

APIs
• FindCloseChangeNotification.KERNELBASE(00000000,945323AF,?,00000000,?,Function_000C8D50,006EAF08,000000FE), ref: 005ACCEF
Similarity
• API ID: ChangeCloseFindNotification
• API String ID: 2591292051-0

APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,0064D32D,?,?,005F40DA,00000008,945323AF), ref: 00689A66
Similarity
• API ID: AllocateHeap
• API String ID: 1279760036-0

APIs
  • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
• RtlAllocateHeap.NTDLL(006D9DE8,00000000,?,?,?,006F8E90,?,?,?,00643B16,80004005), ref: 00647B1B
Similarity
• API ID: AllocateDispatcherExceptionHeapUser
• API String ID: 3515689010-0

APIs
• CreateFileW.KERNELBASE(?,00000000,?,0069769C,?,?,00000000,?,0069769C,?,0000000C), ref: 006972C9
Similarity
• API ID: CreateFile
• API String ID: 823142352-0

APIs
  • Part of subcall function 0064A108: AcquireSRWLockExclusive.KERNEL32(?,0064A2B6), ref: 0064A125
• DloadProtectSection.DELAYIMP ref: 0064A087
Similarity
• API ID: AcquireDloadExclusiveLockProtectSection
• API String ID: 3680172570-0

APIs
• SetLastError.KERNEL32(0000000D), ref: 00649884
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: 459c34769e707dd291340ee1078d7a5bfa2174459c982708a192e17f3ecac39d
                                                      • Instruction ID: b0d5efdd410396f785b0ff21cd362c7105c14648d2e00bd9d9359847bad13bbc
                                                      • Opcode Fuzzy Hash: 459c34769e707dd291340ee1078d7a5bfa2174459c982708a192e17f3ecac39d
                                                      • Instruction Fuzzy Hash: 7C11AF32D40219AFCB24DF5CD8815AFB7B6FB8A310B154AA9EC1497341D231DD94CBE0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: 57dee45a3d82cffa0385d157f728fc7ecab3a292266de4008bca074ce7e17677
                                                      • Instruction ID: 916a5ace002a4a98e3bc63a53f7eab378cc864fee7222d284498763942a216af
                                                      • Opcode Fuzzy Hash: 57dee45a3d82cffa0385d157f728fc7ecab3a292266de4008bca074ce7e17677
                                                      • Instruction Fuzzy Hash: 5DE03931540219DF8B44EF88E84489B3BAAEB49300B004851FD154B216D732EA60EFA5
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: 66bfe8898c51ae5ea9b6b12687699f4d3aecb24e6319e806f346541496158062
                                                      • Instruction ID: 052398246400bac8f7d44de077cbd4898261448cabade30380402e469da2fe88
                                                      • Opcode Fuzzy Hash: 66bfe8898c51ae5ea9b6b12687699f4d3aecb24e6319e806f346541496158062
                                                      • Instruction Fuzzy Hash: DBE06D71A04219EF8B04EF98F8448AB37AAEB49300B008451F9054B262D732E9A0DFB1
                                                      APIs
                                                      • DName::DName.LIBVCRUNTIME ref: 0066CE71
                                                      • operator+.LIBVCRUNTIME ref: 0066CE8B
                                                      • DName::operator+.LIBCMT ref: 0066CFB9
                                                      • DName::operator+.LIBCMT ref: 0066CFD6
                                                        • Part of subcall function 0066E10D: DName::DName.LIBVCRUNTIME ref: 0066E150
                                                      • DName::operator+.LIBCMT ref: 0066D08A
                                                      • DName::operator+.LIBCMT ref: 0066D099
                                                        • Part of subcall function 00672739: DName::operator+.LIBCMT ref: 0067277D
                                                        • Part of subcall function 00672739: DName::operator+.LIBCMT ref: 00672789
                                                        • Part of subcall function 00672739: DName::operator+.LIBCMT ref: 00672804
                                                        • Part of subcall function 00672739: DName::operator+=.LIBCMT ref: 00672847
                                                      • DName::operator+.LIBCMT ref: 0066D025
                                                        • Part of subcall function 0066CC7C: DName::operator=.LIBVCRUNTIME ref: 0066CC9D
                                                        • Part of subcall function 0066CC24: shared_ptr.LIBCMT ref: 0066CC40
                                                        • Part of subcall function 0066E718: shared_ptr.LIBCMT ref: 0066E7BE
                                                      • DName::operator+.LIBCMT ref: 0066D603
                                                      • DName::operator+.LIBCMT ref: 0066D61F
                                                      • DName::operator+.LIBCMT ref: 0066D8BE
                                                        • Part of subcall function 0066CB4F: DName::operator+.LIBCMT ref: 0066CB70
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+$NameName::shared_ptr$Name::operator+=Name::operator=operator+
                                                      • String ID:
                                                      • API String ID: 848932493-0
                                                      • Opcode ID: f4c2be5d7804fb05a44ff24bd5f5fa4191848bf7ca678ac1529acef95c3eeee8
                                                      • Instruction ID: 55649b9cdeeb61a31b5b4beada1585afc6c0caebdcb342f11a16228ec2f8dce0
                                                      • Opcode Fuzzy Hash: f4c2be5d7804fb05a44ff24bd5f5fa4191848bf7ca678ac1529acef95c3eeee8
                                                      • Instruction Fuzzy Hash: 5F926EB2F246199BDB14DFA8CC96BED77BAEB18310F04413EE516E7280DA38D905CB54
                                                      APIs
                                                      • GetCommandLineW.KERNEL32(00000001,945323AF), ref: 005AC5AE
                                                      • GetUserDefaultUILanguage.KERNEL32 ref: 005AC627
                                                      • MessageBoxW.USER32(00000000,?,?,00010010), ref: 005ACAEB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CommandDefaultLanguageLineMessageUser
                                                      • String ID: %s:'%d'.%s:'%s'.$@Sfx_Download_Fail$@Sfx_ErrCode$@Sfx_LogInfo$@Sfx_MsgBoxTitle$ga_clientid$lang-id$language$silent$verysilent
                                                      • API String ID: 1083715854-2005466023
                                                      • Opcode ID: 9681795ba5d3ca03b3529109aec2b21f3ca5c3bef41f3dddc0cef92cb6886974
                                                      • Instruction ID: dee0429a237241b2afa93ce6cb9a6ce8193b144ffc2fb022d2405e8b58594b31
                                                      • Opcode Fuzzy Hash: 9681795ba5d3ca03b3529109aec2b21f3ca5c3bef41f3dddc0cef92cb6886974
                                                      • Instruction Fuzzy Hash: 5A02BF71D0025ACADB24DF64CC55BEDBFB5FF56304F108299E80A6B281EB706A85CF91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Sh$Auth$Cent$Genu$GenuineIntel$Hygo$Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz$Micr$ai $auls$aurH$cAMD$ntel$ntel$osof$t Hv$uine
                                                      • API String ID: 0-3143099344
                                                      • Opcode ID: 9e4e785c878c87e9c234915cd863faed0a188388d105a8dca8b519f76d2eeea9
                                                      • Instruction ID: 593493bf2b4d51a5d2cf4fbe6ec7b1ea597378a30a9b65051c9995b46ddb6482
                                                      • Opcode Fuzzy Hash: 9e4e785c878c87e9c234915cd863faed0a188388d105a8dca8b519f76d2eeea9
                                                      • Instruction Fuzzy Hash: 0C8222B1D146898AEF39CF6BC84839CFEB5BF98314F24856ED4A5A7292D7744980CF40
                                                      APIs
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 0060643B
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 00606446
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 0060653C
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 00606547
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Cpp_errorThrow_std::_
                                                      • String ID:
                                                      • API String ID: 2134207285-0
                                                      • Opcode ID: 39b9a613fb4276599e2892fdde2be03bc26b74d9774ae3a816e23df2c5e67fa5
                                                      • Instruction ID: ca28660b360eaa4d3be7e90f0f92fe59588adf44d78b0cdd1705e06f20dfa7fe
                                                      • Opcode Fuzzy Hash: 39b9a613fb4276599e2892fdde2be03bc26b74d9774ae3a816e23df2c5e67fa5
                                                      • Instruction Fuzzy Hash: 9152AF75D002099BCB08DFA4C941BEFBBB9FF55318F10821AF815A7781EB71AA15CB91
                                                      APIs
                                                      • GetLastError.KERNEL32(?,UserPass,00000008,UserName,00000008,ProxyName,00000009,?,00000000), ref: 0063D41F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID: Authorization$AutomaticEnabled$ConfigUrl$Fallback$Port$ProxyName$ProxySettings$ProxyType$UserName$UserPass
                                                      • API String ID: 1452528299-2863058430
                                                      • Opcode ID: 6e2ef26406fee115bd97f1f8a9dd1937ca53a9787a297a33c1244d0044d984b6
                                                      • Instruction ID: f06b59715d24abb594f5f9a3b2637f0cbaeccfda5b7426b9634c701cc864f5cb
                                                      • Opcode Fuzzy Hash: 6e2ef26406fee115bd97f1f8a9dd1937ca53a9787a297a33c1244d0044d984b6
                                                      • Instruction Fuzzy Hash: E8229F31D00259DFCB14DFE4C945BEDBBB5BF98308F248259E44977281EB746A88CBA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ^m$ ^m$@^m$@^m$atrk$av-vps$ccl$clear$family$foundation$icarus$suite$vpn
                                                      • API String ID: 0-3326270955
                                                      • Opcode ID: 716e6674280bae669cbfdd3294decbe73ae23058723932fb3ee3acdca89dcd90
                                                      • Instruction ID: 5d55eefa0e548a8fe18c1cbfcf15bd328ba91ead8a3313fcd55a8ac90048c424
                                                      • Opcode Fuzzy Hash: 716e6674280bae669cbfdd3294decbe73ae23058723932fb3ee3acdca89dcd90
                                                      • Instruction Fuzzy Hash: 24F11936F0011D4BCF289FA8C5A5779BF62FF94719B96016EDD8F4B740EA224E42C290
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?,?,945323AF), ref: 005DC7F0
                                                      • LeaveCriticalSection.KERNEL32(?,?,?), ref: 005DC867
                                                      • EnterCriticalSection.KERNEL32(?,945323AF,00000000), ref: 005DC9EE
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 005DCA52
                                                      • EnterCriticalSection.KERNEL32(?), ref: 005DCA6E
                                                      • EnterCriticalSection.KERNEL32(?), ref: 005DCB4F
                                                      • LeaveCriticalSection.KERNEL32(?,?,?), ref: 005DCBEE
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 005DCC50
                                                      • LeaveCriticalSection.KERNEL32(?,?,?), ref: 005DCCC1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Leave$Enter
                                                      • String ID: Callback not found
                                                      • API String ID: 2978645861-2466553093
                                                      • Opcode ID: 0a0f4959fb645c1f4cf025f12c1a12a4ddb2360205d99850446c5242c1e10784
                                                      • Instruction ID: 18358df81842747fefc7a41476cbc694c9fbfb2ae202bd22f604d39ca474bff5
                                                      • Opcode Fuzzy Hash: 0a0f4959fb645c1f4cf025f12c1a12a4ddb2360205d99850446c5242c1e10784
                                                      • Instruction Fuzzy Hash: 6C124C75A0070A8FCB24DF68C984AADBFB6FF49320F15455AE81AA7350DB34AD41CF90
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,00000007,?,?,?,006D7D9C,00000002,945323AF), ref: 005EA99B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: FileFindFirst
                                                      • String ID:
                                                      • API String ID: 1974802433-0
                                                      • Opcode ID: 644751436fef09d43c7b1e84c2d7a39526f4f3241da334fa1e007c04e5a2435b
                                                      • Instruction ID: bdaa0faeced928c3e31f82c32bfe1ec657e5c79ae1cad13c1ba3bef33019cd2d
                                                      • Opcode Fuzzy Hash: 644751436fef09d43c7b1e84c2d7a39526f4f3241da334fa1e007c04e5a2435b
                                                      • Instruction Fuzzy Hash: D89126709002969FDB189F74CD49BBDBB7AFF51308F100299E88597281E730BE85CB52
                                                      APIs
                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000001,00003000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,945323AF), ref: 005D055A
                                                      • GetLengthSid.ADVAPI32(00000000), ref: 005D056B
                                                      • LocalAlloc.KERNEL32(00000040), ref: 005D057F
                                                      • CopySid.ADVAPI32(?,-00000008,00000000), ref: 005D05B6
                                                      • LocalAlloc.KERNEL32(00000040,?,?,-00000008,00000000), ref: 005D05CD
                                                      • InitializeAcl.ADVAPI32(00000000,?,00000002,?,?,-00000008,00000000), ref: 005D05E2
                                                      • AddAce.ADVAPI32(00000000,00000002,000000FF,00000000,?,?,00000002,?,?,-00000008,00000000), ref: 005D05FB
                                                      • TreeResetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005D065C
                                                      • SetLastError.KERNEL32(00000000), ref: 005D0667
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AllocInitializeLocal$AllocateCopyErrorInfoLastLengthNamedResetSecurityTree
                                                      • String ID:
                                                      • API String ID: 1516400239-0
                                                      • Opcode ID: ccb73fcd651898af6f989428f3f81755d1a2fa2e87fd6d931b19515e4adc98c2
                                                      • Instruction ID: 834271e3b3cd8880809fbf9e042bae51eac749762c836db5eb2b81a2ee81bb61
                                                      • Opcode Fuzzy Hash: ccb73fcd651898af6f989428f3f81755d1a2fa2e87fd6d931b19515e4adc98c2
                                                      • Instruction Fuzzy Hash: E1518D71E00208AADB209FA8DC49FEEBBB9FF45710F14511AF905B73C0DBB5A904CA65
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorFileLast$LockUnlock
                                                      • String ID: Authorization$AutomaticEnabled$ConfigUrl$Fallback$Port$ProxyName$ProxySettings$ProxyType$UserName$UserPass
                                                      • API String ID: 2275591146-2863058430
                                                      • Opcode ID: 280cfc752d1146d7e9da410c3a1503a68ebe32c8e1f378dfd4c2d04c70bdea97
                                                      • Instruction ID: 94dfee3eb47bf4a975f17acba23e967e70933aba381384b5fd93c0bdb1899488
                                                      • Opcode Fuzzy Hash: 280cfc752d1146d7e9da410c3a1503a68ebe32c8e1f378dfd4c2d04c70bdea97
                                                      • Instruction Fuzzy Hash: 44429271D00289CFCB14DFA4C885BEDBFB5BF55314F248259E445BB281EB70AA89CB91
                                                      APIs
                                                      • FindFirstFileExW.KERNEL32(0069DECA,?,?,00000000,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000001,?,945323AF), ref: 005ED08F
                                                      • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000001,?,945323AF), ref: 005ED0A3
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorFileFindFirstLast
                                                      • String ID: Unable to enumerate directory '{}'!
                                                      • API String ID: 873889042-3795103989
                                                      • Opcode ID: e371c00790c703c3914f34aaaceea3f1cefc3e58144bc8d1a9d1ca00cbe6fbc8
                                                      • Instruction ID: b50c1045833e2cb34c3f1b5162fa189bcfa751d2f9a4efe79995406d194995fc
                                                      • Opcode Fuzzy Hash: e371c00790c703c3914f34aaaceea3f1cefc3e58144bc8d1a9d1ca00cbe6fbc8
                                                      • Instruction Fuzzy Hash: F4D1AE70D0125A9FDB28EF64CD49BAEBBB5FF54304F104199E449A7291EB70AE84CF60
                                                      APIs
                                                      • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 006902CF
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0069034A
                                                      • FindClose.KERNEL32(00000000), ref: 0069036C
                                                      • FindClose.KERNEL32(00000000), ref: 0069038F
                                                      Similarity
                                                      • API ID: Find$CloseFile$FirstNext
                                                      • String ID:
                                                      • API String ID: 1164774033-0
                                                      • Opcode ID: 6b4d487a73ec7a5549461a9b0ddcad2e88769c8d9297bfaffd8666c527bac5c7
                                                      • Instruction ID: b41daad3f50d3042c3243b23e3a279103b228c69d48b2aea1a7f4fee7b9b8e13
                                                      • Opcode Fuzzy Hash: 6b4d487a73ec7a5549461a9b0ddcad2e88769c8d9297bfaffd8666c527bac5c7
                                                      • Instruction Fuzzy Hash: 38419371900619AFEF20EFA8CD8D9FAB7BEEB85314F144195E405E7641EA709E808B64
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .lzma$.xml$base-url$defs
                                                      • API String ID: 0-88300702
                                                      • Opcode ID: caaa9f79f36b7b0274a806a961e6d4e0e44e783fa6e4378d72f26501f089227e
                                                      • Instruction ID: b1f3d46486ac0721068c404501b7a3703106feee96600c40bbec9b9a63d348fb
                                                      • Opcode Fuzzy Hash: caaa9f79f36b7b0274a806a961e6d4e0e44e783fa6e4378d72f26501f089227e
                                                      • Instruction Fuzzy Hash: FDE16C30C10799CEDB14DFA4C855BEDB7B1FF99308F119689E4096B252EBB06AC8CB51
                                                      APIs
                                                        • Part of subcall function 00647F60: InitializeCriticalSectionEx.KERNEL32(00706D80,00000000,00000000,0066887E,?,?,?,005A8A1A), ref: 00647F65
                                                        • Part of subcall function 00647F60: GetLastError.KERNEL32(?,?,?,005A8A1A), ref: 00647F6F
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,005A8A1A), ref: 00668882
                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,005A8A1A), ref: 00668891
                                                      Strings
                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0066888C
                                                      Similarity
                                                      • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                      • API String ID: 3511171328-631824599
                                                      • Opcode ID: b4ff59c97709ce795b456e3e2d652c53e33a71b62b7250bb24f012faf721846c
                                                      • Instruction ID: 26d623005fe20b3ad381938c553748d0edc208c4ac255423fca0e9abec3794cf
                                                      • Opcode Fuzzy Hash: b4ff59c97709ce795b456e3e2d652c53e33a71b62b7250bb24f012faf721846c
                                                      • Instruction Fuzzy Hash: 26E06D702107018FC7B0AF7AE9087567EE6BB04304F44895DE886C3280EFB8E4088F61
                                                      APIs
                                                      • SetLastError.KERNEL32(00000057,?,?,00000000), ref: 005E69E3
                                                        • Part of subcall function 005E9380: Concurrency::cancel_current_task.LIBCPMT ref: 005E94BA
                                                      Strings
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_taskErrorLast
                                                      • String ID: |g^$|g^
                                                      • API String ID: 523316592-4037149607
                                                      • Opcode ID: f18b761b921d0bece648ee1523b731d8801f16871295232daefabcacf3970180
                                                      • Instruction ID: 71bed59eaf08e253854431b049eb1ba95748521d95ff6c0076282c7da384a6ef
                                                      • Opcode Fuzzy Hash: f18b761b921d0bece648ee1523b731d8801f16871295232daefabcacf3970180
                                                      • Instruction Fuzzy Hash: 6002C1706006868FC728CF69C894BAABBF5FF64390F14869DE4DA97691D730BD44CB60
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Unab
                                                      • API String ID: 0-1082432564
                                                      • Opcode ID: 80a6beced2cab4d481fc23a4330ff91845d889589e79bc840f666e14c63e8851
                                                      • Instruction ID: c8ca7ea746580311f26c3d881a38108fd4ce6115bbe341ef0fda64d3eaeaab9d
                                                      • Opcode Fuzzy Hash: 80a6beced2cab4d481fc23a4330ff91845d889589e79bc840f666e14c63e8851
                                                      • Instruction Fuzzy Hash: EEF22871E002258BCB0CCFA9C9A02BCBBB2FF98311F25527ED946E7394D6345A45CB94
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $T_$5S_
                                                      • API String ID: 0-3966799338
                                                      • Opcode ID: 7643d834b3513abf3f13f63ba8823cba5e4ed67393f1c07a2b5963a29acb596d
                                                      • Instruction ID: dcc3c0309fce65e2df218e3b72fb221374a0a62eb99fa72ae7a4c15d5fcdcb53
                                                      • Opcode Fuzzy Hash: 7643d834b3513abf3f13f63ba8823cba5e4ed67393f1c07a2b5963a29acb596d
                                                      • Instruction Fuzzy Hash: 8902B071D006458FCB25DF68C8446AEBBF1FF8A314F214B0DE4616B781E771A985CBA2
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: gfff
                                                      • API String ID: 0-1553575800
                                                      • Opcode ID: 57df1d19477feb9b407b889358418d8e70701a65c1992f9b708feea241d692db
                                                      • Instruction ID: a4097417ea9cdc957345a1dd35f879da9cbf59e697486a4ece5aa08b24e5399b
                                                      • Opcode Fuzzy Hash: 57df1d19477feb9b407b889358418d8e70701a65c1992f9b708feea241d692db
                                                      • Instruction Fuzzy Hash: 8D224D75E0411A9FCF18CFA9D891BAEBBF6FB98310F24812DD416E7340D6759D428B90
                                                      APIs
                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,00000001,?,00000008,?,?,00688EB8,00000001,?,00000008,?,?,006983F1,00000000), ref: 006890EA
                                                      Similarity
                                                      • API ID: ExceptionRaise
                                                      • String ID:
                                                      • API String ID: 3997070919-0
                                                      • Opcode ID: 77c913bedf0eb8129721e3326fd284c27c9f7f4c27505f460d11a246e1b73e17
                                                      • Instruction ID: a50885e9ee5df3e261f64112d025f9d48c8d974163fb904b8100fb3b3bf70e00
                                                      • Opcode Fuzzy Hash: 77c913bedf0eb8129721e3326fd284c27c9f7f4c27505f460d11a246e1b73e17
                                                      • Instruction Fuzzy Hash: D9B16C31210605DFD714DF28C48AAA57BA2FF45364F298658E9DACF3A1C736E982CB50
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: G_
                                                      • API String ID: 0-3327133591
                                                      • Opcode ID: 68980d057e9c7b05eef18b0040d7db455f939611b00e0b732f0f40c4268956c6
                                                      • Instruction ID: f1a24bfabc71fde48c102f03fddce64eca787017d9c5004fa07229f4c2acbb41
                                                      • Opcode Fuzzy Hash: 68980d057e9c7b05eef18b0040d7db455f939611b00e0b732f0f40c4268956c6
                                                      • Instruction Fuzzy Hash: 1C129D71D00249DFCF14DFA8C849AEEBBB5FF85314F20461DE415AB291EB34A945CB91
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0068868A,?,20001004,00000000,00000002,?,?,00687C8C), ref: 0068C427
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
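The hex in the GetLocaleInfoW line above, and in the COMCTL32/LoadImageW/GetSystemMetrics record that follows later on this page, is easier to assess once it is decoded. The following Python is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses the report's `Name.MODULE(slot,slot,...), ref: ADDRESS` line format, separates the formal parameters from the extra stack slots the sandbox prints after them, and names the Win32 constants involved. The sample lines are copied from this page; the constant values are the standard ones from the Windows SDK headers; the parameter-count table, the helper names and the output format are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the API reference lines copied verbatim from the records on this page.
SAMPLE_LINES = [
    "GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0068868A,?,20001004,"
    "00000000,00000002,?,?,00687C8C), ref: 0068C427",
    "#17.COMCTL32(00000000,?,?,945323AF), ref: 0061CBCF",
    "GetModuleHandleW.KERNEL32(00000000), ref: 0061CBD7",
    "LoadImageW.USER32(00000000,00000080,00000001,00000000,00000000,00000040), ref: 0061CC14",
    "LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008000), ref: 0061CC2F",
    "GetSystemMetrics.USER32(00000032), ref: 0061CC4F",
    "LoadImageW.USER32(?,00000080,00000001,00000000,00000000,00000000), ref: 0061CC6D",
]

# Report line format: Name.MODULE(slot,slot,...), ref: ADDRESS   ('?' = value not recovered by the sandbox)
_LINE_RE = re.compile(r"^(?P<name>#?\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")

# PARAM_COUNT is my own table: slots printed past the formal parameters are caller-frame stack, not arguments.
# The remaining tables are standard Win32 constants from the Windows SDK headers.
PARAM_COUNT = {"GetLocaleInfoW": 4, "LoadImageW": 6, "GetSystemMetrics": 1, "GetModuleHandleW": 1, "#17.COMCTL32": 0}
ORDINALS = {"#17.COMCTL32": "InitCommonControls"}  # comctl32.dll exports InitCommonControls at ordinal 17
IMAGE_TYPES = {0: "IMAGE_BITMAP", 1: "IMAGE_ICON", 2: "IMAGE_CURSOR"}
LR_FLAGS = {0x0001: "LR_MONOCHROME", 0x0010: "LR_LOADFROMFILE", 0x0020: "LR_LOADTRANSPARENT",
            0x0040: "LR_DEFAULTSIZE", 0x2000: "LR_CREATEDIBSECTION", 0x8000: "LR_SHARED"}
OEM_ICONS = {32512: "IDI_APPLICATION", 32513: "IDI_HAND", 32514: "IDI_QUESTION", 32515: "IDI_EXCLAMATION",
             32516: "IDI_ASTERISK", 32517: "IDI_WINLOGO", 32518: "IDI_SHIELD"}
OEM_CURSORS = {32512: "IDC_ARROW", 32513: "IDC_IBEAM", 32514: "IDC_WAIT", 32515: "IDC_CROSS", 32516: "IDC_UPARROW",
               32648: "IDC_NO", 32649: "IDC_HAND", 32650: "IDC_APPSTARTING", 32651: "IDC_HELP"}
SM_INDEX = {11: "SM_CXICON", 12: "SM_CYICON", 49: "SM_CXSMICON", 50: "SM_CYSMICON"}
LCTYPE_HIGH = {0x20000000: "LOCALE_RETURN_NUMBER", 0x40000000: "LOCALE_USE_CP_ACP", 0x80000000: "LOCALE_NOUSEROVERRIDE"}
LCTYPE_LOW = {0x000B: "LOCALE_IDEFAULTCODEPAGE", 0x1004: "LOCALE_IDEFAULTANSICODEPAGE"}


@dataclass
class ApiRef:
    name: str
    module: str
    slots: List[Optional[int]]  # captured stack slots; None where the report prints '?'
    ref: int                    # call-site address

    @property
    def key(self) -> str:  # ordinal imports are keyed with their module, named imports by name alone
        return f"{self.name}.{self.module}" if self.name.startswith("#") else self.name

    @property
    def extra_slots(self) -> int:  # printed slots beyond the formal parameters (0 if the API is unknown)
        n = PARAM_COUNT.get(self.key)
        return max(0, len(self.slots) - n) if n is not None else 0


def parse_slot(tok: str) -> Optional[int]:
    if tok == "?":
        return None
    return -int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)  # the report prints negatives as -HEX


def parse_api_line(line: str) -> ApiRef:
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    slots = [parse_slot(t.strip()) for t in m.group("args").split(",")] if m.group("args") else []
    return ApiRef(m.group("name"), m.group("module"), slots, int(m.group("ref"), 16))


def decode_flags(value: int, table: dict, zero_name: str) -> str:
    names = [n for bit, n in table.items() if value & bit]  # name every known bit, keep unknown bits as hex
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else zero_name


def decode_lctype(value: int) -> str:
    high = decode_flags(value & 0xFFFF0000, LCTYPE_HIGH, "")
    low = LCTYPE_LOW.get(value & 0xFFFF, hex(value & 0xFFFF))
    return f"{high}|{low}" if high else low


def decode(api: ApiRef) -> str:
    s, key = api.slots, api.key
    if key in ORDINALS:
        return f"{api.module}!{ORDINALS[key]} (ordinal {api.name[1:]})"
    if key == "LoadImageW" and len(s) >= 6:
        hinst, name, typ, _cx, _cy, fuload = s[:6]
        oem = OEM_ICONS if typ == 1 else OEM_CURSORS if typ == 2 else {}
        # NULL hInstance plus an OEM ID means a system-supplied image; anything else is a module resource.
        what = (f"system {oem[name]}" if hinst == 0 and name in oem
                else f"resource ID {name:#x}" if name is not None else "resource ?")
        return f"LoadImageW({what}, {IMAGE_TYPES.get(typ, typ)}, {decode_flags(fuload or 0, LR_FLAGS, 'LR_DEFAULTCOLOR')})"
    if key == "GetSystemMetrics" and s:
        return f"GetSystemMetrics({SM_INDEX.get(s[0], s[0])})"
    if key == "GetLocaleInfoW":
        # The formal LCType is slot 1 ('?' on this page); report any recognisable LCType anywhere in the window.
        hits = [f"slot {i}={decode_lctype(v)}" for i, v in enumerate(s) if v is not None and (v & 0xFFFF) in LCTYPE_LOW]
        return "GetLocaleInfoW(" + ", ".join(hits) + ")"
    return f"{key}({', '.join('?' if v is None else hex(v) for v in s[:PARAM_COUNT.get(key, len(s))])})"


def triage(lines: List[str]) -> List[str]:
    return [f"{a.ref:08X}  {decode(a)}  [+{a.extra_slots} stack slots]" for a in map(parse_api_line, lines)]


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LINES)))
```

Run as-is, `triage(SAMPLE_LINES)` turns the second record into InitCommonControls, an icon loaded from resource ID 128 (the value MFC's AppWizard assigns to IDR_MAINFRAME), the shared IDC_ARROW cursor and the small-icon metrics, which is ordinary GUI start-up code rather than a capability. In the GetLocaleInfoW line the LCType slot itself was not recovered (`?`); the 0x20001004 further up the captured stack decodes as LOCALE_RETURN_NUMBER|LOCALE_IDEFAULTANSICODEPAGE, which is consistent with C-runtime locale initialisation rather than victim profiling, so the "query locales information" signature should not be weighted heavily on its own.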
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID:
                                                      • API String ID: 2299586839-0
                                                      • Opcode ID: 2f332f9e6badf43a68215bd73d34d119250170fbcc7a7d44b994cc8115363210
                                                      • Instruction ID: d354757536e0917debe2cf07513f82ca74a2bfffc1b71a6022710e3b434e8c80
                                                      • Opcode Fuzzy Hash: 2f332f9e6badf43a68215bd73d34d119250170fbcc7a7d44b994cc8115363210
                                                      • Instruction Fuzzy Hash: 06E01A31604118BBCF123F60EC05EAE7E5BEF49760F005215F90566221CB729971ABA9
                                                      Similarity
                                                      • API ID:
                                                      • String ID: VUUU
                                                      • API String ID: 0-2040033107
                                                      • Opcode ID: 71f8a8418d1cf3a2c313f2478c026d8ca06394e984ddf85190a2feba7837a6ff
                                                      • Instruction ID: 1e7db69efe6c7f032d4c67c9d754b6f35c1f6b23996dfdb52eb96c34c5d20290
                                                      • Opcode Fuzzy Hash: 71f8a8418d1cf3a2c313f2478c026d8ca06394e984ddf85190a2feba7837a6ff
                                                      • Instruction Fuzzy Hash: 3151E5719186A58FD726CF2DC81076AFFF2BB55300F48829FE4A5CB782D2349A05D7A1
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d9c85a0deb962ea26eb5bb1b0bc3aeae1d2c7eadc746fc865980119e760935bc
                                                      • Instruction ID: 0bf166e33e63231906a0d80946a7b95b9cc06db2ab06ae419e75cbf59de6c333
                                                      • Opcode Fuzzy Hash: d9c85a0deb962ea26eb5bb1b0bc3aeae1d2c7eadc746fc865980119e760935bc
                                                      • Instruction Fuzzy Hash: 9A827B71A006198FCB18CF69C9916EEB7F2FF88310F18856DD486E7794DB34AA41CB54
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2382a6573aceb5ed8fdfef97f6dcfd11bcdcb9339beff859389b8f69b9d4e406
                                                      • Instruction ID: fc105064841907b25f506aea2b026f3bacab0d4b0f6c162419605695f4f612b2
                                                      • Opcode Fuzzy Hash: 2382a6573aceb5ed8fdfef97f6dcfd11bcdcb9339beff859389b8f69b9d4e406
                                                      • Instruction Fuzzy Hash: 6BE1AB70600A068FCB24CF28C581AAAB7B2FF49714B24C65DE59E9B391D730ED46CB55
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e5d47f4b59cf3beedd44e7c01f47ca632a77c30cbfd8524c3060bf796dfde55f
                                                      • Instruction ID: 7d7c7d000c649597d391126cf46f39c1d43cc3c28cb9293560379af3852088b2
                                                      • Opcode Fuzzy Hash: e5d47f4b59cf3beedd44e7c01f47ca632a77c30cbfd8524c3060bf796dfde55f
                                                      • Instruction Fuzzy Hash: DDC17871A0112E8FDB24DE68DC55BEEB3B6FB95310F6101E9E40AD7241DA31AE85CF90
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6f478cb3c4ed4d940adea9b29f0b73f4b97031f4372b8dca1e5890d0b1e622de
                                                      • Instruction ID: e63f3e87d1fe20b80ef29c966395efd50acd7ce3dc7648a5455442d524fa0a33
                                                      • Opcode Fuzzy Hash: 6f478cb3c4ed4d940adea9b29f0b73f4b97031f4372b8dca1e5890d0b1e622de
                                                      • Instruction Fuzzy Hash: 2BC1AE74500E468FCB28CF28C495ABAB7B3AB05318F64C61DF55E9B392D730AD46CB52
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7d2da7dbe7445efd983d4c332e9334b6b814c8487af85eede9519a5eb2729417
                                                      • Instruction ID: 35f228915b5e96ea6850271e7742090d967a443915b286e4e51ca1439fc21fa9
                                                      • Opcode Fuzzy Hash: 7d2da7dbe7445efd983d4c332e9334b6b814c8487af85eede9519a5eb2729417
                                                      • Instruction Fuzzy Hash: 86A15472F001199BDF0CCEADCD917ADB6B6EB88310F19C13EE90AE7351E6749D418A94
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e4d5bfc2f6fc9adc6c15147773b51387725997272479a825af2e433f2510587c
                                                      • Instruction ID: 682826b32458a2b469925767900beef7bb670e0e520e459c46df20fce35d982e
                                                      • Opcode Fuzzy Hash: e4d5bfc2f6fc9adc6c15147773b51387725997272479a825af2e433f2510587c
                                                      • Instruction Fuzzy Hash: A8717F74A0051AABCB18DF28D9947A9BBA6FF49314F04422EE90AD7B41D731EC65CFD0
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 32b7730208513fea49f7821074d9c447e78d6d5601f6f81e8c7238713bb368f2
                                                      • Instruction ID: 93d72952558be86d5193d14632b1a71559fd63ffd776d66c8c91c9de23f0144d
                                                      • Opcode Fuzzy Hash: 32b7730208513fea49f7821074d9c447e78d6d5601f6f81e8c7238713bb368f2
                                                      • Instruction Fuzzy Hash: D351F432F016199BDB04CE6DD8856EEFBB6FF94310F18827DD855A7345DA34A805CB90
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c24cc89f7a604322b8ab490e4dd45b083c189411d3d6f1ebfe9e8eda2e0c1127
                                                      • Instruction ID: ba5bbaf13cbb29a9c461f26bf966f9112f9f1250f56f530a17bcfa66869c1885
                                                      • Opcode Fuzzy Hash: c24cc89f7a604322b8ab490e4dd45b083c189411d3d6f1ebfe9e8eda2e0c1127
                                                      • Instruction Fuzzy Hash: 78617AB2D142598BEB28CFAAC94139DFBB9FB48720F34422ED455A7346D774AD418F80
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0c45fbc9bbf64ab1b53b15e040095ec4527f14a825c6be3b3c68e4ae33f325f9
                                                      • Instruction ID: 41751be98c15092937333b0de6dea8a7116a3d13250f030e149fc4cc8ae283a7
                                                      • Opcode Fuzzy Hash: 0c45fbc9bbf64ab1b53b15e040095ec4527f14a825c6be3b3c68e4ae33f325f9
                                                      • Instruction Fuzzy Hash: 8B51C335F012598FCB18CFADD8856AEFBA6EF89310F14867EE955D7381DA3099058740
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 19b34f2cdf2f0553f2792eaf2dec9e39ff12a1e73f5e5d68056f146202a2be79
                                                      • Instruction ID: d3ba9c66dbb6d0acb3bf997025deee96128617151692d768bdc4ea2da53fa312
                                                      • Opcode Fuzzy Hash: 19b34f2cdf2f0553f2792eaf2dec9e39ff12a1e73f5e5d68056f146202a2be79
                                                      • Instruction Fuzzy Hash: F3518275E002198FCB84CFADC98169EBBF1FF8C214B1581AAD819E7306D634AE558F94
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0997584573baebd1806051b37f05ff4abb3aad51c7c5515df4bc08d6eadda7bd
                                                      • Instruction ID: 0f629093994c6afe87ad4c2723b26b7156cd1c242c18ff865459e64ade9d3d31
                                                      • Opcode Fuzzy Hash: 0997584573baebd1806051b37f05ff4abb3aad51c7c5515df4bc08d6eadda7bd
                                                      • Instruction Fuzzy Hash: 2F4126216045568FCF1DCE6958B1FFEBFA1EB95228B14456FD4C28B302DA60CD06DFA0
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: adc2fe75a12df1ac963011b9aa53ede0b3d7ae20bb6f3d3f66d5db85be41c55a
                                                      • Instruction ID: 0e90b2f31fa78e7e415b821fd869966d2dc796ccd67eab04cd51f0952d88f018
                                                      • Opcode Fuzzy Hash: adc2fe75a12df1ac963011b9aa53ede0b3d7ae20bb6f3d3f66d5db85be41c55a
                                                      • Instruction Fuzzy Hash: 94118137320A0A0BE74C8A2CD93777532D1A745314F88A67DEA6BCF2D2D729C455C385
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f73d768404cd7774cf7ce2b93b973ae5028572769bfaf93a301668e07aa0ccf2
                                                      • Instruction ID: 3d136ded70bc9b75c22db2d18e2d3e6874d623b7f2fc81edcc9ba288b3d0b414
                                                      • Opcode Fuzzy Hash: f73d768404cd7774cf7ce2b93b973ae5028572769bfaf93a301668e07aa0ccf2
                                                      • Instruction Fuzzy Hash: B8E08C32911228EBCB24EBDCC94498AF3EDEB44B20B51019AB501E3201C270DE00CBE4
                                                      APIs
                                                      • #17.COMCTL32(00000000,?,?,945323AF), ref: 0061CBCF
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0061CBD7
                                                      • LoadImageW.USER32(00000000,00000080,00000001,00000000,00000000,00000040), ref: 0061CC14
                                                      • LoadImageW.USER32(00000000,00007F00,00000002,00000000,00000000,00008000), ref: 0061CC2F
                                                      • GetSystemMetrics.USER32(00000032), ref: 0061CC4F
                                                      • GetSystemMetrics.USER32(00000031), ref: 0061CC59
                                                      • LoadImageW.USER32(?,00000080,00000001,00000000,00000000,00000000), ref: 0061CC6D
                                                      • RegisterClassExW.USER32(00000030), ref: 0061CC7A
                                                      • CreateWindowExW.USER32(00000000,{32f2b598-6055-4f5b-b0eb-fed112efa9b7},?,90880000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0061CCB1
                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0061CCC8
                                                      • IsDialogMessageW.USER32(?,?), ref: 0061CCDE
                                                      • TranslateMessage.USER32(?), ref: 0061CCEC
                                                      • DispatchMessageW.USER32(?), ref: 0061CCF6
                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0061CD06
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Message$ImageLoad$MetricsSystem$ClassCreateDialogDispatchHandleModuleRegisterTranslateWindow
                                                      • String ID: 0${32f2b598-6055-4f5b-b0eb-fed112efa9b7}
                                                      • API String ID: 889922848-477262938
                                                      • Opcode ID: 9fb2cb3e5a1424b5f1a20f7960199172d4f63118682a04dfc5d58b20fb2f3c80
                                                      • Instruction ID: 3bf5d0bd3bdb6ac22086fff172ce7143ff8e97fe5f6804e637dc48d5743a7bbf
                                                      • Opcode Fuzzy Hash: 9fb2cb3e5a1424b5f1a20f7960199172d4f63118682a04dfc5d58b20fb2f3c80
                                                      • Instruction Fuzzy Hash: 11515B71A44309ABDB10EFA4DC49F9EBBBAFB09720F144529F505AB2D0DB70A944CF94
                                                      APIs
                                                        • Part of subcall function 0064A844: __EH_prolog3.LIBCMT ref: 0064A84B
                                                        • Part of subcall function 0064A844: std::_Lockit::_Lockit.LIBCPMT ref: 0064A856
                                                        • Part of subcall function 0064A844: std::locale::_Setgloballocale.LIBCPMT ref: 0064A871
                                                        • Part of subcall function 0064A844: _Yarn.LIBCPMT ref: 0064A887
                                                        • Part of subcall function 0064A844: std::_Lockit::~_Lockit.LIBCPMT ref: 0064A8C4
                                                        • Part of subcall function 005B81F0: std::_Lockit::_Lockit.LIBCPMT ref: 005B8226
                                                        • Part of subcall function 005B81F0: std::_Lockit::_Lockit.LIBCPMT ref: 005B8249
                                                        • Part of subcall function 005B81F0: std::_Lockit::~_Lockit.LIBCPMT ref: 005B8269
                                                        • Part of subcall function 005B81F0: std::_Lockit::~_Lockit.LIBCPMT ref: 005B82FD
                                                      • __Xtime_get_ticks.LIBCPMT ref: 006144BA
                                                      • __Xtime_get_ticks.LIBCPMT ref: 006146A4
                                                      • Sleep.KERNEL32(000003E8,00000000,?,00989680,00000000,0000000E), ref: 006147C1
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006146D9
                                                        • Part of subcall function 005B9E00: ___std_exception_destroy.LIBVCRUNTIME ref: 005B9E86
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$Xtime_get_ticks$H_prolog3SetgloballocaleSleepUnothrow_t@std@@@Yarn___std_exception_destroy__ehfuncinfo$??2@std::locale::_
                                                      • String ID: 50586146$50586146$T$Wait for bug_report ({}) start$Wait for bug_report end$Waiting for bug_report finish timeout$Waiting for bug_report...$bug_report.exe$isfx$isfx
                                                      • API String ID: 1652337273-107864076
                                                      • Opcode ID: 81b83bce404b5babf2dacc997d8ecb7203b166e0622c5d2a2c6716c0e0c464b0
                                                      • Instruction ID: 0fd60912dc7e5834414cf2190bb5621d690deb706027e6269e74d73c311ce06b
                                                      • Opcode Fuzzy Hash: 81b83bce404b5babf2dacc997d8ecb7203b166e0622c5d2a2c6716c0e0c464b0
                                                      • Instruction Fuzzy Hash: BC226574E002598FDF14DFA4C854BEDBBB2BF89314F284259D419AB381EB706A85CF91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #$C5AE2C65$Cannot duplicate handle for sfx mapping:'{}'.$There is '0' in sfx file mapping handle.$pm${m
                                                      • API String ID: 0-2931273013
                                                      • Opcode ID: a00de3059deaecbb053a74ad87afeadc0b3a52b5444fb0ffbbdb0eed04547687
                                                      • Instruction ID: e341b3904df5366d74afdd23f16faf9f9fdca03ed644c6f717ca58a33923c4f6
                                                      • Opcode Fuzzy Hash: a00de3059deaecbb053a74ad87afeadc0b3a52b5444fb0ffbbdb0eed04547687
                                                      • Instruction Fuzzy Hash: 53D13634E016199FCB14DFA8D854BEDBBB6FF49320F248259E415AB390DB74A941CF90
                                                      APIs
                                                       • GetTokenInformation.ADVAPI32(?,00000001(TokenUser),00000000,00000000,?,945323AF,?,?), ref: 005D0D0A
                                                       • GetLastError.KERNEL32(?,TokenUser,00000000,00000000,?,945323AF,?,?), ref: 005D0D14
                                                       • GetTokenInformation.ADVAPI32(?,00000001(TokenUser),00000000,00000000,00000000,?), ref: 005D0D4E
                                                       • GetLastError.KERNEL32(Unable to get the TOKEN_USER,?,TokenUser,00000000,00000000,00000000,?), ref: 005D0D5D
                                                       • LookupAccountSidW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 005D0D8A
                                                       • GetLastError.KERNEL32(?,TokenUser,00000000,00000000,00000000,?), ref: 005D0D94
                                                       • GetLastError.KERNEL32(Unable to get the user name and domain lengths by LookupAccountSid().,?,TokenUser,00000000,00000000,00000000,?), ref: 005D0DA4
                                                      • LookupAccountSidW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 005D0E03
                                                      • GetLastError.KERNEL32(Unable to get the user name and the domain by LookupAccountSid().), ref: 005D0E12
                                                      Strings
                                                      • Unable to get the needed size for TOKEN_USER by GetTokenInformation(), xrefs: 005D0EE1
                                                      • Unable to get the user name and domain lengths by LookupAccountSid()., xrefs: 005D0D9F
                                                      • Unable to get the user name and the domain by LookupAccountSid()., xrefs: 005D0E0D
                                                      • Unable to get the TOKEN_USER, xrefs: 005D0D58
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$AccountInformationLookupToken
                                                      • String ID: Unable to get the TOKEN_USER$Unable to get the needed size for TOKEN_USER by GetTokenInformation()$Unable to get the user name and domain lengths by LookupAccountSid().$Unable to get the user name and the domain by LookupAccountSid().
                                                      • API String ID: 1183684846-2404060280
                                                      • Opcode ID: 3059a7905859f1326aad733164253ea1c91f9f16c46e766c0f0b680cb6155b36
                                                      • Instruction ID: 9a01f4c57e5a1476d308bc0cc582a4de13183396b87cd4116587ede5b229ef63
                                                      • Opcode Fuzzy Hash: 3059a7905859f1326aad733164253ea1c91f9f16c46e766c0f0b680cb6155b36
                                                      • Instruction Fuzzy Hash: 76615D71D04209ABDB14EFA4CD46BEEBBBAFF49304F20451AF405A6291EB756A44CB60
                                                      APIs
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00632F9E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                      • String ID: Exe file is not supported-bit.$F3B9F2C0$L$Missing DOS signature$Missing NT signature.$No payload present in file.$Payload starts behind file end.$Unable to retrieve size of uninitialized mapping!$file handle is null$repository
                                                      • API String ID: 116670465-3522303960
                                                      • Opcode ID: 1af185b9e45c3b08ed9e88a1e62c8b4a3b05a8ec3cda8ea9dbdee53b7748ed9a
                                                      • Instruction ID: a4a4470f619aae9e4f2ee592ac5fba0a683b7b5268c2b4eabbca39538e4d0705
                                                      • Opcode Fuzzy Hash: 1af185b9e45c3b08ed9e88a1e62c8b4a3b05a8ec3cda8ea9dbdee53b7748ed9a
                                                      • Instruction Fuzzy Hash: 39B1C270E0061A9FCB10EFA8C855BEDBBB6FF49700F10455EE415AB381EB74AA45CB94
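The strings in the function above (Missing DOS signature, Missing NT signature., No payload present in file., Payload starts behind file end.) are the failure paths of a self-extracting stub locating the archive appended to its own image. The following is an added example, not code from the analysed sample or from Joe Sandbox, that walks the same checks over a PE file: validate MZ and PE\0\0, compute where the last section ends, and refuse a payload that is missing or whose declared bounds fall outside the file. The sample's real payload layout is not visible in the report, so the layout assumed here (payload in the overlay, located by a hypothetical 8-byte offset/size trailer at the end of the file) and the minimal PE built as input are constructed for the example.

```python
"""Added example (not code from the analysed sample or from Joe Sandbox).

Locate an appended SFX payload with the same four failure modes as the
strings in the report.  Assumed, hypothetical layout: payload bytes live in
the overlay (after the last section) and an 8-byte trailer '<offset><size>'
closes the file.  Only the standard library is used.
"""
import struct

TRAILER = struct.Struct("<II")  # hypothetical trailer: payload offset, size


class PayloadError(ValueError):
    """Raised with the same wording the sample uses for each failure."""


def overlay_offset(data: bytes) -> int:
    """Return the offset of the first byte after the last PE section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PayloadError("Missing DOS signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PayloadError("Missing NT signature.")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)
    sect_table = e_lfanew + 24 + size_opt
    end = sect_table + num_sections * 40
    for i in range(num_sections):
        hdr = sect_table + i * 40
        if hdr + 40 > len(data):
            raise PayloadError("Section table runs past end of file")  # our own wording
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def locate_payload(data: bytes) -> tuple:
    """Return (offset, size) of the appended payload or raise PayloadError."""
    ovl = overlay_offset(data)
    if len(data) - ovl < TRAILER.size:
        raise PayloadError("No payload present in file.")
    off, size = TRAILER.unpack_from(data, len(data) - TRAILER.size)
    # The payload must lie inside the overlay and end before the trailer.
    if off < ovl or off + size > len(data) - TRAILER.size:
        raise PayloadError("Payload starts behind file end.")
    return off, size


def payload_status(data: bytes) -> str:
    """The message a stub would log for this file."""
    try:
        off, size = locate_payload(data)
    except PayloadError as exc:
        return str(exc)
    return f"payload at {off:#x}, {size} bytes"


def build_minimal_pe(section: bytes = b"\x90" * 0x200) -> bytes:
    """Constructed input: a tiny PE32 with one section (headers only, not runnable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt_hdr = bytearray(0xE0)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)              # PE32 magic
    raw_ptr = 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section), 0x1000,
                       len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + sect
    return headers.ljust(raw_ptr, b"\0") + section


def append_payload(pe: bytes, payload: bytes) -> bytes:
    """Append payload plus the hypothetical trailer locate_payload expects."""
    return pe + payload + TRAILER.pack(len(pe), len(payload))


if __name__ == "__main__":
    stub = build_minimal_pe()
    print(payload_status(stub))                                # no payload yet
    print(payload_status(append_payload(stub, b"archive")))    # located
    print(payload_status(stub + TRAILER.pack(0x10000, 16)))    # trailer points past EOF
    print(payload_status(b"ZM" + stub[2:]))                    # bad DOS header
```

The order of the checks matters for triage: a file that fails at the DOS or NT signature was never a valid image, whereas "Payload starts behind file end." on a file with an intact stub usually means the appended data was truncated in transit or the trailer was tampered with.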
                                                      APIs
                                                      • GetLastError.KERNEL32(Unable to set WinHTTP proxy information!,?,?,?,?,?,http,00000004,945323AF,00000000,00000000), ref: 0060511B
                                                      • GetLastError.KERNEL32(Unable to set proxy credentials!,?,006F8810,00000000,?,?,?,?,?,http,00000004,945323AF,00000000,00000000), ref: 0060513D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID: 073B$188C$The WinHttp does not support to use the SOCKS protocol for communication with the proxy server!$Unable to set WinHTTP proxy information!$Unable to set proxy credentials!$Unsupported proxy type '{}'.$http$https$isfx$isfx${}://{}:{}
                                                      • API String ID: 1452528299-4147856112
                                                      • Opcode ID: 3a693b66f4a47b03ebaf891a5a240c8e90b59d9e4485b816028b9456bab31897
                                                      • Instruction ID: fff66b7c66c2f36c4f2133dca64e433df6d4ee73bf2be614067df17a098a5e09
                                                      • Opcode Fuzzy Hash: 3a693b66f4a47b03ebaf891a5a240c8e90b59d9e4485b816028b9456bab31897
                                                      • Instruction Fuzzy Hash: 98D14770D04359DBDB24DFA4C845BEEBBB5FF54304F10829AE409A7281EB746A85CF91
                                                      APIs
                                                      • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,?,00000000), ref: 005D0317
                                                      • GetLastError.KERNEL32(?,00000001,?,00000000), ref: 005D0321
                                                      • GetSecurityDescriptorOwner.ADVAPI32(00000000,00000000,?,?,00000001,?,00000000), ref: 005D0347
                                                      • GetLastError.KERNEL32(?,00000001,?,00000000), ref: 005D0351
                                                      • LocalFree.KERNEL32(00000000), ref: 005D049B
                                                      • SetLastError.KERNEL32(00000000), ref: 005D04A9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: DescriptorErrorLastSecurity$ConvertFreeLocalOwnerString
                                                      • String ID:
                                                      • API String ID: 207741186-0
                                                      • Opcode ID: 016a75f2ee95877975dc1f771ac2869d6a67412488670a7be2a98607f9b29a7d
                                                      • Instruction ID: e8c7776d314290557328512eb2cace61a713729cadb5fe6303d304e31f05eda2
                                                      • Opcode Fuzzy Hash: 016a75f2ee95877975dc1f771ac2869d6a67412488670a7be2a98607f9b29a7d
                                                      • Instruction Fuzzy Hash: BD516672A00119ABDF209FB4DC44BEEBBB9BF09351F15556AE901F3290E775AD008A60
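The function above converts an SDDL string into a binary security descriptor (ConvertStringSecurityDescriptorToSecurityDescriptorW) and then reads the owner back out (GetSecurityDescriptorOwner), which is the usual shape of an "is this object owned by a trusted principal" check before a loader trusts a file or mapping. The following is an added example, not code from the analysed sample or from Joe Sandbox, that does the equivalent in pure Python so the check can be exercised away from a Windows host: it splits the O:/G:/D:/S: components, expands well-known SID aliases, and answers the two questions a practitioner cares about, who owns the object and whether Everyone was handed full control. The SDDL grammar is Microsoft's; the alias table is a partial subset of the documented well-known SIDs, and the descriptor strings are constructed for the example.

```python
"""Added example (not code from the analysed sample or from Joe Sandbox).

Pure-Python reader for the parts of SDDL that an owner / DACL check needs.
Alias table is a subset of the documented well-known SIDs; inputs are
constructed for the example.
"""
import re

WELL_KNOWN_SIDS = {
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "AU": "S-1-5-11",      # Authenticated Users
    "WD": "S-1-1-0",       # Everyone
}
SYSTEM_SID, ADMINS_SID, EVERYONE_SID = "S-1-5-18", "S-1-5-32-544", "S-1-1-0"
GENERIC_ALL, FILE_ALL_ACCESS = 0x10000000, 0x1F01FF

_COMPONENT = re.compile(r"([OGDS]):")   # O:owner G:group D:dacl S:sacl
_ACE = re.compile(r"\(([^()]*)\)")       # (type;flags;rights;obj;inherit_obj;sid)


def split_sddl(sddl: str) -> dict:
    """Split 'O:..G:..D:..S:..' into a dict keyed by component letter."""
    marks = [(m.start(), m.group(1)) for m in _COMPONENT.finditer(sddl)]
    if not marks or marks[0][0] != 0:
        raise ValueError("not an SDDL string")
    parts = {}
    for i, (start, key) in enumerate(marks):
        end = marks[i + 1][0] if i + 1 < len(marks) else len(sddl)
        parts[key] = sddl[start + 2:end]
    return parts


def resolve_sid(token: str) -> str:
    """Expand a two-letter alias; pass an explicit S-1-... SID through."""
    if token.startswith("S-1-"):
        return token
    try:
        return WELL_KNOWN_SIDS[token]
    except KeyError:
        raise ValueError(f"unknown SID alias {token!r}") from None


def owner_sid(sddl: str) -> str:
    """The SID GetSecurityDescriptorOwner would hand back, as a string."""
    parts = split_sddl(sddl)
    if not parts.get("O"):
        raise ValueError("descriptor has no owner")
    return resolve_sid(parts["O"])


def dacl_aces(sddl: str) -> list:
    """Return [(ace_type, flags, rights, sid), ...] from the D: component."""
    aces = []
    for m in _ACE.finditer(split_sddl(sddl).get("D", "")):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE {m.group(0)!r}")
        ace_type, flags, rights, _obj, _inherit_obj, sid = fields[:6]
        aces.append((ace_type, flags, rights, resolve_sid(sid)))
    return aces


def grants_full_control(rights: str) -> bool:
    """True for FA / GA rights codes or a hex mask equivalent to them."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & GENERIC_ALL) or (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & {"FA", "GA"})


def is_trusted_owner(sddl: str) -> bool:
    """Owner is SYSTEM or Administrators, the property a loader usually wants."""
    return owner_sid(sddl) in (SYSTEM_SID, ADMINS_SID)


def everyone_full_control(sddl: str) -> bool:
    """True if any access-allowed ACE gives Everyone full control."""
    return any(t == "A" and sid == EVERYONE_SID and grants_full_control(r)
               for t, _f, r, sid in dacl_aces(sddl))


if __name__ == "__main__":
    # Constructed descriptors: a system-owned object and a world-writable one.
    strict = "O:SYG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)"
    loose = "O:BUG:BUD:(A;;FA;;;WD)"
    for sddl in (strict, loose):
        print(owner_sid(sddl), is_trusted_owner(sddl), everyone_full_control(sddl))
```

The owner test on its own is weak: a file owned by SYSTEM can still be replaced if its directory or DACL lets unprivileged users write to it, which is why the DACL walk is included alongside the owner check.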
                                                      APIs
                                                      • std::generic_category.LIBCPMTD ref: 0060AE3A
                                                        • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: DispatcherExceptionUserstd::generic_category
                                                      • String ID: Unable to convert uninitialized digest to string!$alias$file$file-list$flags$offset$sha-256$size$timestamp
                                                      • API String ID: 1587301224-2733867216
                                                      • Opcode ID: 0ff77637019781605efd354e571a741cabe5add4e17349a0761c47d413bc2cb1
                                                      • Instruction ID: db95eaaa71ea22f0de5069bc7f7cfb3a2efd299c07941ee5dbf4fc6ae4202959
                                                      • Opcode Fuzzy Hash: 0ff77637019781605efd354e571a741cabe5add4e17349a0761c47d413bc2cb1
                                                      • Instruction Fuzzy Hash: 1D815F719002199BCB25EFA0CC95BEEB7BAAF44300F4445ADE517A3291EF706E48CF95
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0060C0F6
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0060C118
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0060C138
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0060C15F
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0060C1D8
                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0060C224
                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0060C23E
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0060C2D3
                                                      • std::_Facet_Register.LIBCPMT ref: 0060C2E0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                                      • String ID: bad locale name
                                                      • API String ID: 3375549084-1405518554
                                                      APIs
                                                      • GetFileSizeEx.KERNEL32(00000000,?,00000000,?,00000000,?,handle,?,file-mapping-sfx,?,?,00000000,?,00000000), ref: 0060AA9A
                                                      • GetLastError.KERNEL32(?,?,00000000,?,00000000), ref: 0060AAA4
                                                      • std::generic_category.LIBCPMTD ref: 0060AB6B
                                                      Similarity
                                                      • API ID: ErrorFileLastSizestd::generic_category
                                                      • String ID: $$0C4FA195$Get file size of SFX fail {}$file-mapping-sfx$handle$isfx$size
                                                      • API String ID: 924041715-1867349626
                                                      Similarity
                                                      • API ID: shared_ptr$operator+$Name::operator+Name::operator=
                                                      • String ID:
                                                      • API String ID: 1464150960-0
                                                      APIs
                                                      • GetFileSizeEx.KERNEL32(00000000,?,945323AF,005F54DE,?), ref: 005E8D68
                                                      • ReadFile.KERNEL32(?,000000FF,?,00000000,?), ref: 005E8DFB
                                                      • GetLastError.KERNEL32(get_file_content: GetFileSizeEx), ref: 005E8E80
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005E8E8A
                                                      • GetLastError.KERNEL32(get_file_content: ReadFile,006F8810,006F8810,00000000), ref: 005E8EA2
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005E8EAC
                                                      Strings
                                                      • get_file_content: GetFileSizeEx, xrefs: 005E8E7B
                                                      • get_file_content, xrefs: 005E8E6F
                                                      • get_file_content: ReadFile, xrefs: 005E8E9D
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorErrorFileLast$ReadSize
                                                      • String ID: get_file_content$get_file_content: GetFileSizeEx$get_file_content: ReadFile
                                                      • API String ID: 1173113360-2648918662
                                                      APIs
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,945323AF), ref: 006486A5
                                                      • RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000100), ref: 006486C5
                                                      • SetLastError.KERNEL32(00000000), ref: 00648708
                                                      • RegDeleteKeyExW.ADVAPI32(?,?,?,00000000), ref: 0064871C
                                                      • SetLastError.KERNEL32(00000000), ref: 00648725
                                                        • Part of subcall function 00648630: GetLastError.KERNEL32 ref: 006486EC
                                                        • Part of subcall function 00648630: SetLastError.KERNEL32(00000000), ref: 006486F9
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0064873B
                                                      • SetLastError.KERNEL32(00000000), ref: 00648746
                                                      • SetLastError.KERNEL32(00000057,945323AF), ref: 00648752
                                                      Similarity
                                                      • API ID: ErrorLast$CloseDeleteEnumOpen
                                                      • String ID:
                                                      • API String ID: 64881054-0
                                                      APIs
                                                        • Part of subcall function 00647DC0: GetProcessHeap.KERNEL32 ref: 00647E2A
                                                      • GetSystemDirectoryW.KERNEL32(00000010,00000104), ref: 00644254
                                                      • GetLastError.KERNEL32 ref: 0064425E
                                                      • GetVolumePathNameW.KERNEL32(00000010,00000000,00000104), ref: 006442C9
                                                      • GetLastError.KERNEL32 ref: 006442D3
                                                      • GetVolumeNameForVolumeMountPointW.KERNEL32(00000000,00000010,00000104), ref: 00644342
                                                      • GetLastError.KERNEL32 ref: 0064434C
                                                        • Part of subcall function 00646E40: FindResourceExW.KERNEL32(00000000,00000006,CAE85006,00000000,00000000,006A5E5D,00000000,00000000,?,006477DE,?,?,?,?,945323AF,00000000), ref: 00646E86
                                                        • Part of subcall function 00646E40: FindResourceW.KERNEL32(00000000,CAE85006,00000006,?,?,006477DE,?,?,?,?,945323AF,00000000,00000000,?,006A5E5D,000000FF), ref: 00646ECF
                                                        • Part of subcall function 00646E40: LoadResource.KERNEL32(00000000,00000000,?,?,006477DE,?,?,?,?,945323AF,00000000,00000000,?,006A5E5D,000000FF), ref: 00646EE2
                                                        • Part of subcall function 00646E40: LockResource.KERNEL32(00000000,?,?,006477DE,?,?,?,?,945323AF,00000000,00000000,?,006A5E5D,000000FF), ref: 00646EF1
                                                        • Part of subcall function 00646E40: SizeofResource.KERNEL32(00000000,006477DE,?,?,006477DE,?,?,?,?,945323AF,00000000,00000000,?,006A5E5D,000000FF), ref: 00646F05
                                                      • CLSIDFromString.OLE32(?,?,?,?,00000000), ref: 0064442D
                                                      Similarity
                                                      • API ID: Resource$ErrorLastVolume$FindName$DirectoryFromHeapLoadLockMountPathPointProcessSizeofStringSystem
                                                      • String ID: \\?\Volume
                                                      • API String ID: 3991536180-1671960459
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 005C6306
                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005C6361
                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005C64A3
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 005C6547
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 005C6579
                                                      Similarity
                                                      • API ID: std::_$Locinfo::_Lockit$Concurrency::cancel_current_taskLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                      • String ID: bad locale name$false$true
                                                      • API String ID: 3204333896-1062449267
                                                      APIs
                                                        • Part of subcall function 005E4F10: CreateFileW.KERNEL32(000000FF,?,00000007,00000000,0069D2DE,08000000,00000000,00000000), ref: 005E4F9A
                                                        • Part of subcall function 005E4F10: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0069D2DE,000000FF,?,005E623C,80000000,00000003), ref: 005E4FB4
                                                        • Part of subcall function 005E4F10: CloseHandle.KERNEL32(00000064,?,?,?,?,?,?,?,?,0069D2DE,000000FF,?,005E623C,80000000,00000003), ref: 005E500C
                                                        • Part of subcall function 005E6930: SetLastError.KERNEL32(00000057,?,?,00000000), ref: 005E69E3
                                                      • CloseHandle.KERNEL32(00000000,00000000,00000000), ref: 005E67D2
                                                      • LockFileEx.KERNEL32(00000000,00000002,00000000,000000FF,00000000,?,00000000,00000000), ref: 005E681D
                                                      • UnlockFileEx.KERNEL32(?,00000000,FFFFFFFF,00000000,?), ref: 005E6856
                                                      • SetLastError.KERNEL32(00000000), ref: 005E685E
                                                      • CloseHandle.KERNEL32(00000000), ref: 005E68B6
                                                      • GetLastError.KERNEL32(couldn't obtain exclusive file lock), ref: 005E68FF
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005E6909
                                                      Strings
                                                      • couldn't obtain exclusive file lock, xrefs: 005E68FA
                                                      Similarity
                                                      • API ID: ErrorLast$CloseFileHandle$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorCreateLockUnlock
                                                      • String ID: couldn't obtain exclusive file lock
                                                      • API String ID: 1245938145-2975309972
                                                      APIs
                                                      • Replicator::operator[].LIBCMT ref: 006728CA
                                                      Similarity
                                                      • API ID: Replicator::operator[]
                                                      • String ID: generic-type-$template-parameter-
                                                      • API String ID: 3676697650-13229604
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32 ref: 005D8D24
                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationFile), ref: 005D8D34
                                                      • GetLastError.KERNEL32 ref: 005D8D4E
                                                      • GetLastError.KERNEL32(?,006F8810,00000000,GetModuleHandleW ({}),00000015,?), ref: 005D8D79
                                                      Similarity
                                                      • API ID: ErrorLast$AddressHandleModuleProc
                                                      • String ID: GetModuleHandleW ({})$GetProcAddress ({})$NtSetInformationFile$ntdll.dll
                                                      • API String ID: 1762409328-413960078
                                                      APIs
                                                        • Part of subcall function 005E4F10: CreateFileW.KERNEL32(000000FF,?,00000007,00000000,0069D2DE,08000000,00000000,00000000), ref: 005E4F9A
                                                        • Part of subcall function 005E4F10: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0069D2DE,000000FF,?,005E623C,80000000,00000003), ref: 005E4FB4
                                                        • Part of subcall function 005E4F10: CloseHandle.KERNEL32(00000064,?,?,?,?,?,?,?,?,0069D2DE,000000FF,?,005E623C,80000000,00000003), ref: 005E500C
                                                      • LockFileEx.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?), ref: 005E6295
                                                      • UnlockFileEx.KERNEL32(?,00000000,FFFFFFFF,00000000,?), ref: 005E62C1
                                                      • SetLastError.KERNEL32(00000000,000000FF), ref: 005E62D8
                                                      • CloseHandle.KERNEL32(00000000), ref: 005E6330
                                                      • GetLastError.KERNEL32(couldn't obtain shared file lock), ref: 005E6379
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005E6383
                                                        • Part of subcall function 005E8CF0: GetFileSizeEx.KERNEL32(00000000,?,945323AF,005F54DE,?), ref: 005E8D68
                                                        • Part of subcall function 005E8CF0: ReadFile.KERNEL32(?,000000FF,?,00000000,?), ref: 005E8DFB
                                                      Strings
                                                      • couldn't obtain shared file lock, xrefs: 005E6374
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: File$ErrorLast$CloseHandle$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorCreateLockReadSizeUnlock
                                                      • String ID: couldn't obtain shared file lock
                                                      • API String ID: 2755012231-3717060661
                                                      • Opcode ID: d3da77a67cf5146b66cafc8df9ef22df232399700c14cfba38e207063602a3fa
                                                      • Instruction ID: a78ee4ef3f7df0e6b7f316a28e8021dc404ea820fa3a3d65e55ee207197d3f61
                                                      • Opcode Fuzzy Hash: d3da77a67cf5146b66cafc8df9ef22df232399700c14cfba38e207063602a3fa
                                                      • Instruction Fuzzy Hash: 37519A71D002499FDB14DFA4CC49BEEBBB4BF59314F208219E420B7291EB746A05CFA5
                                                      APIs
                                                        • Part of subcall function 006688FE: EnterCriticalSection.KERNEL32(00706D80,006A5E5D,00000000,?,00646E58,00000000,006A5E5D,00000000,00000000,?,006477DE,?,?,?,?,945323AF), ref: 00668909
                                                        • Part of subcall function 006688FE: LeaveCriticalSection.KERNEL32(00706D80,?,00646E58,00000000,006A5E5D,00000000,00000000,?,006477DE,?,?,?,?,945323AF,00000000,00000000), ref: 00668935
                                                      • FindResourceExW.KERNEL32(00000000,00000006,CAE85006,00000000,00000000,006A5E5D,00000000,00000000,?,006477DE,?,?,?,?,945323AF,00000000), ref: 00646E86
                                                      • FindResourceW.KERNEL32(00000000,CAE85006,00000006,?,?,006477DE,?,?,?,?,945323AF,00000000,00000000,?,006A5E5D,000000FF), ref: 00646ECF
                                                      • LoadResource.KERNEL32(00000000,00000000,?,?,006477DE,?,?,?,?,945323AF,00000000,00000000,?,006A5E5D,000000FF), ref: 00646EE2
                                                      • LockResource.KERNEL32(00000000,?,?,006477DE,?,?,?,?,945323AF,00000000,00000000,?,006A5E5D,000000FF), ref: 00646EF1
                                                      • SizeofResource.KERNEL32(00000000,006477DE,?,?,006477DE,?,?,?,?,945323AF,00000000,00000000,?,006A5E5D,000000FF), ref: 00646F05
                                                        • Part of subcall function 00647AF0: RtlAllocateHeap.NTDLL(006D9DE8,00000000,?,?,?,006F8E90,?,?,?,00643B16,80004005), ref: 00647B1B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Resource$CriticalFindSection$AllocateEnterHeapLeaveLoadLockSizeof
                                                      • String ID: lmp$lmp
                                                      • API String ID: 2290156291-1913219935
                                                      • Opcode ID: 573ac93188f5c515608377399549f99b0f872ef682933b299451c36a8a0dad5d
                                                      • Instruction ID: abb71c0bd5bdc2be3402ab63de9c191313c8c4343940e651ac0aebe89b8fe794
                                                      • Opcode Fuzzy Hash: 573ac93188f5c515608377399549f99b0f872ef682933b299451c36a8a0dad5d
                                                      • Instruction Fuzzy Hash: 4241F775A045149BCB609F5AEC44BBEB7EBEF56300F0401AEF981DB351EB31AC048752
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0064A10D,0064A2B6), ref: 0064A0A9
                                                      • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0064A0BF
                                                      • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0064A0D4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule
                                                      • String ID: 4fp$AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                      • API String ID: 667068680-942721438
                                                      • Opcode ID: c3354ad5952f429844f241598733fe5749517089bf21993c6f17c53f138177e9
                                                      • Instruction ID: a12a2ce3370d5ec6e752b8053479b31fee1c36b9c40347d94b481d8775e0cf6a
                                                      • Opcode Fuzzy Hash: c3354ad5952f429844f241598733fe5749517089bf21993c6f17c53f138177e9
                                                      • Instruction Fuzzy Hash: CAF0C232789222BF8B306FF55C942E632CB5A07B54711823AF502E3740EE65DC519A97
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?), ref: 006480C1
                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 006480EC
                                                      • MoveFileExW.KERNEL32(?,?,?), ref: 00648112
                                                      • GetLastError.KERNEL32 ref: 00648121
                                                      • Sleep.KERNEL32(000000C8), ref: 0064813C
                                                      • GetLastError.KERNEL32 ref: 0064814A
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00648164
                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00648186
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: File$Attributes$ErrorLast$MoveSleep
                                                      • String ID:
                                                      • API String ID: 2113869211-0
                                                      • Opcode ID: e1a2b67c6dce7ae98a168b3cab3dd76af061af253b368e6026e4e9ff286ae4e2
                                                      • Instruction ID: cb88bd2e0f6ac3cb41466035b0c211ec66164e981d9b5f938d111021385c2fbf
                                                      • Opcode Fuzzy Hash: e1a2b67c6dce7ae98a168b3cab3dd76af061af253b368e6026e4e9ff286ae4e2
                                                      • Instruction Fuzzy Hash: 7531E271B00115AFCB249F68DC446AEB7FAEF4A711B140A1AE891C7390DB30AD46CFA0
                                                      APIs
                                                      • _ValidateLocalCookies.LIBCMT ref: 00668D87
                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00668D8F
                                                      • _ValidateLocalCookies.LIBCMT ref: 00668E18
                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00668E43
                                                      • _ValidateLocalCookies.LIBCMT ref: 00668E98
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                      • String ID: csm
                                                      • API String ID: 1170836740-1018135373
                                                      • Opcode ID: 41c74780e987cdf90559ed91fe897f24023e03a9dda38cc7d69f3e027a80ef53
                                                      • Instruction ID: afa514ec4a47e6b5773eec0de1b91188e17743ccff686880299804ecc54d1e9d
                                                      • Opcode Fuzzy Hash: 41c74780e987cdf90559ed91fe897f24023e03a9dda38cc7d69f3e027a80ef53
                                                      • Instruction Fuzzy Hash: BD41A434A00209AFCF10DF79C844AEEBBB7AF45324F148259E9145B392DB32AD11CBA0
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 005B8226
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 005B8249
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 005B8269
                                                        • Part of subcall function 005B7FE0: std::_Lockit::_Lockit.LIBCPMT ref: 005B8069
                                                        • Part of subcall function 005B7FE0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005B80BE
                                                        • Part of subcall function 005B7FE0: __Getctype.LIBCPMT ref: 005B80D7
                                                        • Part of subcall function 005B7FE0: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005B8121
                                                      • std::_Facet_Register.LIBCPMT ref: 005B82DB
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 005B82FD
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 005B8320
                                                      • __Towlower.LIBCPMT ref: 005B833A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_$Locinfo::_Lockit::~_$Concurrency::cancel_current_taskFacet_GetctypeLocinfo_ctorLocinfo_dtorRegisterTowlower
                                                      • String ID:
                                                      • API String ID: 1467388372-0
                                                      • Opcode ID: 54d6e665b27ae0d2275885b6e6399e08d5cf74a4bfc5de719c29443fe08f1631
                                                      • Instruction ID: 1e23bd8b356d9cf1139c74a785d6b1a1c43d55437c2fda61a3497cc66a28c3c5
                                                      • Opcode Fuzzy Hash: 54d6e665b27ae0d2275885b6e6399e08d5cf74a4bfc5de719c29443fe08f1631
                                                      • Instruction Fuzzy Hash: 09419B75900609DFCB01DF98D881ABEFBBAFB44320F14821AE816A7351EB35BD41CB95
                                                      APIs
                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 005A86D1
                                                      • InitializeCriticalSection.KERNEL32(00708704,005E3C77), ref: 005A86E5
                                                      • GetModuleHandleW.KERNEL32(00000000,asw_process_storage_allocate_connector,005E3C77), ref: 005A8707
                                                      • GetProcAddress.KERNEL32(00000000), ref: 005A870E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$CriticalHandleInitializeModuleSection
                                                      • String ID: Ym$asw_process_storage_allocate_connector
                                                      • API String ID: 3576218667-2120277219
                                                      • Opcode ID: 801b85c4a5340a3fd6daf975f6fdb7308e93ee5a4434e0f0f35172a422bbd740
                                                      • Instruction ID: ebed622371b0cf74b0e2ed4dcd9df1033f5669e3f0c9ee05d55f857ef828c720
                                                      • Opcode Fuzzy Hash: 801b85c4a5340a3fd6daf975f6fdb7308e93ee5a4434e0f0f35172a422bbd740
                                                      • Instruction Fuzzy Hash: 5D112972E485819ECB117F786C193643F52BB63315F28459EE811E71E2CF316802CF69
                                                      APIs
                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,005E47B2,?,00000000), ref: 005E48DD
                                                      • CloseHandle.KERNEL32(00000000,?,005E47B2,?,00000000,?,?,?,?,?,?,?,005E43CD), ref: 005E48FD
                                                      • GetLastError.KERNEL32(?,005E47B2,?,00000000,?,?,?,?,?,?,?,005E43CD), ref: 005E4911
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005E4920
                                                      • CloseHandle.KERNEL32(00000000,005E47B2,006F8810,00000000,Cannot create event,?,005E47B2,?,00000000), ref: 005E494E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorCreateErrorEventLast
                                                      • String ID: Cannot create event
                                                      • API String ID: 135146951-3475436419
                                                      • Opcode ID: 6fc7da21d47b3a0a2312c90fbdcbd22e1c314bba22e082fe5fb50ce1498d0de9
                                                      • Instruction ID: ec3bbe50aec44e094b6316713ade4c4dc4cbf12f40a66d8b9bae049d5565a989
                                                      • Opcode Fuzzy Hash: 6fc7da21d47b3a0a2312c90fbdcbd22e1c314bba22e082fe5fb50ce1498d0de9
                                                      • Instruction Fuzzy Hash: 19012431B143165BCB04AB799C05B7737DDAF44701F044579BD89E3291EE24DC008BE1
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,?,?), ref: 0064CA1B
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0064CA86
                                                      • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0064CAA3
                                                      • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0064CAE2
                                                      • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0064CB41
                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0064CB64
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiStringWide
                                                      • String ID:
                                                      • API String ID: 2829165498-0
                                                      • Opcode ID: 9e94108314b1dfe3256797b35b54385ba8981a6c5018fe1792b179c70a42ebae
                                                      • Instruction ID: c76143a8779d51738b990fe820d0c7156e86de4ddec109246c4e08d93f4332d7
                                                      • Opcode Fuzzy Hash: 9e94108314b1dfe3256797b35b54385ba8981a6c5018fe1792b179c70a42ebae
                                                      • Instruction Fuzzy Hash: 7251CF7260220AABEF609F64CC46FEB7BABEF457A0F154029FD01A6350D730DD109BA0
                                                      APIs
                                                      • DName::operator+.LIBCMT ref: 0067277D
                                                      • DName::operator+.LIBCMT ref: 00672789
                                                        • Part of subcall function 0066CC24: shared_ptr.LIBCMT ref: 0066CC40
                                                      • DName::operator+=.LIBCMT ref: 00672847
                                                        • Part of subcall function 00670FC6: DName::operator+.LIBCMT ref: 00671031
                                                        • Part of subcall function 00670FC6: DName::operator+.LIBCMT ref: 006712FB
                                                        • Part of subcall function 0066CB4F: DName::operator+.LIBCMT ref: 0066CB70
                                                      • DName::operator+.LIBCMT ref: 00672804
                                                        • Part of subcall function 0066CC7C: DName::operator=.LIBVCRUNTIME ref: 0066CC9D
                                                      • DName::DName.LIBVCRUNTIME ref: 0067286B
                                                      • DName::operator+.LIBCMT ref: 00672877
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
                                                      • String ID:
                                                      • API String ID: 2795783184-0
                                                      • Opcode ID: f906b2cc0b81fc5ff96b653153ae61e092083e800e2683231b1cd1b62a3385b7
                                                      • Instruction ID: f4ad0fe255e76180d4a89e1cfae141f88d206dfcf4226261820ed678ea7c73b0
                                                      • Opcode Fuzzy Hash: f906b2cc0b81fc5ff96b653153ae61e092083e800e2683231b1cd1b62a3385b7
                                                      • Instruction Fuzzy Hash: E241C6B0A00245AFDB18EF68C865BEE7BFBEB09300F44845DE18997391DB359944C759
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 005C6636
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 005C6659
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 005C6679
                                                        • Part of subcall function 005C6260: std::_Lockit::_Lockit.LIBCPMT ref: 005C6306
                                                        • Part of subcall function 005C6260: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005C6361
                                                      • std::_Facet_Register.LIBCPMT ref: 005C66EB
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 005C670D
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 005C6730
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
                                                      • String ID:
                                                      • API String ID: 2294326227-0
                                                      • Opcode ID: 137d346feec6276f5e856523dec5289fe6c65ea37622908b3c76b5db6393ec3c
                                                      • Instruction ID: db58c989d27c435699e5e0f64448ea2f13eab004c00e021ccaa207057be152ee
                                                      • Opcode Fuzzy Hash: 137d346feec6276f5e856523dec5289fe6c65ea37622908b3c76b5db6393ec3c
                                                      • Instruction Fuzzy Hash: B441AB71900209DFCF15DF98C985BAEBBB6FF84324F24421EE845A7251DB34AE41CB96
                                                      APIs
                                                      • DeleteCriticalSection.KERNEL32(?,?), ref: 005D8AD0
                                                      • DeleteCriticalSection.KERNEL32(?), ref: 005D8AE5
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 005D8B43
                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 005D8B51
                                                        • Part of subcall function 0064C0BC: WakeConditionVariable.KERNEL32(?,?,005F894F,?,?,?), ref: 0064C0C6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Cpp_errorCriticalDeleteSectionThrow_std::_$ConditionVariableWake
                                                      • String ID: Hnm
                                                      • API String ID: 3021290238-1236623014
                                                      • Opcode ID: 493c9e973859284e4087e5c75338d50a170d39b99243ab4049190dc6955ff302
                                                      • Instruction ID: e9771b17ba0f4688f7764fe592090d6970848db62935271eae71928910df629e
                                                      • Opcode Fuzzy Hash: 493c9e973859284e4087e5c75338d50a170d39b99243ab4049190dc6955ff302
                                                      • Instruction Fuzzy Hash: E5A1F571A006118FDB24DF28C885B6AFBA5FF41724F08465FE9099B782DB30BD05CB91
                                                      APIs
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00622DF3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                      • String ID: 1498$4EEB$Load source data failed$Not enough data in buffer
                                                      • API String ID: 116670465-1197102986
                                                      • Opcode ID: 7421ceb022d7f2e01de98c0a005d840a8c06391b82b63ad429d4472977f1d118
                                                      • Instruction ID: dbfc7eb6d4c1c21a21e5c0befc24e8ef2321993840bf14be1cc148a7eef4fe03
                                                      • Opcode Fuzzy Hash: 7421ceb022d7f2e01de98c0a005d840a8c06391b82b63ad429d4472977f1d118
                                                      • Instruction Fuzzy Hash: 7D718971E002199FCB04DFA4C995BAEBBB6FF49304F10865EE405AB380DB35AA45CF91
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000400,00000000,?,945323AF), ref: 005CC3E9
                                                      • GetLastError.KERNEL32(?,945323AF), ref: 005CC41F
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,006F8810,00000000,Unable to get handle for pid: {}!,00000021,?,?,945323AF), ref: 005CC49A
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,006F8810,00000000,Unable to get handle for pid: {}!,00000021,?,?,945323AF), ref: 005CC4AE
                                                      Strings
                                                      • Unable to get handle for pid: {}!, xrefs: 005CC42B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle$ErrorLastOpenProcess
                                                      • String ID: Unable to get handle for pid: {}!
                                                      • API String ID: 3379443537-1504398310
                                                      • Opcode ID: 5c036cd6bc8a73e12a7f76c3c822af36897a8e441540bfcb5846c7dd47461433
                                                      • Instruction ID: 33d20af6f054f6fe990270dace04fc0a3f9df4e23dd643ab20089fe664450854
                                                      • Opcode Fuzzy Hash: 5c036cd6bc8a73e12a7f76c3c822af36897a8e441540bfcb5846c7dd47461433
                                                      • Instruction Fuzzy Hash: D9317070A006159FDF14DFA4DC94B6ABBB9FF09721F00462EF515D7290DB74A900CB90
                                                      APIs
                                                        • Part of subcall function 005CC3A0: OpenProcess.KERNEL32(00000400,00000000,?,945323AF), ref: 005CC3E9
                                                      • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,0069BC56,000000FF), ref: 005D0C64
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,0069BC56,000000FF), ref: 005D0C76
                                                      • GetLastError.KERNEL32(failed to open process token,?,?,?,?,0069BC56,000000FF), ref: 005D0C9D
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005D0CA7
                                                      Strings
                                                      • failed to open process token, xrefs: 005D0C98
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: OpenProcess$CloseConcurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorErrorHandleLastToken
                                                      • String ID: failed to open process token
                                                      • API String ID: 14111348-3555776696
                                                      • Opcode ID: e810e1debcda46e085a680fb4b018ecefd6d3ae01d12726f61e845a0de52e61a
                                                      • Instruction ID: b8f63f2b702d90c2de6e6b6e4630b360b00856d372b318281d1217f4c27a1941
                                                      • Opcode Fuzzy Hash: e810e1debcda46e085a680fb4b018ecefd6d3ae01d12726f61e845a0de52e61a
                                                      • Instruction Fuzzy Hash: 31216DB1D04209DFDB14EFA4DD49BAEBBB9FB08710F10451EE815A3281DB756A04CBA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: operator+shared_ptr$NameName::
                                                      • String ID:
                                                      • API String ID: 2894330373-0
                                                      • Opcode ID: f53a174b5cd21bdb974b7bfa07bbf812652e8e0694c4c24385112b362db1e50d
                                                      • Instruction ID: ea015e6d16e201a29f6e1fb697cbbce0328d01cd5b01e91236a12eb6616ab0a3
                                                      • Opcode Fuzzy Hash: f53a174b5cd21bdb974b7bfa07bbf812652e8e0694c4c24385112b362db1e50d
                                                      • Instruction Fuzzy Hash: 97617A7590020AEFEF14DFA8C8549F97BB6FB04308F14C25AE4489B252E776DA05CBA4
                                                      APIs
                                                      • SetLastError.KERNEL32(00000057,945323AF), ref: 00648A09
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,945323AF), ref: 00648A4A
                                                      • SetLastError.KERNEL32(00000000), ref: 00648A55
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$Open
                                                      • String ID:
                                                      • API String ID: 1333505713-0
                                                      • Opcode ID: 189e37cc62585d7da9bd97c4727c71a23641f34347d8b600e0821ddb7a9cd0be
                                                      • Instruction ID: 47eff428192a64030efb17354ae9f8419575efe32ca3fea9d92f8663dc02e2fe
                                                      • Opcode Fuzzy Hash: 189e37cc62585d7da9bd97c4727c71a23641f34347d8b600e0821ddb7a9cd0be
                                                      • Instruction Fuzzy Hash: E2616E71D00249AFDB10DFA4D844BEEBBB6FF89314F144159E805B7341EB746985CBA0
                                                      APIs
                                                      • SetLastError.KERNEL32(00000057,945323AF), ref: 006487C2
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,945323AF), ref: 00648815
                                                      • SetLastError.KERNEL32(00000000), ref: 00648820
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$Open
                                                      • String ID:
                                                      • API String ID: 1333505713-0
                                                      • Opcode ID: b11a9e61d4d2868fde8414156b00e2cf38b658a30fb502b75a073ea0a069d7db
                                                      • Instruction ID: dee16217cae342db2c15cc883c7a61dbb550b883727bf73f88758f1b32d67146
                                                      • Opcode Fuzzy Hash: b11a9e61d4d2868fde8414156b00e2cf38b658a30fb502b75a073ea0a069d7db
                                                      • Instruction Fuzzy Hash: 2D615871D04229AEDB25DF64DC88BEEB7B5FB54304F1042D9E809A7280EB746E84CF90
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 0064C397
                                                      • AcquireSRWLockExclusive.KERNEL32(006D9DF0,?,005F7C6B,00000080,?,00000006,?,?,?,?,?,?,00000001,?,945323AF,?), ref: 0064C3B6
                                                      • AcquireSRWLockExclusive.KERNEL32(006D9DF0,?,?,?,005F7C6B,00000080,?,00000006,?,?,?,?,?,?,00000001), ref: 0064C3E4
                                                      • TryAcquireSRWLockExclusive.KERNEL32(006D9DF0,?,?,?,005F7C6B,00000080,?,00000006,?,?,?,?,?,?,00000001), ref: 0064C43F
                                                      • TryAcquireSRWLockExclusive.KERNEL32(006D9DF0,?,?,?,005F7C6B,00000080,?,00000006,?,?,?,?,?,?,00000001), ref: 0064C456
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AcquireExclusiveLock$CurrentThread
                                                      • String ID:
                                                      • API String ID: 66001078-0
                                                      • Opcode ID: 29ad2e6b2224cae03447dd66cf8cfa967bccf77d88451d4b0d1f499cecc93bb8
                                                      • Instruction ID: bcd37db40c01baf9fe245d591802f468893f75f414609b8e9c4f7b2006df1c2e
                                                      • Opcode Fuzzy Hash: 29ad2e6b2224cae03447dd66cf8cfa967bccf77d88451d4b0d1f499cecc93bb8
                                                      • Instruction Fuzzy Hash: 4B415871602A0ADFCB60DF65CAA09BAB3F6FF09320B60492AE456D7750D730F981CB54
                                                      APIs
                                                      • __EH_prolog3.LIBCMT ref: 0064A84B
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0064A856
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0064A8C4
                                                        • Part of subcall function 0064A9A7: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0064A9BF
                                                      • std::locale::_Setgloballocale.LIBCPMT ref: 0064A871
                                                      • _Yarn.LIBCPMT ref: 0064A887
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                       • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                      • String ID:
                                                      • API String ID: 1088826258-0
                                                      • Opcode ID: 87497ddf8d1f3900397c2eeecf376bc190d397947e2c975da3b193435ab12ad1
                                                      • Instruction ID: b7dfdfad3085b5101cb1455070e0af0de52971829b55acf86104fd6765a4d5b2
                                                      • Opcode Fuzzy Hash: 87497ddf8d1f3900397c2eeecf376bc190d397947e2c975da3b193435ab12ad1
                                                      • Instruction Fuzzy Hash: B8017CB5A40210ABCB06EF60D95297D7BB7FF85350B15414DE80197381CF386E42CB9A
                                                      APIs
                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,005CE5E2,00000000,00000000,00000000,00000000,945323AF), ref: 005B6DB6
                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,945323AF,?), ref: 005B6E21
                                                      Strings
                                                      • to_narrow<wchar_t> invalid arguments, xrefs: 005B6E74
                                                      • to_narrow<wchar_t>::WideCharToMultiByte, xrefs: 005B6E59
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      • Associated: 00000000.00000002.2891811751.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2892688392.00000000006A7000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893200490.00000000006FC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893414123.00000000006FE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893701206.0000000000706000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2893953302.000000000070A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide
                                                      • String ID: to_narrow<wchar_t> invalid arguments$to_narrow<wchar_t>::WideCharToMultiByte
                                                      • API String ID: 626452242-1534530176
                                                      • Opcode ID: 2115ee65cb5cb8e013d2874e4b60407fc97d77c28774c45471767f900eab8ca0
                                                      • Instruction ID: 9438b231b38298eeabfe5b10598c22dea3b8dcc18178939800f25a35e1d6dd41
                                                      • Opcode Fuzzy Hash: 2115ee65cb5cb8e013d2874e4b60407fc97d77c28774c45471767f900eab8ca0
                                                      • Instruction Fuzzy Hash: BF91A471A00209ABCB14DFA8D841BEEFFB9FF44310F24426AE915A7381D774AE14CB94
                                                      APIs
                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,005CE5E2,00000000,00000000,00000000,00000000,945323AF), ref: 005B6DB6
                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,945323AF,?), ref: 005B6E21
                                                      Strings
                                                      • to_narrow<wchar_t> invalid arguments, xrefs: 005B6E74
                                                      • to_narrow<wchar_t>::WideCharToMultiByte, xrefs: 005B6E59
                                                      Similarity
                                                      • API ID: ByteCharMultiWide
                                                      • String ID: to_narrow<wchar_t> invalid arguments$to_narrow<wchar_t>::WideCharToMultiByte
                                                      • API String ID: 626452242-1534530176
                                                      • Opcode ID: cd32188aeff4f28fd3c31bb9d4227169da1c3a88a12bb9026503c180eb12c0fd
                                                      • Instruction ID: 3eda8b6430953c902708fba0a1023909ee214c93463937694821d8293ff4ebe7
                                                      • Opcode Fuzzy Hash: cd32188aeff4f28fd3c31bb9d4227169da1c3a88a12bb9026503c180eb12c0fd
                                                      • Instruction Fuzzy Hash: 2B41D271A0030AABDB24DF65CC05BEABFB9FB84700F10461AE904A76C0DBB4B944CBD4
                                                      APIs
                                                      • InitOnceBeginInitialize.KERNEL32(00708B38,00000000,?,00000000,945323AF,?,?,?), ref: 005F2611
                                                      • InitOnceComplete.KERNEL32(00708B38,00000000,00000000), ref: 005F264F
                                                      Similarity
                                                      • API ID: InitOnce$BeginCompleteInitialize
                                                      • String ID: Singleton already destroyed$!_
                                                      • API String ID: 51270584-2496294838
                                                      • Opcode ID: b652fd91a38034c7291361fd0aa06ae2e00ba6194fc1f4fc5fc4be06b90179f2
                                                      • Instruction ID: 3cac3fff7777e9ad9ad5501ffb43cd227434ea5ccd1c2b783f153984c17a22da
                                                      • Opcode Fuzzy Hash: b652fd91a38034c7291361fd0aa06ae2e00ba6194fc1f4fc5fc4be06b90179f2
                                                      • Instruction Fuzzy Hash: 3C312DF0A01209DFDB54DF95C906BAEBBF4FB05700F50861EE945E7680DBB8A904CB5A
                                                      APIs
                                                      • std::generic_category.LIBCPMTD ref: 00610A2D
                                                      Similarity
                                                      • API ID: std::generic_category
                                                      • String ID: ,a$cookie$cookie
                                                      • API String ID: 2374251199-3958213626
                                                      • Opcode ID: 6d4d5f12f11ebea065cfc337022eb3621561006f08d8a50f41356bfe11c71c52
                                                      • Instruction ID: 0bdc2d6885021183e2d3e65e456cff84dba1bbdb69b71545792ffc28057be62b
                                                      • Opcode Fuzzy Hash: 6d4d5f12f11ebea065cfc337022eb3621561006f08d8a50f41356bfe11c71c52
                                                      • Instruction Fuzzy Hash: F6314C75A002189FCB14DF54D895FAEB7B9FB49310F5005AAE906A7391DB30AE44CFA4
                                                      APIs
                                                      • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 005DE08B
                                                      • UnmapViewOfFile.KERNEL32(00000000,?,?,006F8810,?,Unable to retrieve pointer of the unmapped view!,945323AF), ref: 005DE0DB
                                                      Strings
                                                      • Unable to retrieve pointer of the unmapped view!, xrefs: 005DE09E
                                                      • Unable to read outside of the mapped view!, xrefs: 005DE081
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorFileUnmapView
                                                      • String ID: Unable to read outside of the mapped view!$Unable to retrieve pointer of the unmapped view!
                                                      • API String ID: 1092805491-1890325749
                                                      • Opcode ID: d68d523b68d1e57b1f63580dcbca1711b6ce70709d1aa6ce95fdf8e0c61bbbe5
                                                      • Instruction ID: 4ad3cbf239c24d1ae856bc36878ffcb13347b1dcb90384f240b7ec1a17608de2
                                                      • Opcode Fuzzy Hash: d68d523b68d1e57b1f63580dcbca1711b6ce70709d1aa6ce95fdf8e0c61bbbe5
                                                      • Instruction Fuzzy Hash: 5721B431A00608AFCB20EFA8DC49F9EBBF9FB04700F14856AF41497681DB75B941CB55
                                                      APIs
                                                      • SetLastError.KERNEL32(00000057,?,?,?,?,?,?,?,0062505C,?,00000007), ref: 00648C2B
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0062505C), ref: 00648C84
                                                      Similarity
                                                      • API ID: ErrorLastOpen
                                                      • String ID:
                                                      • API String ID: 3359735512-0
                                                      • Opcode ID: 0e27b52e9fd3b7a8aae0d162d4c744ee490db59aa85a62a2357cf7aec42329d3
                                                      • Instruction ID: f7caab33f42b590599007512f46f169f90d5adf65942e888163f2681c9b41acd
                                                      • Opcode Fuzzy Hash: 0e27b52e9fd3b7a8aae0d162d4c744ee490db59aa85a62a2357cf7aec42329d3
                                                      • Instruction Fuzzy Hash: 8431B170549306AFD710DF24DC85B9FBBE5AF89714F00891EF88893290EB34D548CBA6
                                                      APIs
                                                        • Part of subcall function 005B6D00: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,005CE5E2,00000000,00000000,00000000,00000000,945323AF), ref: 005B6DB6
                                                        • Part of subcall function 005B6D00: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,945323AF,?), ref: 005B6E21
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 005F4BC6
                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 005F4BD9
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 005F4BE3
                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 005F4BF6
                                                      Similarity
                                                      • API ID: ByteCharMultiWide___std_exception_copy___std_exception_destroy
                                                      • String ID:
                                                      • API String ID: 2337458698-0
                                                      • Opcode ID: 6c393d1ed77b4cef212311eec94c65738b87828807f3b62ab38fa1d9def33542
                                                      • Instruction ID: 65b48693106809a67983a431aec5c2f51c6852fbc2567496b576df52b39306a2
                                                      • Opcode Fuzzy Hash: 6c393d1ed77b4cef212311eec94c65738b87828807f3b62ab38fa1d9def33542
                                                      • Instruction Fuzzy Hash: 62319172D0011C9BCF04DFA8DC85AEEBBB9FF45310F10462AF915A7241E734A9448BA5
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(006D59BA,?,?,?,?,?,?,?,?,?,?,?,?,005DC0F8), ref: 005DC2A4
                                                      • HeapAlloc.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,005DC0F8), ref: 005DC2DA
                                                      • asw_process_storage_allocate_connector.SECURITEINFO.COM.TROJAN.SIGGEN29.7508.16428.4641(?,?,?,?,?,?,?,?,?,?,?,005DC0F8), ref: 005DC2EA
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,006F88C4,?,006F88C4), ref: 005DC35B
                                                      Similarity
                                                      • API ID: Heap$AllocCriticalLeaveN29.7508.16428ProcessSectionasw_process_storage_allocate_connector.
                                                      • String ID:
                                                      • API String ID: 747641609-0
                                                      • Opcode ID: bc29629b219ec3e0d5f6349bd7fb3963b903d2cf7425669bb4c1ddbff8021660
                                                      • Instruction ID: 51a79b798558e18ca2f3ddc7240e4bd802b5b7544bd655285c3c0ee46445b4f6
                                                      • Opcode Fuzzy Hash: bc29629b219ec3e0d5f6349bd7fb3963b903d2cf7425669bb4c1ddbff8021660
                                                      • Instruction Fuzzy Hash: FB215E705007069FD724EFA9DC48A6ABBA9FF05310F10C92EE966D3691DB74A844CB94
                                                      APIs
                                                      • GetDC.USER32(?), ref: 0061CA4A
                                                      • SelectObject.GDI32(00000000,?), ref: 0061CA58
                                                      • GetTextExtentPoint32W.GDI32(?,00000000,-00000002,?), ref: 0061CABE
                                                      • ReleaseDC.USER32(?,?), ref: 0061CB00
                                                      Similarity
                                                      • API ID: ExtentObjectPoint32ReleaseSelectText
                                                      • String ID:
                                                      • API String ID: 4006923989-0
                                                      • Opcode ID: bcbe8d8a9288d142bfa75297f7aea6bef3482a51c8d9686b66f3f8bbb95cc88d
                                                      • Instruction ID: 90f93b4c53a4817b4d795accf9c7d95c9973df4bd1ff5c810e6f2f1afc36d1c5
                                                      • Opcode Fuzzy Hash: bcbe8d8a9288d142bfa75297f7aea6bef3482a51c8d9686b66f3f8bbb95cc88d
                                                      • Instruction Fuzzy Hash: EA214F75A002189FCB50EF64DD45EDA77F9FF49710F0481A9E949D7211EA30AE85CFA0
                                                      APIs
                                                      • FindResourceW.KERNEL32(?,?,?), ref: 0062669F
                                                      • LoadResource.KERNEL32(?,00000000), ref: 006266C5
                                                      • LockResource.KERNEL32(00000000), ref: 006266D0
                                                      • SizeofResource.KERNEL32(?,00000000), ref: 006266E1
                                                      Similarity
                                                      • API ID: Resource$FindLoadLockSizeof
                                                      • String ID:
                                                      • API String ID: 3473537107-0
                                                      • Opcode ID: b4bdadf71c05efd5b98326621bbf978eeb3fb19f9a4adc46af0c397cfdf2a15c
                                                      • Instruction ID: e91e23bcb7400b8b6c1d7358ead0569de71bf0c41922b0ec5ef393b0b92c6337
                                                      • Opcode Fuzzy Hash: b4bdadf71c05efd5b98326621bbf978eeb3fb19f9a4adc46af0c397cfdf2a15c
                                                      • Instruction Fuzzy Hash: 812149B0A00A1AAFDB00DF55DD44AAAF7FAFF09304F10852EF85593650DB30AD50CBA0
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 005C81A8
                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 005C81B8
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 005C81C2
                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 005C81D5
                                                      Similarity
                                                      • API ID: ___std_exception_copy___std_exception_destroy
                                                      • String ID:
                                                      • API String ID: 2970364248-0
                                                      • Opcode ID: 0fa8df756f1da1338e56057133ae74f7c53d0b4fcce3d8b1a70ddd04f26c5284
                                                      • Instruction ID: 432051c72c1e2020fd0ad5114f5439ade20cc8879c4edd669941e0a26f52f941
                                                      • Opcode Fuzzy Hash: 0fa8df756f1da1338e56057133ae74f7c53d0b4fcce3d8b1a70ddd04f26c5284
                                                      • Instruction Fuzzy Hash: FB115EB1D0020DABCB00EFA9D8458DEFBBDBF45310B50426EE805E3201EB70A659CBE5
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 005F4B04
                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 005F4B17
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 005F4B21
                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 005F4B34
                                                      Similarity
                                                      • API ID: ___std_exception_copy___std_exception_destroy
                                                      • String ID:
                                                      APIs
                                                      • WriteConsoleW.KERNEL32(00000000,?,00000020,00000000,00000000,?,00696B65,00000000,00000001,00000000,00000000,?,0068B410,00000000,?,00000000), ref: 006986AE
                                                      • GetLastError.KERNEL32(?,00696B65,00000000,00000001,00000000,00000000,?,0068B410,00000000,?,00000000,00000000,00000000,?,0068B9CE,?), ref: 006986BA
                                                        • Part of subcall function 00698680: CloseHandle.KERNEL32(FFFFFFFE,006986CA,?,00696B65,00000000,00000001,00000000,00000000,?,0068B410,00000000,?,00000000,00000000,00000000), ref: 00698690
                                                      • ___initconout.LIBCMT ref: 006986CA
                                                        • Part of subcall function 00698642: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00698671,00696B52,00000000,?,0068B410,00000000,?,00000000,00000000), ref: 00698655
                                                      • WriteConsoleW.KERNEL32(00000000,?,00000020,00000000,?,00696B65,00000000,00000001,00000000,00000000,?,0068B410,00000000,?,00000000,00000000), ref: 006986DF
                                                      Similarity
                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                      • String ID:
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00626B67
                                                      • WaitForSingleObject.KERNEL32(00000000,00002710,?,?,?,?,?,?,?,?,?,?,?,?,00627BF5,945323AF), ref: 00626B7C
                                                      • TerminateThread.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,00627BF5,945323AF), ref: 00626B8E
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00627BF5,945323AF), ref: 00626B97
                                                      Similarity
                                                      • API ID: CloseHandleMessageObjectPostSingleTerminateThreadWait
                                                      • String ID:
                                                      APIs
                                                      • ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 005B4661
                                                        • Part of subcall function 0064C037: MultiByteToWideChar.KERNEL32(?,00000008,?,00000001,?,00000001,?,?,005B4666,000004E4,?,00000001,?,00000001,?,?), ref: 0064C04C
                                                        • Part of subcall function 0064C037: GetLastError.KERNEL32(?,005B4666,000004E4,?,00000001,?,00000001,?,?), ref: 0064C058
                                                      Similarity
                                                      • API ID: ByteCharErrorLastMultiWide___std_fs_convert_narrow_to_wide@20
                                                      • String ID: \u{$\x{
                                                      APIs
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00628427
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_task
                                                      • String ID: $m$hm
                                                      APIs
                                                      • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,000000FF,945323AF,0000000C,0000000C), ref: 005F0911
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,00000100,00000100,00000000), ref: 005F0A42
                                                        • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
                                                      Strings
                                                      • Cannot query registry data due to '{}' value changed too often, xrefs: 005F0B0E
                                                      Similarity
                                                      • API ID: QueryValue$DispatcherExceptionUser
                                                      • String ID: Cannot query registry data due to '{}' value changed too often
                                                      APIs
                                                      • SetEndOfFile.KERNEL32(00000000,Aui,00000000,006977D8,?,?,?,?,?,00698873,00000000,006977D8,00697541,?,00000000,006977D8), ref: 006989D7
                                                      • GetLastError.KERNEL32(?,?,?,?,?,00698873,00000000,006977D8,00697541,?,00000000,006977D8), ref: 006989E4
                                                      Similarity
                                                      • API ID: ErrorFileLast
                                                      • String ID: Aui
                                                      APIs
                                                      • InitOnceBeginInitialize.KERNEL32(00708AD4,00000000,?,00000000,945323AF,00000010,00000010,005B9627,?,00000000,0069CD35,000000FF,?,005DC38C,00000000,00000000), ref: 005DC438
                                                        • Part of subcall function 005DD270: InitializeCriticalSection.KERNEL32(00000028,00000010,000000FF,?,005DC49C), ref: 005DD2F5
                                                      • InitOnceComplete.KERNEL32(00708AD4,00000000,00000000,00708AD4,0000004C), ref: 005DC506
                                                      Strings
                                                      • Singleton already destroyed, xrefs: 005DC584
                                                      Similarity
                                                      • API ID: InitInitializeOnce$BeginCompleteCriticalSection
                                                      • String ID: Singleton already destroyed
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 9Af
                                                      APIs
                                                        • Part of subcall function 005C8160: ___std_exception_copy.LIBVCRUNTIME ref: 005C81A8
                                                        • Part of subcall function 005C8160: ___std_exception_destroy.LIBVCRUNTIME ref: 005C81B8
                                                        • Part of subcall function 005C8160: ___std_exception_copy.LIBVCRUNTIME ref: 005C81C2
                                                        • Part of subcall function 005C8160: ___std_exception_destroy.LIBVCRUNTIME ref: 005C81D5
                                                      • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 005EEF53
                                                      • GetLastError.KERNEL32 ref: 005EEF5D
                                                      Strings
                                                      • Unable to retrieve a path of the known folder ({})!, xrefs: 005EEF99
                                                      Similarity
                                                      • API ID: ___std_exception_copy___std_exception_destroy$EnvironmentErrorExpandLastStrings
                                                      • String ID: Unable to retrieve a path of the known folder ({})!
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,00000001,00000005,00000000,00000003,08000000,00000000,945323AF,945323AF,945323AF,006A507E,000000FF), ref: 0063A111
                                                      • GetLastError.KERNEL32 ref: 0063A148
                                                      Strings
                                                      • Unable to open file '{}'!, xrefs: 0063A154
                                                      Similarity
                                                      • API ID: CreateErrorFileLast
                                                      • String ID: Unable to open file '{}'!
                                                      APIs
                                                      • SetLastError.KERNEL32(00000000,?,945323AF,?,00000001,0000000D,945323AF), ref: 005D60C4
                                                        • Part of subcall function 0064D907: AcquireSRWLockExclusive.KERNEL32(00706D3C,?,?,?,005B7BE1,00707650,945323AF,00000000,0069AB01,000000FF,?,005EF6AE,\Device\LanmanRedirector\,00000019,945323AF), ref: 0064D912
                                                        • Part of subcall function 0064D907: ReleaseSRWLockExclusive.KERNEL32(00706D3C,?,?,?,005B7BE1,00707650,945323AF,00000000,0069AB01,000000FF,?,005EF6AE,\Device\LanmanRedirector\,00000019,945323AF), ref: 0064D94C
                                                      • RtlNtStatusToDosError.NTDLL ref: 005D60BD
                                                        • Part of subcall function 005D8D00: GetModuleHandleW.KERNEL32 ref: 005D8D24
                                                        • Part of subcall function 005D8D00: GetProcAddress.KERNEL32(00000000,NtSetInformationFile), ref: 005D8D34
                                                        • Part of subcall function 0064D8B6: AcquireSRWLockExclusive.KERNEL32(00706D3C,?,?,005B7C08,00707650), ref: 0064D8C0
                                                        • Part of subcall function 0064D8B6: ReleaseSRWLockExclusive.KERNEL32(00706D3C,?,005B7C08,00707650), ref: 0064D8F3
                                                        • Part of subcall function 0064D8B6: WakeAllConditionVariable.KERNEL32(00706D38,?,005B7C08,00707650), ref: 0064D8FE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ExclusiveLock$AcquireErrorRelease$AddressConditionHandleLastModuleProcStatusVariableWake
                                                      • String ID: NtSetInformationFile
                                                      • API String ID: 515452689-1659534519
                                                      • Opcode ID: 539f4900d7a2130ba8400cee0e6ccf2b86c2ef427cfba5b82fad19bae2d7e4d3
                                                      • Instruction ID: 0f5d1290b5c477326a7fe7fffa71268d4f484ff9cc14fb8ecab4935c163a4dc4
                                                      • Opcode Fuzzy Hash: 539f4900d7a2130ba8400cee0e6ccf2b86c2ef427cfba5b82fad19bae2d7e4d3
                                                      • Instruction Fuzzy Hash: C521F2B1B04209DFCB50DF68DC55BAABBA9FB08720F00422BE811D37C1DF3869018B99
                                                      APIs
                                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 005E6695
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: Ios_base_dtorstd::ios_base::_
                                                      • String ID: `{m$h{m
                                                      • API String ID: 323602529-2160181836
                                                      • Opcode ID: a66a911410f0dcb5ba1d3661f2f8d266e188c547e5809a51ccfaf0eda371101f
                                                      • Instruction ID: f74390d78cff9f777fd34f14a17e158181363987a5e5dfce79e1e393c1a36479
                                                      • Opcode Fuzzy Hash: a66a911410f0dcb5ba1d3661f2f8d266e188c547e5809a51ccfaf0eda371101f
                                                      • Instruction Fuzzy Hash: A021B374A0828A8FC720CF19C584E59FBE5FB19718F2585AEE8598B351E771E905CF80
                                                      APIs
                                                      • GetFileAttributesExW.KERNEL32(?,00000000,?,?), ref: 005ECAB9
                                                      • GetLastError.KERNEL32(?,00000000,?,?), ref: 005ECADB
                                                        • Part of subcall function 00669660: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,005C838C,?,?,?,?,005C838C,945323AF,006F87D4,945323AF), ref: 006696C0
                                                      Strings
                                                      • Unable to get size of file '{}'!, xrefs: 005ECAE4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AttributesDispatcherErrorExceptionFileLastUser
                                                      • String ID: Unable to get size of file '{}'!
                                                      • API String ID: 907581484-2221600392
                                                      • Opcode ID: bd2d6c72a5323a89f759f76567c80ea266844ae92d2603bc4d59fefd93018bd7
                                                      • Instruction ID: 1289c52710c58f53f641f17a7e5353574a11a8fe261b0bcaef59b7a8a074d6e5
                                                      • Opcode Fuzzy Hash: bd2d6c72a5323a89f759f76567c80ea266844ae92d2603bc4d59fefd93018bd7
                                                      • Instruction Fuzzy Hash: F5F08171604308AFC314EF65DC4AE6BBBE9AB45710F40092EB99183291EA70E905CBD6
                                                      APIs
                                                      • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0064A158
                                                      • GetSystemInfo.KERNEL32(?), ref: 0064A173
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: InfoQuerySystemVirtual
                                                      • String ID: D
                                                      • API String ID: 401686933-2746444292
                                                      • Opcode ID: 65cb05298bdfc3c5e2c12ea22c80dbb543f4f624fe8c26430ab75762d1421b04
                                                      • Instruction ID: 7daffddb7be5aaebd0dd203d5d8a9732696441c65a65c53de62b0741a679bcaf
                                                      • Opcode Fuzzy Hash: 65cb05298bdfc3c5e2c12ea22c80dbb543f4f624fe8c26430ab75762d1421b04
                                                      • Instruction Fuzzy Hash: 2D01F7726401096BDB14DE69DC05BEE7BABAFC5324F0CC221ED59DB340D634ED05CA80
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,asw_process_storage_deallocate_connector), ref: 005A8727
                                                      • GetProcAddress.KERNEL32(00000000), ref: 005A872E
                                                      Strings
                                                      • asw_process_storage_deallocate_connector, xrefs: 005A8720
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: AddressHandleModuleProc
                                                      • String ID: asw_process_storage_deallocate_connector
                                                      • API String ID: 1646373207-2412585098
                                                      • Opcode ID: ba409b651884e59307b5cf4532a98d15f12de930b42e58b83c0006b0138aeb4e
                                                      • Instruction ID: a120cf7593ef3bb682162ad1c476772c8358ada74d74dcafb1b5270aae63f6e5
                                                      • Opcode Fuzzy Hash: ba409b651884e59307b5cf4532a98d15f12de930b42e58b83c0006b0138aeb4e
                                                      • Instruction Fuzzy Hash: C5B092B2A492019FC7402BB0AC0DB047A66BB46742F059046F905C16A0DE7412009F1A
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2891991220.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: ba4c3f5f90ce2b345766bf15b874b0eabc23caff42bd8ec0657efbb8117c38b6
                                                      • Instruction ID: f88e547fd88479604d1e282a5d7871c7bbc7d0a17b7b34c185faf85bb7d90c8b
                                                      • Opcode Fuzzy Hash: ba4c3f5f90ce2b345766bf15b874b0eabc23caff42bd8ec0657efbb8117c38b6
                                                      • Instruction Fuzzy Hash: FA419A72D0062A9BDB10DFA4E848BAFBBB6FF45710F114519E815AB341DB34AA41CFE1