Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
External.exe

Overview

General Information

Sample name:External.exe
Analysis ID:1505583
MD5:7b9641ed9ec61b9373a59bf5a2f03d72
SHA1:68b9c7560f8c2a907fb7b917fce027a206084550
SHA256:a67d7bad3484883985727a2dcb0d586104ba10c3eed594a878c2fb1f8db92536
Tags:exe
Infos:

Detection

Ades Stealer, BlackGuard, VEGA Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected Ades Stealer
Yara detected BlackGuard
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected VEGA Stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • External.exe (PID: 5580 cmdline: "C:\Users\user\Desktop\External.exe" MD5: 7B9641ED9EC61B9373A59BF5A2F03D72)
    • windows.exe (PID: 2124 cmdline: "C:\Users\user\AppData\Local\Temp\windows.exe" MD5: CFCF2DF87DD10EDFF1E1B2BE2E811236)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
BlackGuardAccording to Zscaler, BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Temp\windows.exeJoeSecurity_TelegramReconYara detected Telegram ReconJoe Security
    C:\Users\user\AppData\Local\Temp\windows.exeJoeSecurity_BlackGuardYara detected BlackGuardJoe Security
      C:\Users\user\AppData\Local\Temp\windows.exeJoeSecurity_VEGAStealerYara detected VEGA StealerJoe Security
        C:\Users\user\AppData\Local\Temp\windows.exeJoeSecurity_AdesStealerYara detected Ades StealerJoe Security
          C:\Users\user\AppData\Local\Temp\windows.exeJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 5 entries

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            00000002.00000002.2095840397.000002A58565B000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              00000002.00000002.2095840397.000002A58565B000.00000004.00000800.00020000.00000000.sdmpINDICATOR_SUSPICIOUS_EXE_Discord_RegexDetects executables referencing Discord tokens regular expressionsditekSHen
              • 0x18454:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
              00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmpJoeSecurity_BlackGuardYara detected BlackGuardJoe Security
                00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmpJoeSecurity_VEGAStealerYara detected VEGA StealerJoe Security
                  00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmpJoeSecurity_AdesStealerYara detected Ades StealerJoe Security
                    Click to see the 19 entries

                    Unpacked PEs

                    SourceRuleDescriptionAuthorStrings
                    2.0.windows.exe.2a583810000.0.unpackJoeSecurity_BlackGuardYara detected BlackGuardJoe Security
                      2.0.windows.exe.2a583810000.0.unpackJoeSecurity_VEGAStealerYara detected VEGA StealerJoe Security
                        2.0.windows.exe.2a583810000.0.unpackJoeSecurity_AdesStealerYara detected Ades StealerJoe Security
                          2.0.windows.exe.2a583810000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                            2.0.windows.exe.2a583810000.0.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                              Click to see the 4 entries

                              Sigma Signatures

                              System Summary

                              barindex
                              Sigma detected: Startup Folder File Write
                              Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\External.exe, ProcessId: 5580, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

                              Suricata Signatures

                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2024-09-06T14:34:02.550556+020028033053Unknown Traffic192.168.2.549708208.95.112.180TCP
                              2024-09-06T14:34:03.347322+020028033053Unknown Traffic192.168.2.549709208.95.112.180TCP

                              Joe Sandbox Signatures

                              Click to jump to signature section

                              Show All Signature Results

                              AV Detection

                              barindex
                              Antivirus / Scanner detection for submitted sample
                              Source: External.exeAvira: detected
                              Antivirus detection for dropped file
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeAvira: detection malicious, Label: TR/AD.GenSteal.apiqi
                              Multi AV Scanner detection for dropped file
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeReversingLabs: Detection: 65%
                              Yara detected BlackGuard
                              Source: Yara matchFile source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED
                              AI detected suspicious sample
                              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                              Machine Learning detection for dropped file
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeJoe Sandbox ML: detected
                              Machine Learning detection for sample
                              Source: External.exeJoe Sandbox ML: detected

                              Location Tracking

                              barindex
                              Tries to detect the country of the analysis system (by using the IP)
                              Source: unknownDNS query: name: freegeoip.app
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32D9030 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,2_2_00007FF8A32D9030
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32D8FF0 CryptReleaseContext,2_2_00007FF8A32D8FF0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32D8DD0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,2_2_00007FF8A32D8DD0
                              Source: External.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49704 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.5:49707 version: TLS 1.2
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095674922.000002A585512000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.0.dr
                              Source: Binary string: .Inter@op.pdbe source: External.exe, 00000000.00000003.2034661692.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095674922.000002A585512000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.0.dr
                              Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2112625869.000002A59E492000.00000002.00000001.01000000.0000000A.sdmp, System.Data.SQLite.dll.0.dr
                              Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2015\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmp, SQLite.Interop.dll.0.dr
                              Source: Binary string: pto.pdb source: External.exe, 00000000.00000003.2032078044.0000000002984000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: BouncyCastle.Crypto.pdb source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2113672550.000002A59F582000.00000002.00000001.01000000.0000000B.sdmp, BouncyCastle.Crypto.dll.0.dr
                              Source: Binary string: 2024\SHARP\obj\Release\sharp_build.pdb source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.dr
                              Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2113672550.000002A59F582000.00000002.00000001.01000000.0000000B.sdmp, BouncyCastle.Crypto.dll.0.dr
                              Source: Binary string: Crypto.pdb source: External.exe, 00000000.00000003.2032078044.0000000002984000.00000004.00000020.00020000.00000000.sdmp
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32D1DC0 FindFirstFileExA,2_2_00007FF8A32D1DC0
                              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com
                              Source: global trafficHTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /json/8.46.123.33 HTTP/1.1Host: ip-api.com
                              Source: global trafficHTTP traffic detected: GET /json/8.46.123.33 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                              Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                              Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                              Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                              Source: unknownDNS query: name: api.ipify.org
                              Source: unknownDNS query: name: api.ipify.org
                              Source: unknownDNS query: name: ip-api.com
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49709 -> 208.95.112.1:80
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 208.95.112.1:80
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com
                              Source: global trafficHTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /json/8.46.123.33 HTTP/1.1Host: ip-api.com
                              Source: global trafficHTTP traffic detected: GET /json/8.46.123.33 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                              Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                              Source: global trafficDNS traffic detected: DNS query: freegeoip.app
                              Source: global trafficDNS traffic detected: DNS query: ip-api.com
                              Source: global trafficDNS traffic detected: DNS query: ipbase.com
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 06 Sep 2024 12:34:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeAge: 23011Cache-Control: public,max-age=0,must-revalidateCache-Status: "Netlify Edge"; hitVary: Accept-EncodingX-Nf-Request-Id: 01J73N7GWZFYP5KNG170E4X5GVCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i2yrX%2B5n6UR9kdGMCi4AF12payaGG%2FA%2Fc4VQmUoZDEY0Qayg9xesyFHNxZDLLy8%2Fph1xhuGVOuiCtIY%2Ffjf%2F8TuB2qUtJU2SrPM6zckIbb7PojDSEgByCE5kTe0m"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8bee7da5aaed435b-EWRalt-svc: h3=":443"; ma=86400
                              Source: External.exe, 00000000.00000003.2034378462.000000000098A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.di
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                              Source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
                              Source: cert9.db.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                              Source: cert9.db.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                              Source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                              Source: cert9.db.2.drString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                              Source: External.exe, 00000000.00000003.2034661692.0000000002E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                              Source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                              Source: cert9.db.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                              Source: cert9.db.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                              Source: System.Data.SQLite.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
                              Source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.drString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                              Source: cert9.db.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
                              Source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                              Source: cert9.db.2.drString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                              Source: windows.exe, 00000002.00000002.2095840397.000002A5859B5000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095840397.000002A585685000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe, 00000002.00000002.2095840397.000002A5856F9000.00000004.00000800.00020000.00000000.sdmp, windows.exe.0.drString found in binary or memory: http://ip-api.com/json/
                              Source: windows.exe, 00000002.00000002.2095840397.000002A5856F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/8.46.123.33
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095840397.000002A585601000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe, 00000002.00000002.2095840397.000002A5859B5000.00000004.00000800.00020000.00000000.sdmp, windows.exe.0.drString found in binary or memory: http://ip-api.com/xml
                              Source: Newtonsoft.Json.dll.0.drString found in binary or memory: http://james.newtonking.com/projects/json
                              Source: External.exe, 00000000.00000003.2035717561.0000000000996000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicer
                              Source: External.exe, 00000000.00000003.2034378462.000000000098A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.
                              Source: External.exe, 00000000.00000003.2035717561.0000000000996000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.c
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, cert9.db.2.dr, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.drString found in binary or memory: http://ocsp.digicert.com0
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.drString found in binary or memory: http://ocsp.digicert.com0A
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.dr, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://ocsp.digicert.com0H
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://ocsp.digicert.com0I
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://ocsp.digicert.com0O
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.drString found in binary or memory: http://ocsp.digicert.com0X
                              Source: cert9.db.2.drString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                              Source: windows.exe, 00000002.00000002.2095840397.000002A585601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.dr, SQLite.Interop.dll.0.dr, System.Data.SQLite.dll.0.dr, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://www.digicert.com/CPS0
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                              Source: cert9.db.2.drString found in binary or memory: http://x1.c.lencr.org/0
                              Source: cert9.db.2.drString found in binary or memory: http://x1.i.lencr.org/0
                              Source: tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                              Source: windows.exe, 00000002.00000002.2095840397.000002A585653000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125
                              Source: windows.exe, 00000002.00000002.2095840397.000002A585601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.drString found in binary or memory: https://api.ipify.org/1------------------------
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095840397.000002A585601000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.drString found in binary or memory: https://api.telegram.org/bot
                              Source: windows.exe, 00000002.00000002.2095840397.000002A585601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.vimeworld.ru/user/name/
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.drString found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
                              Source: tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                              Source: tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                              Source: tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                              Source: windows.exe.0.drString found in binary or memory: https://discord.com/api/v10/users/
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.drString found in binary or memory: https://discordapp.com/api/v9/users/
                              Source: tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                              Source: tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                              Source: tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                              Source: windows.exe, 00000002.00000002.2095840397.000002A585601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://freegeoip.app/xml/
                              Source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095674922.000002A585512000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.0.drString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: https://github.com/novotnyllc/bc-csharp
                              Source: windows.exe, 00000002.00000002.2095840397.000002A585657000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipbase.com/xml/
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.drString found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
                              Source: tmp3543.tmp.tmpdb.2.drString found in binary or memory: https://support.mozilla.org
                              Source: tmp3543.tmp.tmpdb.2.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                              Source: tmp3543.tmp.tmpdb.2.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                              Source: System.Data.SQLite.dll.0.drString found in binary or memory: https://system.data.sqlite.org/
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2112932662.000002A59E4F2000.00000002.00000001.01000000.0000000A.sdmp, System.Data.SQLite.dll.0.drString found in binary or memory: https://system.data.sqlite.org/X
                              Source: windows.exe.0.dr, Information.txt.2.drString found in binary or memory: https://t.me/VegaStealer_shop_bot
                              Source: System.Data.SQLite.dll.0.drString found in binary or memory: https://urn.to/r/sds_see
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drString found in binary or memory: https://www.digicert.com/CPS0
                              Source: tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drString found in binary or memory: https://www.ecosia.org/newtab/
                              Source: tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                              Source: tmp3543.tmp.tmpdb.2.drString found in binary or memory: https://www.mozilla.org
                              Source: tmp3543.tmp.tmpdb.2.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                              Source: tmp3543.tmp.tmpdb.2.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                              Source: windows.exe, 00000002.00000002.2098662351.000002A596333000.00000004.00000800.00020000.00000000.sdmp, tmpE579.tmp.tmpdb.2.dr, tmp3543.tmp.tmpdb.2.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                              Source: tmp3543.tmp.tmpdb.2.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                              Source: windows.exe, 00000002.00000002.2098662351.000002A596333000.00000004.00000800.00020000.00000000.sdmp, tmpE579.tmp.tmpdb.2.dr, tmp3543.tmp.tmpdb.2.drString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                              Source: windows.exe, 00000002.00000002.2098662351.000002A596333000.00000004.00000800.00020000.00000000.sdmp, tmpE579.tmp.tmpdb.2.dr, tmp3543.tmp.tmpdb.2.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                              Source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.drString found in binary or memory: https://www.newtonsoft.com/json
                              Source: Newtonsoft.Json.dll.0.drString found in binary or memory: https://www.newtonsoft.com/jsonschema
                              Source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095674922.000002A585512000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.0.drString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                              Source: windows.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                              Source: External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmp, SQLite.Interop.dll.0.drString found in binary or memory: https://www.sqlite.org/copyright.html2
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                              Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49704 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.5:49707 version: TLS 1.2

                              E-Banking Fraud

                              barindex
                              Yara detected BlackGuard
                              Source: Yara matchFile source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED

                              System Summary

                              barindex
                              Malicious sample detected (through community Yara rule)
                              Source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                              Source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                              Source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                              Source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPEMatched rule: Detects A310Logger Author: ditekSHen
                              Source: 00000002.00000002.2095840397.000002A58565B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                              Source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                              Source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                              Source: Process Memory Space: External.exe PID: 5580, type: MEMORYSTRMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                              Source: Process Memory Space: windows.exe PID: 2124, type: MEMORYSTRMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPEDMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPEDMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPEDMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPEDMatched rule: Detects A310Logger Author: ditekSHen
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33FE9502_2_00007FF8A33FE950
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A334F3502_2_00007FF8A334F350
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33F51002_2_00007FF8A33F5100
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32E64202_2_00007FF8A32E6420
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A330C4702_2_00007FF8A330C470
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32CC4502_2_00007FF8A32CC450
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32E44502_2_00007FF8A32E4450
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33D24802_2_00007FF8A33D2480
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32C84E82_2_00007FF8A32C84E8
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A332E3702_2_00007FF8A332E370
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33143002_2_00007FF8A3314300
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32E28A02_2_00007FF8A32E28A0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33A68E02_2_00007FF8A33A68E0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33027C02_2_00007FF8A33027C0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33226A02_2_00007FF8A33226A0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32C45002_2_00007FF8A32C4500
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33405B02_2_00007FF8A33405B0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A330ECC02_2_00007FF8A330ECC0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33ACCE02_2_00007FF8A33ACCE0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A3342CB02_2_00007FF8A3342CB0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33AAB102_2_00007FF8A33AAB10
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32F0BA02_2_00007FF8A32F0BA0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A331CAD02_2_00007FF8A331CAD0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A3324AE02_2_00007FF8A3324AE0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32EA9702_2_00007FF8A32EA970
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A334A9102_2_00007FF8A334A910
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32D49502_2_00007FF8A32D4950
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33F09302_2_00007FF8A33F0930
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32DC9B02_2_00007FF8A32DC9B0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A340E9D02_2_00007FF8A340E9D0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A330E9E02_2_00007FF8A330E9E0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A330C9F02_2_00007FF8A330C9F0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33389802_2_00007FF8A3338980
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A336F0502_2_00007FF8A336F050
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32D4E202_2_00007FF8A32D4E20
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33FAE502_2_00007FF8A33FAE50
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32CCE402_2_00007FF8A32CCE40
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A3332E902_2_00007FF8A3332E90
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33234502_2_00007FF8A3323450
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A337D4E02_2_00007FF8A337D4E0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33A54F02_2_00007FF8A33A54F0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33614802_2_00007FF8A3361480
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33F34902_2_00007FF8A33F3490
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33114A02_2_00007FF8A33114A0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32CF2F82_2_00007FF8A32CF2F8
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32C73902_2_00007FF8A32C7390
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33153E02_2_00007FF8A33153E0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33373802_2_00007FF8A3337380
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33133902_2_00007FF8A3313390
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32ED2202_2_00007FF8A32ED220
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33B52C02_2_00007FF8A33B52C0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A332F2D62_2_00007FF8A332F2D6
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A337D1402_2_00007FF8A337D140
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32D98502_2_00007FF8A32D9850
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A330B8F02_2_00007FF8A330B8F0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A332B7802_2_00007FF8A332B780
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32D37D82_2_00007FF8A32D37D8
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32FD6202_2_00007FF8A32FD620
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A330D6C02_2_00007FF8A330D6C0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32F16A02_2_00007FF8A32F16A0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A332F6802_2_00007FF8A332F680
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A332553A2_2_00007FF8A332553A
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A340F5002_2_00007FF8A340F500
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33FB5202_2_00007FF8A33FB520
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32F95902_2_00007FF8A32F9590
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33DF5802_2_00007FF8A33DF580
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A334FB602_2_00007FF8A334FB60
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32D1BB42_2_00007FF8A32D1BB4
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A3323BA02_2_00007FF8A3323BA0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32F7A202_2_00007FF8A32F7A20
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32FDAE02_2_00007FF8A32FDAE0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32EF9302_2_00007FF8A32EF930
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A339F9602_2_00007FF8A339F960
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32C59542_2_00007FF8A32C5954
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32E19A02_2_00007FF8A32E19A0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32C999C2_2_00007FF8A32C999C
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33479F02_2_00007FF8A33479F0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32DA0302_2_00007FF8A32DA030
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32DC0302_2_00007FF8A32DC030
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33480702_2_00007FF8A3348070
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A339E0302_2_00007FF8A339E030
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A332A0B02_2_00007FF8A332A0B0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A33440B02_2_00007FF8A33440B0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A3335F102_2_00007FF8A3335F10
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32FFE502_2_00007FF8A32FFE50
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A3401D802_2_00007FF8A3401D80
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E63A512_2_00007FF848E63A51
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E56B262_2_00007FF848E56B26
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E62D582_2_00007FF848E62D58
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E58D4C2_2_00007FF848E58D4C
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E51E112_2_00007FF848E51E11
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E7433B2_2_00007FF848E7433B
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E514652_2_00007FF848E51465
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E578D22_2_00007FF848E578D2
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E60D6D2_2_00007FF848E60D6D
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E5031D2_2_00007FF848E5031D
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF84911E8502_2_00007FF84911E850
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8491100802_2_00007FF849110080
                              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll E51721DC0647F4838B1ABC592BD95FD8CB924716E8A64F83D4B947821FA1FA42
                              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: String function: 00007FF8A340E350 appears 93 times
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: String function: 00007FF8A340F9F0 appears 114 times
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: String function: 00007FF8A340F830 appears 234 times
                              Source: External.exe, 00000000.00000002.2038222465.0000000000994000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesharp_build.exe0 vs External.exe
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBouncyCastle.Crypto.dll\ vs External.exe
                              Source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Data.SQLite.dllF vs External.exe
                              Source: External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSQLite.Interop.dllF vs External.exe
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesharp_build.exe0 vs External.exe
                              Source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs External.exe
                              Source: External.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              Source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                              Source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                              Source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                              Source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
                              Source: 00000002.00000002.2095840397.000002A58565B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                              Source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                              Source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                              Source: Process Memory Space: External.exe PID: 5580, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                              Source: Process Memory Space: windows.exe PID: 2124, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPEDMatched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
                              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/60@4/4
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile created: C:\Users\Public\v6zchhhv.default-releaseJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeMutant created: NULL
                              Source: C:\Users\user\Desktop\External.exeFile created: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dllJump to behavior
                              Source: External.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Users\user\Desktop\External.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                              Source: C:\Users\user\Desktop\External.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                              Source: External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmp, SQLite.Interop.dll.0.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                              Source: External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, windows.exe, windows.exe, 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmp, SQLite.Interop.dll.0.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                              Source: External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, windows.exe, windows.exe, 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmp, SQLite.Interop.dll.0.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                              Source: External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, windows.exe, windows.exe, 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmp, SQLite.Interop.dll.0.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                              Source: External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, windows.exe, windows.exe, 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmp, SQLite.Interop.dll.0.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                              Source: External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, windows.exe, windows.exe, 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmp, SQLite.Interop.dll.0.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                              Source: tmpE657.tmp.dat.2.dr, 0802e777-ffcd-4f89-9714-685e3389c209.2.dr, 9ded605c-9d28-499a-b3b4-287f6b8e9c6f.2.dr, tmpDCA.tmp.dat.2.dr, tmp5BCC.tmp.dat.2.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                              Source: External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, windows.exe, windows.exe, 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmp, SQLite.Interop.dll.0.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                              Source: unknownProcess created: C:\Users\user\Desktop\External.exe "C:\Users\user\Desktop\External.exe"
                              Source: C:\Users\user\Desktop\External.exeProcess created: C:\Users\user\AppData\Local\Temp\windows.exe "C:\Users\user\AppData\Local\Temp\windows.exe"
                              Source: C:\Users\user\Desktop\External.exeProcess created: C:\Users\user\AppData\Local\Temp\windows.exe "C:\Users\user\AppData\Local\Temp\windows.exe" Jump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: version.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: rasapi32.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: rasman.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: rtutils.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: dhcpcsvc6.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: dhcpcsvc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: secur32.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: schannel.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: mskeyprotect.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: ncryptsslp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeSection loaded: windowscodecs.dllJump to behavior
                              Source: C:\Users\user\Desktop\External.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                              Source: Window RecorderWindow detected: More than 3 window changes detected
                              Source: External.exeStatic file information: File size 4252160 > 1048576
                              Source: External.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x40c400
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095674922.000002A585512000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.0.dr
                              Source: Binary string: .Inter@op.pdbe source: External.exe, 00000000.00000003.2034661692.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: External.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095674922.000002A585512000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.0.dr
                              Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: External.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2112625869.000002A59E492000.00000002.00000001.01000000.0000000A.sdmp, System.Data.SQLite.dll.0.dr
                              Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2015\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmp, SQLite.Interop.dll.0.dr
                              Source: Binary string: pto.pdb source: External.exe, 00000000.00000003.2032078044.0000000002984000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: BouncyCastle.Crypto.pdb source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2113672550.000002A59F582000.00000002.00000001.01000000.0000000B.sdmp, BouncyCastle.Crypto.dll.0.dr
                              Source: Binary string: 2024\SHARP\obj\Release\sharp_build.pdb source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.dr
                              Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2113672550.000002A59F582000.00000002.00000001.01000000.0000000B.sdmp, BouncyCastle.Crypto.dll.0.dr
                              Source: Binary string: Crypto.pdb source: External.exe, 00000000.00000003.2032078044.0000000002984000.00000004.00000020.00020000.00000000.sdmp
                              Source: BouncyCastle.Crypto.dll.0.drStatic PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32EC7E1 push r8; ret 2_2_00007FF8A32EC7E3
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32C38FD push rdi; ret 2_2_00007FF8A32C3904
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32C3E97 push rdi; ret 2_2_00007FF8A32C3EA2
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E62D58 pushad ; retf 5F54h2_2_00007FF848E6D8ED
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E648C5 push eax; ret 2_2_00007FF848E6F1E4
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E6494D push eax; ret 2_2_00007FF848E6F1E4
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E75BAD push ebx; retn 0009h2_2_00007FF848E75B8A
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E75CED push ebx; retf 0009h2_2_00007FF848E75CFA
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E50DE8 push ebx; ret 2_2_00007FF848E50E0A
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E50DF0 push ebx; ret 2_2_00007FF848E50E0A
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E6FE01 push eax; ret 2_2_00007FF848E6FE24
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E7517C push eax; ret 2_2_00007FF848E75194
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E5021D push E95D9098h; ret 2_2_00007FF848E50259
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF848E65338 push eax; ret 2_2_00007FF848E6F1E4
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF849116291 push cs; retn 5F23h2_2_00007FF84911631F
                              Source: C:\Users\user\Desktop\External.exeFile created: C:\Users\user\AppData\Local\Temp\SQLite.Interop.dllJump to dropped file
                              Source: C:\Users\user\Desktop\External.exeFile created: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dllJump to dropped file
                              Source: C:\Users\user\Desktop\External.exeFile created: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Users\user\Desktop\External.exeFile created: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dllJump to dropped file
                              Source: C:\Users\user\Desktop\External.exeFile created: C:\Users\user\AppData\Local\Temp\windows.exeJump to dropped file
                              Source: C:\Users\user\Desktop\External.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                              Malware Analysis System Evasion

                              barindex
                              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                              Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_LogicalDisk
                              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeMemory allocated: 2A583BB0000 memory reserve | memory write watchJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeMemory allocated: 2A59D600000 memory reserve | memory write watchJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 600000Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599844Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599712Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599588Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599465Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599217Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599090Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598969Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598859Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598750Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598640Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598531Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598421Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598297Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598187Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598078Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597968Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597859Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597750Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597640Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597531Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597420Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597310Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597187Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597078Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596968Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596859Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596750Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596619Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596500Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596390Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596281Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596172Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596062Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 595953Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 595843Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWindow / User API: threadDelayed 1884Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWindow / User API: threadDelayed 5124Jump to behavior
                              Source: C:\Users\user\Desktop\External.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\SQLite.Interop.dllJump to dropped file
                              Source: C:\Users\user\Desktop\External.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Users\user\Desktop\External.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dllJump to dropped file
                              Source: C:\Users\user\Desktop\External.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeAPI coverage: 0.4 %
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -19369081277395017s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -600000s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -599844s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -599712s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -599588s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -599465s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -599217s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -599090s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -598969s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -598859s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -598750s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -598640s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -598531s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -598421s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -598297s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -598187s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -598078s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -597968s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -597859s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -597750s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -597640s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -597531s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -597420s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -597310s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -597187s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -597078s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -596968s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -596859s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -596750s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -596619s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -596500s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -596390s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -596281s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -596172s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -596062s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -595953s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6552Thread sleep time: -595843s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 7120Thread sleep time: -30000s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exe TID: 6408Thread sleep time: -922337203685477s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32D1DC0 FindFirstFileExA,2_2_00007FF8A32D1DC0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 600000Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599844Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599712Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599588Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599465Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599217Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 599090Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598969Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598859Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598750Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598640Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598531Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598421Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598297Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598187Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 598078Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597968Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597859Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597750Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597640Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597531Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597420Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597310Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597187Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 597078Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596968Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596859Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596750Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596619Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596500Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596390Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596281Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596172Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 596062Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 595953Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 595843Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: discord.comVMware20,11696428655f
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: global block list test formVMware20,11696428655
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: outlook.office.comVMware20,11696428655s
                              Source: windows.exe, 00000002.00000002.2095278378.000002A583AA2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllii
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: AMC password management pageVMware20,11696428655
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: tasks.office.comVMware20,11696428655o
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: dev.azure.comVMware20,11696428655j
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                              Source: tmp3532.tmp.dat.2.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                              Source: C:\Users\user\Desktop\External.exeAPI call chain: ExitProcess graph end nodegraph_0-13
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess information queried: ProcessInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32CD4D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8A32CD4D8
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A330ECC0 OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,GetEnvironmentVariableW,SetEnvironmentVariableW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,OutputDebugStringA,2_2_00007FF8A330ECC0
                              Source: C:\Users\user\Desktop\External.exeCode function: 0_2_00401AE1 GetCommandLineA,GetModuleHandleA,GetProcessHeap,ExitProcess,PathFindFileNameA,0_2_00401AE1
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeProcess token adjusted: DebugJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32CD4D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8A32CD4D8
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32C1214 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8A32C1214
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32C1D14 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8A32C1D14
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeMemory allocated: page read and write | page guardJump to behavior
                              Source: C:\Users\user\Desktop\External.exeProcess created: C:\Users\user\AppData\Local\Temp\windows.exe "C:\Users\user\AppData\Local\Temp\windows.exe" Jump to behavior

                              Language, Device and Operating System Detection

                              barindex
                              Yara detected Telegram Recon
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32CCDD0 cpuid 2_2_00007FF8A32CCDD0
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Users\user\AppData\Local\Temp\windows.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32C1C18 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_00007FF8A32C1C18
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A32CF2F8 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,2_2_00007FF8A32CF2F8
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                              Stealing of Sensitive Information

                              barindex
                              Yara detected Ades Stealer
                              Source: Yara matchFile source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: External.exe PID: 5580, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: windows.exe PID: 2124, type: MEMORYSTR
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED
                              Yara detected BlackGuard
                              Source: Yara matchFile source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED
                              Yara detected Telegram RAT
                              Source: Yara matchFile source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: External.exe PID: 5580, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: windows.exe PID: 2124, type: MEMORYSTR
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED
                              Yara detected VEGA Stealer
                              Source: Yara matchFile source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: External.exe PID: 5580, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: windows.exe PID: 2124, type: MEMORYSTR
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED
                              Found many strings related to Crypto-Wallets (likely being stolen)
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Electrum
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: JaxxDir
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ExodusDir
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Ethereum
                              Source: External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
                              Source: External.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: [Org.BouncyCastle.Pkcs12.IgnoreUselessPasswordtrueqpassword supplied for keystore that does not require one
                              Tries to harvest and steal browser information (history, passwords, etc)
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.dbJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.logJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.logJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                              Tries to steal Crypto Currency Wallets
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\Jump to behavior
                              Source: Yara matchFile source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000002.2095840397.000002A58565B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: External.exe PID: 5580, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: windows.exe PID: 2124, type: MEMORYSTR
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED

                              Remote Access Functionality

                              barindex
                              Yara detected Ades Stealer
                              Source: Yara matchFile source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: External.exe PID: 5580, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: windows.exe PID: 2124, type: MEMORYSTR
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED
                              Yara detected BlackGuard
                              Source: Yara matchFile source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED
                              Yara detected Telegram RAT
                              Source: Yara matchFile source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: External.exe PID: 5580, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: windows.exe PID: 2124, type: MEMORYSTR
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED
                              Yara detected VEGA Stealer
                              Source: Yara matchFile source: 2.0.windows.exe.2a583810000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: External.exe PID: 5580, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: windows.exe PID: 2124, type: MEMORYSTR
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windows.exe, type: DROPPED
                              Source: C:\Users\user\AppData\Local\Temp\windows.exeCode function: 2_2_00007FF8A330F700 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,2_2_00007FF8A330F700

                              Mitre Att&ck Matrix

                              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                              Gather Victim Identity InformationAcquire InfrastructureValid Accounts331
                              Windows Management Instrumentation                              		1
                              DLL Side-Loading                              		11
                              Process Injection                              		1
                              Masquerading                              		1
                              OS Credential Dumping                              		2
                              System Time Discovery                              		Remote Services1
                              Archive Collected Data                              		21
                              Encrypted Channel                              		Exfiltration Over Other Network MediumAbuse Accessibility Features
                              CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                              DLL Side-Loading                              		1
                              Disable or Modify Tools                              		LSASS Memory451
                              Security Software Discovery                              		Remote Desktop Protocol3
                              Data from Local System                              		3
                              Ingress Tool Transfer                              		Exfiltration Over BluetoothNetwork Denial of Service
                              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)251
                              Virtualization/Sandbox Evasion                              		Security Account Manager1
                              Process Discovery                              		SMB/Windows Admin SharesData from Network Shared Drive3
                              Non-Application Layer Protocol                              		Automated ExfiltrationData Encrypted for Impact
                              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                              Process Injection                              		NTDS251
                              Virtualization/Sandbox Evasion                              		Distributed Component Object ModelInput Capture4
                              Application Layer Protocol                              		Traffic DuplicationData Destruction
                              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                              Deobfuscate/Decode Files or Information                              		LSA Secrets1
                              Application Window Discovery                              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                              Obfuscated Files or Information                              		Cached Domain Credentials1
                              System Network Configuration Discovery                              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                              Timestomp                              		DCSync2
                              File and Directory Discovery                              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                              DLL Side-Loading                              		Proc Filesystem44
                              System Information Discovery                              		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                              Behavior Graph

                              Hide Legend

                              Legend:

                              • Process
                              • Signature
                              • Created File
                              • DNS/IP Info
                              • Is Dropped
                              • Is Windows Process
                              • Number of created Registry Values
                              • Number of created Files
                              • Visual Basic
                              • Delphi
                              • Java
                              • .Net C# or VB.NET
                              • C, C++ or other language
                              • Is malicious
                              • Internet

                              Screenshots

                              Thumbnails

                              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                              windows-stand

                              Antivirus, Machine Learning and Genetic Malware Detection

                              Initial Sample

                              SourceDetectionScannerLabelLink
                              External.exe100%AviraTR/Dropper.Gen
                              External.exe100%Joe Sandbox ML

                              Dropped Files

                              SourceDetectionScannerLabelLink
                              C:\Users\user\AppData\Local\Temp\windows.exe100%AviraTR/AD.GenSteal.apiqi
                              C:\Users\user\AppData\Local\Temp\windows.exe100%Joe Sandbox ML
                              C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll0%ReversingLabs
                              C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll0%ReversingLabs
                              C:\Users\user\AppData\Local\Temp\SQLite.Interop.dll0%ReversingLabs
                              C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll0%ReversingLabs
                              C:\Users\user\AppData\Local\Temp\windows.exe66%ReversingLabsByteCode-MSIL.Infostealer.Stealgen

                              Unpacked PE Files

                              No Antivirus matches

                              Domains

                              No Antivirus matches

                              URLs

                              SourceDetectionScannerLabelLink
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                              https://duckduckgo.com/chrome_newtab0%Avira URL Cloudsafe
                              http://ocsp.digicert.c0%Avira URL Cloudsafe
                              https://www.newtonsoft.com/json0%Avira URL Cloudsafe
                              https://api.telegram.org/bot0%Avira URL Cloudsafe
                              https://discordapp.com/api/v9/users/0%Avira URL Cloudsafe
                              https://www.sqlite.org/copyright.html0%Avira URL Cloudsafe
                              https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/1250%Avira URL Cloudsafe
                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%Avira URL Cloudsafe
                              https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
                              https://system.data.sqlite.org/X0%Avira URL Cloudsafe
                              http://ocsp.digicert.0%Avira URL Cloudsafe
                              http://x1.c.lencr.org/00%Avira URL Cloudsafe
                              http://x1.i.lencr.org/00%Avira URL Cloudsafe
                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%Avira URL Cloudsafe
                              http://ip-api.com/json/0%Avira URL Cloudsafe
                              https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/0%Avira URL Cloudsafe
                              http://ip-api.com0%Avira URL Cloudsafe
                              https://t.me/VegaStealer_shop_bot0%Avira URL Cloudsafe
                              https://api.vimeworld.ru/user/name/0%Avira URL Cloudsafe
                              https://github.com/JamesNK/Newtonsoft.Json0%Avira URL Cloudsafe
                              https://api.ipify.org/0%Avira URL Cloudsafe
                              https://freegeoip.app/xml/0%Avira URL Cloudsafe
                              http://cacerts.di0%Avira URL Cloudsafe
                              https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%Avira URL Cloudsafe
                              https://discord.com/api/v10/users/0%Avira URL Cloudsafe
                              http://crl3.digicert0%Avira URL Cloudsafe
                              https://steamcommunity.com/profiles/ASOFTWARE0%Avira URL Cloudsafe
                              http://crl.rootca1.amazontrust.com/rootca1.crl00%Avira URL Cloudsafe
                              http://ip-api.com/xml0%Avira URL Cloudsafe
                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
                              http://ocsp.rootca1.amazontrust.com0:0%Avira URL Cloudsafe
                              https://www.sqlite.org/copyright.html20%Avira URL Cloudsafe
                              https://www.ecosia.org/newtab/0%Avira URL Cloudsafe
                              http://ip-api.com/json/8.46.123.330%Avira URL Cloudsafe
                              https://api.ipify.org/1------------------------0%Avira URL Cloudsafe
                              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br0%Avira URL Cloudsafe
                              http://james.newtonking.com/projects/json0%Avira URL Cloudsafe
                              https://www.newtonsoft.com/jsonschema0%Avira URL Cloudsafe
                              https://ac.ecosia.org/autocomplete?q=0%Avira URL Cloudsafe
                              http://crt.rootca1.amazontrust.com/rootca1.cer0?0%Avira URL Cloudsafe
                              https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL0%Avira URL Cloudsafe
                              http://ocsp.digicer0%Avira URL Cloudsafe
                              https://ipbase.com/xml/0%Avira URL Cloudsafe
                              https://support.mozilla.org0%Avira URL Cloudsafe
                              https://system.data.sqlite.org/0%Avira URL Cloudsafe
                              https://www.nuget.org/packages/Newtonsoft.Json.Bson0%Avira URL Cloudsafe
                              https://urn.to/r/sds_see0%Avira URL Cloudsafe
                              https://github.com/novotnyllc/bc-csharp0%Avira URL Cloudsafe
                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%Avira URL Cloudsafe

                              Domains and IPs

                              Contacted Domains

                              NameIPActiveMaliciousAntivirus DetectionReputation
                              bg.microsoft.map.fastly.net
                              		199.232.210.172
                              		truefalse
                                		unknown
                                api.ipify.org
                                		104.26.12.205
                                		truefalse
                                  		unknown
                                  ip-api.com
                                  		208.95.112.1
                                  		truefalse
                                    		unknown
                                    ipbase.com
                                    		172.67.209.71
                                    		truefalse
                                      		unknown
                                      freegeoip.app
                                      		188.114.96.3
                                      		truetrue
                                        		unknown

                                        Contacted URLs

                                        NameMaliciousAntivirus DetectionReputation
                                        https://api.ipify.org/false
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://freegeoip.app/xml/false
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://ip-api.com/xmlfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://ip-api.com/json/8.46.123.33false
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://ipbase.com/xml/false
                                        • Avira URL Cloud: safe
                                        		unknown

                                        URLs from Memory and Binaries

                                        NameSourceMaliciousAntivirus DetectionReputation
                                        https://duckduckgo.com/chrome_newtabtmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://duckduckgo.com/ac/?q=tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://api.telegram.org/botExternal.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095840397.000002A585601000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://discordapp.com/api/v9/users/External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://ocsp.digicert.cExternal.exe, 00000000.00000003.2035717561.0000000000996000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://system.data.sqlite.org/XExternal.exe, 00000000.00000003.2036257519.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2112932662.000002A59E4F2000.00000002.00000001.01000000.0000000A.sdmp, System.Data.SQLite.dll.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.newtonsoft.com/jsonExternal.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.sqlite.org/copyright.htmlwindows.exefalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125windows.exe, 00000002.00000002.2095840397.000002A585653000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://ocsp.digicert.External.exe, 00000000.00000003.2034378462.000000000098A000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://x1.c.lencr.org/0cert9.db.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://x1.i.lencr.org/0cert9.db.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://ip-api.com/json/External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe, 00000002.00000002.2095840397.000002A5856F9000.00000004.00000800.00020000.00000000.sdmp, windows.exe.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchtmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://ip-api.comwindows.exe, 00000002.00000002.2095840397.000002A5859B5000.00000004.00000800.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095840397.000002A585685000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://t.me/VegaStealer_shop_botwindows.exe.0.dr, Information.txt.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://api.vimeworld.ru/user/name/windows.exe, 00000002.00000002.2095840397.000002A585601000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namewindows.exe, 00000002.00000002.2095840397.000002A585601000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        https://github.com/JamesNK/Newtonsoft.JsonExternal.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095674922.000002A585512000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://cacerts.diExternal.exe, 00000000.00000003.2034378462.000000000098A000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://discord.com/api/v10/users/windows.exe.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icotmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://steamcommunity.com/profiles/ASOFTWAREExternal.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://crl3.digicertExternal.exe, 00000000.00000003.2034661692.0000000002E0E000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://crl.rootca1.amazontrust.com/rootca1.crl0cert9.db.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://ocsp.rootca1.amazontrust.com0:cert9.db.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.sqlite.org/copyright.html2External.exe, 00000000.00000003.2035466643.0000000002F61000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmp, SQLite.Interop.dll.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.ecosia.org/newtab/tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://api.ipify.org/1------------------------External.exe, 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, windows.exe.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brtmp3543.tmp.tmpdb.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://james.newtonking.com/projects/jsonNewtonsoft.Json.dll.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://ac.ecosia.org/autocomplete?q=tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.newtonsoft.com/jsonschemaNewtonsoft.Json.dll.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://crt.rootca1.amazontrust.com/rootca1.cer0?cert9.db.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBLtmp3543.tmp.tmpdb.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://ocsp.digicerExternal.exe, 00000000.00000003.2035717561.0000000000996000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.nuget.org/packages/Newtonsoft.Json.BsonExternal.exe, 00000000.00000003.2034162058.000000000298E000.00000004.00000020.00020000.00000000.sdmp, windows.exe, 00000002.00000002.2095674922.000002A585512000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://support.mozilla.orgtmp3543.tmp.tmpdb.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://urn.to/r/sds_seeSystem.Data.SQLite.dll.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://system.data.sqlite.org/System.Data.SQLite.dll.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://github.com/novotnyllc/bc-csharpExternal.exe, 00000000.00000003.2032848782.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.0.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=tmpE0C.tmp.dat.2.dr, tmpE5E8.tmp.dat.2.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown

                                        World Map of Contacted IPs

                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs

                                        Public IPs

                                        IPDomainCountryFlagASNASN NameMalicious
                                        208.95.112.1
                                        		ip-api.comUnited States
                                        		53334TUT-ASUSfalse
                                        104.26.12.205
                                        		api.ipify.orgUnited States
                                        		13335CLOUDFLARENETUSfalse
                                        172.67.209.71
                                        		ipbase.comUnited States
                                        		13335CLOUDFLARENETUSfalse
                                        188.114.96.3
                                        		freegeoip.appEuropean Union
                                        		13335CLOUDFLARENETUStrue

                                        General Information

                                        Joe Sandbox version:40.0.0 Tourmaline
                                        Analysis ID:1505583
                                        Start date and time:2024-09-06 14:33:07 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 5m 3s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:3
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:External.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@3/60@4/4
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:Failed
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Stop behavior analysis, all processes terminated

                                        Warnings

                                        • Exclude process from analysis (whitelisted): dllhost.exe
                                        • Excluded IPs from analysis (whitelisted): 20.12.23.50
                                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenFile calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                        • VT rate limit hit for: External.exe

                                        Simulations

                                        Behavior and APIs

                                        TimeTypeDescription
                                        08:33:59API Interceptor37x Sleep call for process: windows.exe modified

                                        Joe Sandbox View / Context

                                        IPs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        208.95.112.1#U03a4#U0399#U039c#U039f#U039b#U039f#U0393#U0399#U039f Doc_PRG211003417144356060.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                        • ip-api.com/line/?fields=hosting
                                        Request for Quotation_1.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                        • ip-api.com/line/?fields=hosting
                                        IDR-500000000.scr.exeGet hashmaliciousAgentTeslaBrowse
                                        • ip-api.com/line/?fields=hosting
                                        Orden de Compra 4500491659.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • ip-api.com/line/?fields=hosting
                                        comprobante.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • ip-api.com/line/?fields=hosting
                                        Richiesta-Ordine.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                        • ip-api.com/json/
                                        XClient.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • ip-api.com/line/?fields=hosting
                                        SecuriteInfo.com.Script.SNH-gen.9462.29411.exeGet hashmaliciousAgentTeslaBrowse
                                        • ip-api.com/line/?fields=hosting
                                        comprobante_swift0000099.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • ip-api.com/line/?fields=hosting
                                        PO340188050.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • ip-api.com/line/?fields=hosting
                                        104.26.12.205fptlVDDPkS.dllGet hashmaliciousQuasarBrowse
                                        • api.ipify.org/
                                        zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                                        • api.ipify.org/
                                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                        • api.ipify.org/
                                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                        • api.ipify.org/
                                        SecuriteInfo.com.Win64.DropperX-gen.20063.4917.exeGet hashmaliciousStealcBrowse
                                        • api.ipify.org/
                                        Zoom_workspace.htaGet hashmaliciousCobalt Strike, Clipboard HijackerBrowse
                                        • api.ipify.org/
                                        SecuriteInfo.com.Win64.Evo-gen.28044.10443.exeGet hashmaliciousUnknownBrowse
                                        • api.ipify.org/
                                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                        • api.ipify.org/
                                        6OiUEubyA8.msiGet hashmaliciousQuasarBrowse
                                        • api.ipify.org/
                                        SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exeGet hashmaliciousConti, PureLog Stealer, Targeted RansomwareBrowse
                                        • api.ipify.org/

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        ip-api.com#U03a4#U0399#U039c#U039f#U039b#U039f#U0393#U0399#U039f Doc_PRG211003417144356060.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Request for Quotation_1.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                        • 208.95.112.1
                                        IDR-500000000.scr.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Orden de Compra 4500491659.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        comprobante.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Richiesta-Ordine.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                        • 208.95.112.1
                                        XClient.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • 208.95.112.1
                                        SecuriteInfo.com.Script.SNH-gen.9462.29411.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        comprobante_swift0000099.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        PO340188050.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        api.ipify.orgNEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXEGet hashmaliciousAgentTesla, RedLineBrowse
                                        • 104.26.13.205
                                        file.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.26.12.205
                                        HD4 DEMURRAGE INVOICE COPY.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.26.13.205
                                        Quotation.exeGet hashmaliciousAgentTeslaBrowse
                                        • 104.26.12.205
                                        https://webmail_208425654.itdays.net/271702705cloudstore-428375907?data=consumer-in@kenvue.comGet hashmaliciousHTMLPhisherBrowse
                                        • 172.67.74.152
                                        Documenti di spedizione 0002838844.exeGet hashmaliciousAgentTeslaBrowse
                                        • 172.67.74.152
                                        https://gunxt71ylj.swanprincessseries.shop/?email=redacted_emailGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                        • 172.67.74.152
                                        D07bcK36ed.exeGet hashmaliciousBLX Stealer, Discord Token StealerBrowse
                                        • 104.26.13.205
                                        D07bcK36ed.exeGet hashmaliciousBLX Stealer, Discord Token StealerBrowse
                                        • 104.26.12.205
                                        RedEngine.exeGet hashmaliciousBabadeda, RedLineBrowse
                                        • 104.26.12.205
                                        bg.microsoft.map.fastly.nethttps://rznfilarmonia.ru/bitrix/redirect.php?event1&event2&event3&goto=https://agroserviceica.com/rkos/distGet hashmaliciousUnknownBrowse
                                        • 199.232.214.172
                                        https://zoomzle.comGet hashmaliciousUnknownBrowse
                                        • 199.232.210.172
                                        https://emyoo.com.au/wp-includes/Text/Diff/Renderer/Get hashmaliciousHTMLPhisherBrowse
                                        • 199.232.214.172
                                        https://hye.com.mx/Get hashmaliciousUnknownBrowse
                                        • 199.232.210.172
                                        ZWlwrTM9HK.exeGet hashmaliciousRemcosBrowse
                                        • 199.232.210.172
                                        http://hikmaa.com/Get hashmaliciousUnknownBrowse
                                        • 199.232.214.172
                                        https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bt%C2%ADab%C2%ADleg%C2%ADen%C2%ADie%E2%80%8B.%C2%ADi%C2%ADo/dayo/1iuzr/ecqi-resource-center@hhs.govGet hashmaliciousHTMLPhisherBrowse
                                        • 199.232.210.172
                                        IDR-500000000.pdfGet hashmaliciousUnknownBrowse
                                        • 199.232.210.172
                                        PO#100600574.vbsGet hashmaliciousGuLoaderBrowse
                                        • 199.232.210.172
                                        Richiesta-Ordine.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                        • 199.232.210.172

                                        ASNs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        CLOUDFLARENETUS0driver-updater-setup.exeGet hashmaliciousLummaCBrowse
                                        • 104.21.10.172
                                        0driver-updater-setup.exeGet hashmaliciousLummaCBrowse
                                        • 172.67.146.35
                                        1182d0643d9d0ecb7fb40047604d17b438bcbbd16a3dfad7e8882d1bcad744ed.zipGet hashmaliciousHTMLPhisherBrowse
                                        • 104.26.0.100
                                        file.exeGet hashmaliciousUnknownBrowse
                                        • 172.64.41.3
                                        newvideozones.click.ps1Get hashmaliciousLummaCBrowse
                                        • 104.21.82.93
                                        COD 09256214__et__t_, _____st__ 2024_765124.PDF.exeGet hashmaliciousAzorult, PureLog StealerBrowse
                                        • 188.114.96.3
                                        human-verification5.b-cdn.net.ps1Get hashmaliciousUnknownBrowse
                                        • 188.114.97.3
                                        Setup.exeGet hashmaliciousLummaCBrowse
                                        • 172.67.158.147
                                        Setup.exeGet hashmaliciousLummaCBrowse
                                        • 172.67.158.147
                                        Full-Setup.exeGet hashmaliciousLummaCBrowse
                                        • 104.21.10.172
                                        CLOUDFLARENETUS0driver-updater-setup.exeGet hashmaliciousLummaCBrowse
                                        • 104.21.10.172
                                        0driver-updater-setup.exeGet hashmaliciousLummaCBrowse
                                        • 172.67.146.35
                                        1182d0643d9d0ecb7fb40047604d17b438bcbbd16a3dfad7e8882d1bcad744ed.zipGet hashmaliciousHTMLPhisherBrowse
                                        • 104.26.0.100
                                        file.exeGet hashmaliciousUnknownBrowse
                                        • 172.64.41.3
                                        newvideozones.click.ps1Get hashmaliciousLummaCBrowse
                                        • 104.21.82.93
                                        COD 09256214__et__t_, _____st__ 2024_765124.PDF.exeGet hashmaliciousAzorult, PureLog StealerBrowse
                                        • 188.114.96.3
                                        human-verification5.b-cdn.net.ps1Get hashmaliciousUnknownBrowse
                                        • 188.114.97.3
                                        Setup.exeGet hashmaliciousLummaCBrowse
                                        • 172.67.158.147
                                        Setup.exeGet hashmaliciousLummaCBrowse
                                        • 172.67.158.147
                                        Full-Setup.exeGet hashmaliciousLummaCBrowse
                                        • 104.21.10.172
                                        TUT-ASUS#U03a4#U0399#U039c#U039f#U039b#U039f#U0393#U0399#U039f Doc_PRG211003417144356060.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Request for Quotation_1.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                        • 208.95.112.1
                                        IDR-500000000.scr.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Orden de Compra 4500491659.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        comprobante.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Richiesta-Ordine.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                        • 208.95.112.1
                                        XClient.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • 208.95.112.1
                                        SecuriteInfo.com.Script.SNH-gen.9462.29411.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        comprobante_swift0000099.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        PO340188050.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        CLOUDFLARENETUS0driver-updater-setup.exeGet hashmaliciousLummaCBrowse
                                        • 104.21.10.172
                                        0driver-updater-setup.exeGet hashmaliciousLummaCBrowse
                                        • 172.67.146.35
                                        1182d0643d9d0ecb7fb40047604d17b438bcbbd16a3dfad7e8882d1bcad744ed.zipGet hashmaliciousHTMLPhisherBrowse
                                        • 104.26.0.100
                                        file.exeGet hashmaliciousUnknownBrowse
                                        • 172.64.41.3
                                        newvideozones.click.ps1Get hashmaliciousLummaCBrowse
                                        • 104.21.82.93
                                        COD 09256214__et__t_, _____st__ 2024_765124.PDF.exeGet hashmaliciousAzorult, PureLog StealerBrowse
                                        • 188.114.96.3
                                        human-verification5.b-cdn.net.ps1Get hashmaliciousUnknownBrowse
                                        • 188.114.97.3
                                        Setup.exeGet hashmaliciousLummaCBrowse
                                        • 172.67.158.147
                                        Setup.exeGet hashmaliciousLummaCBrowse
                                        • 172.67.158.147
                                        Full-Setup.exeGet hashmaliciousLummaCBrowse
                                        • 104.21.10.172

                                        JA3 Fingerprints

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        3b5074b1b5d032e5620f69f9f700ff0enewvideozones.click.ps1Get hashmaliciousLummaCBrowse
                                        • 104.26.12.205
                                        • 172.67.209.71
                                        • 188.114.96.3
                                        human-verification5.b-cdn.net.ps1Get hashmaliciousUnknownBrowse
                                        • 104.26.12.205
                                        • 172.67.209.71
                                        • 188.114.96.3
                                        YzvChS4FPi.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                        • 104.26.12.205
                                        • 172.67.209.71
                                        • 188.114.96.3
                                        scan_documet_027839.vbsGet hashmaliciousUnknownBrowse
                                        • 104.26.12.205
                                        • 172.67.209.71
                                        • 188.114.96.3
                                        Request for Quotation_1.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                        • 104.26.12.205
                                        • 172.67.209.71
                                        • 188.114.96.3
                                        Distributrnets.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 104.26.12.205
                                        • 172.67.209.71
                                        • 188.114.96.3
                                        WindowTop.5.23.3.-.setup.exeGet hashmaliciousUnknownBrowse
                                        • 104.26.12.205
                                        • 172.67.209.71
                                        • 188.114.96.3
                                        SecuriteInfo.com.Win32.RATX-gen.1669.23340.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 104.26.12.205
                                        • 172.67.209.71
                                        • 188.114.96.3
                                        Quote Order.exeGet hashmaliciousFormBookBrowse
                                        • 104.26.12.205
                                        • 172.67.209.71
                                        • 188.114.96.3
                                        RFQ_SCH-053457766.pdf.scr.exeGet hashmaliciousUnknownBrowse
                                        • 104.26.12.205
                                        • 172.67.209.71
                                        • 188.114.96.3

                                        Dropped Files

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dllnewvideozones.click.ps1Get hashmaliciousUnknownBrowse
                                          use_2024_t#U043e_#U043epen.zipGet hashmaliciousUnknownBrowse
                                            JetBrains.dotPeek.2024.1.3.web.exeGet hashmaliciousUnknownBrowse
                                              JetBrains.dotPeek.2024.1.3.web.exeGet hashmaliciousUnknownBrowse
                                                EmbravaConnect.msiGet hashmaliciousPrivateLoaderBrowse
                                                  lIoOSFYisn.exeGet hashmaliciousUnknownBrowse
                                                    ZG17uv37pi.exeGet hashmaliciousUnknownBrowse
                                                      ZG17uv37pi.exeGet hashmaliciousUnknownBrowse
                                                        tqtYy7oBD5.exeGet hashmaliciousPureLog StealerBrowse
                                                          C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dllBingWallpaper.exeGet hashmaliciousUnknownBrowse
                                                            BingWallpaper.exeGet hashmaliciousUnknownBrowse
                                                              SecuriteInfo.com.Trojan.DownLoader47.33281.22903.9484.exeGet hashmaliciousUnknownBrowse
                                                                SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                  4d847.msiGet hashmaliciousUnknownBrowse
                                                                    pdftool-v3.2.1222.0.msiGet hashmaliciousUnknownBrowse
                                                                      https://procore-drive.s3.amazonaws.com/ProcoreDriveSetup.exeGet hashmaliciousUnknownBrowse
                                                                        INVOICE12301201-32013012030123.exeGet hashmaliciousUnknownBrowse
                                                                          INVOICE12301201-32013012030123.exeGet hashmaliciousUnknownBrowse
                                                                            BELOSSetup_v4.5.1.24051_x64.msiGet hashmaliciousUnknownBrowse

                                                                              Created / dropped Files

                                                                              C:\????? ?????\Browsers\Google\Cookie_Google.txt

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):351
                                                                              Entropy (8bit):5.6697027681561085
                                                                              Encrypted:false
                                                                              SSDEEP:6:Pk3rcDxbuM3rcDxbuM3r4KcsGG1NOpFw+5uQ+Cy8HfyUhEqXfL6vRpAv:c7EEM7EEM74KcW1NOpFwUuQLHaU9WvHK
                                                                              MD5:73F8C4E89826E320F805E0EB0319E591
                                                                              SHA1:A03C2D779599A14AA1D3DBA55D8BA2CE5D40AB0D
                                                                              SHA-256:552FB6B364A8CAC1B0221A47F7A441DEB2294908ED34C790046813D559501579
                                                                              SHA-512:8488A20256E0C97735C0FB851EB3806D01171FFBEFC1A0B5F678C5D2DC39B0EAF33718724791DDBB8BC7F769945DC28A1337482B3AA7C600FB014D581C5027E2
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:.google.com.TRUE./.FALSE.13343492415760663.1P_JAR.2023-10-04-13..google.com.TRUE./.FALSE.13343492415760663.1P_JAR.2023-10-04-13..google.com.TRUE./.FALSE.13356711615760707.NID.511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4.

                                                                              C:\????? ?????\Browsers\Google\Cookies_Chrome.txt

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):289
                                                                              Entropy (8bit):5.76524051718901
                                                                              Encrypted:false
                                                                              SSDEEP:6:Pk3rcDxbuQ03r4KcsGG1NOpFw+5uQ+Cy8HfyUhEqXfL6vRpAy:c7EEQ074KcW1NOpFwUuQLHaU9WvH9
                                                                              MD5:B11F445211C21DB45D7B779A5C6E2444
                                                                              SHA1:27641DD5D8824CD6596FB862681846DAE17A8BBB
                                                                              SHA-256:11CB0CB1CC5B9BAF4FFB0F950F667FBCC688979D5096DEDCE9883242990955FC
                                                                              SHA-512:A504B9E59E392209298C2E3113FB06DF75167FD2B36D69BA408BC6BA682D47F015656B06AE270928A7BEF685705E28C20E85786B53DFC308F6952984EA6FC2A0
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:.google.com.TRUE./.FALSE.13343492415760663.1P_JAR.2023-10-04-13...google.com.TRUE./.FALSE.13356711615760707.NID.511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4..

                                                                              C:\????? ?????\Files\BJZFPPWAPT.jpg

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.704346314649071
                                                                              Encrypted:false
                                                                              SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                              MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                              SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                              SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                              SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                              C:\????? ?????\Files\BJZFPPWAPT\GLTYDMDUST.png

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.69569301223482
                                                                              Encrypted:false
                                                                              SSDEEP:24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
                                                                              MD5:CA404BEA65D84F58838AF73B2DC67E02
                                                                              SHA1:56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
                                                                              SHA-256:4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
                                                                              SHA-512:10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

                                                                              C:\????? ?????\Files\BJZFPPWAPT\KLIZUSIQEN.pdf

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.696703751818505
                                                                              Encrypted:false
                                                                              SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                              MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                              SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                              SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                              SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                              C:\????? ?????\Files\BJZFPPWAPT\NYMMPCEIMA.jpg

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.6957997909429325
                                                                              Encrypted:false
                                                                              SSDEEP:24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
                                                                              MD5:4F49714E789620AEDB7B9565DC949466
                                                                              SHA1:5917AC09E3D5074BFF8E1289865CAFF6403D1E82
                                                                              SHA-256:A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
                                                                              SHA-512:61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
                                                                              Malicious:false
                                                                              Preview:NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

                                                                              C:\????? ?????\Files\DUUDTUBZFW.pdf

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.701195573484743
                                                                              Encrypted:false
                                                                              SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                              MD5:2530C45A92F347020337052A8A7D7B00
                                                                              SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                              SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                              SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                              Malicious:false
                                                                              Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                              C:\????? ?????\Files\EFOYFBOLXA\DUUDTUBZFW.pdf

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.701195573484743
                                                                              Encrypted:false
                                                                              SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                              MD5:2530C45A92F347020337052A8A7D7B00
                                                                              SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                              SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                              SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                              Malicious:false
                                                                              Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                              C:\????? ?????\Files\EFOYFBOLXA\EWZCVGNOWT.png

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.690071120548773
                                                                              Encrypted:false
                                                                              SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                                              MD5:8F49644C9029260CF4D4802C90BA5CED
                                                                              SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                                              SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                                              SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                                              Malicious:false
                                                                              Preview:EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

                                                                              C:\????? ?????\Files\EFOYFBOLXA\ZGGKNSUKOP.jpg

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.6959554225029665
                                                                              Encrypted:false
                                                                              SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                              MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                              SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                              SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                              SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                              Malicious:false
                                                                              Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                              C:\????? ?????\Files\EIVQSAOTAQ.pdf

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.692024230831571
                                                                              Encrypted:false
                                                                              SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                                              MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                                              SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                                              SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                                              SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                                              Malicious:false
                                                                              Preview:EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

                                                                              C:\????? ?????\Files\EWZCVGNOWT.png

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.690071120548773
                                                                              Encrypted:false
                                                                              SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                                              MD5:8F49644C9029260CF4D4802C90BA5CED
                                                                              SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                                              SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                                              SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                                              Malicious:false
                                                                              Preview:EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

                                                                              C:\????? ?????\Files\GLTYDMDUST.png

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.69569301223482
                                                                              Encrypted:false
                                                                              SSDEEP:24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
                                                                              MD5:CA404BEA65D84F58838AF73B2DC67E02
                                                                              SHA1:56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
                                                                              SHA-256:4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
                                                                              SHA-512:10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
                                                                              Malicious:false
                                                                              Preview:GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

                                                                              C:\????? ?????\Files\GRXZDKKVDB.pdf

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.697358951122591
                                                                              Encrypted:false
                                                                              SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                              MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                              SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                              SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                              SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                              Malicious:false
                                                                              Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                              C:\????? ?????\Files\GRXZDKKVDB\EIVQSAOTAQ.pdf

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.692024230831571
                                                                              Encrypted:false
                                                                              SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                                              MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                                              SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                                              SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                                              SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                                              Malicious:false
                                                                              Preview:EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

                                                                              C:\????? ?????\Files\GRXZDKKVDB\KLIZUSIQEN.jpg

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.696703751818505
                                                                              Encrypted:false
                                                                              SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                              MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                              SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                              SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                              SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                              Malicious:false
                                                                              Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                              C:\????? ?????\Files\GRXZDKKVDB\QCOILOQIKC.png

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.697125102277996
                                                                              Encrypted:false
                                                                              SSDEEP:24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
                                                                              MD5:207485EFCE70435971C31586A1E4CF97
                                                                              SHA1:245A410AEB767B099944A8E81F75FC9A4B270DFB
                                                                              SHA-256:BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
                                                                              SHA-512:A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
                                                                              Malicious:false
                                                                              Preview:QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX

                                                                              C:\????? ?????\Files\KLIZUSIQEN.jpg

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.696703751818505
                                                                              Encrypted:false
                                                                              SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                              MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                              SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                              SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                              SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                              Malicious:false
                                                                              Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                              C:\????? ?????\Files\KLIZUSIQEN.pdf

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.696703751818505
                                                                              Encrypted:false
                                                                              SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                              MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                              SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                              SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                              SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                              Malicious:false
                                                                              Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                              C:\????? ?????\Files\NVWZAPQSQL\BJZFPPWAPT.jpg

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.704346314649071
                                                                              Encrypted:false
                                                                              SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                              MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                              SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                              SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                              SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                              Malicious:false
                                                                              Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                              C:\????? ?????\Files\NVWZAPQSQL\GRXZDKKVDB.pdf

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.697358951122591
                                                                              Encrypted:false
                                                                              SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                              MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                              SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                              SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                              SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                              Malicious:false
                                                                              Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                              C:\????? ?????\Files\NVWZAPQSQL\PALRGUCVEH.png

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.696508269038202
                                                                              Encrypted:false
                                                                              SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                                              MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                                              SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                                              SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                                              SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                                              Malicious:false
                                                                              Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

                                                                              C:\????? ?????\Files\NYMMPCEIMA.jpg

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.6957997909429325
                                                                              Encrypted:false
                                                                              SSDEEP:24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
                                                                              MD5:4F49714E789620AEDB7B9565DC949466
                                                                              SHA1:5917AC09E3D5074BFF8E1289865CAFF6403D1E82
                                                                              SHA-256:A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
                                                                              SHA-512:61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
                                                                              Malicious:false
                                                                              Preview:NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

                                                                              C:\????? ?????\Files\PALRGUCVEH.png

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.696508269038202
                                                                              Encrypted:false
                                                                              SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                                              MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                                              SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                                              SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                                              SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                                              Malicious:false
                                                                              Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

                                                                              C:\????? ?????\Files\QCOILOQIKC.png

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.697125102277996
                                                                              Encrypted:false
                                                                              SSDEEP:24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
                                                                              MD5:207485EFCE70435971C31586A1E4CF97
                                                                              SHA1:245A410AEB767B099944A8E81F75FC9A4B270DFB
                                                                              SHA-256:BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
                                                                              SHA-512:A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
                                                                              Malicious:false
                                                                              Preview:QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX

                                                                              C:\????? ?????\Files\ZGGKNSUKOP.jpg

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1026
                                                                              Entropy (8bit):4.6959554225029665
                                                                              Encrypted:false
                                                                              SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                              MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                              SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                              SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                              SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                              Malicious:false
                                                                              Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                              C:\????? ?????\Information.txt

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:Unicode text, UTF-8 text
                                                                              Category:dropped
                                                                              Size (bytes):1657
                                                                              Entropy (8bit):4.617901678813081
                                                                              Encrypted:false
                                                                              SSDEEP:48:uMMOEMshMp11IATMphEQlpkayohCo6iD/p2pQLY7jp36z:u4E+1IATpQURErps7hk
                                                                              MD5:36986EB1DF2BFE2BA54977776E640CCD
                                                                              SHA1:16F32D48726D34977F7CF28B840AE6A5CDDAF21F
                                                                              SHA-256:AB796A4620AFDEE36FE501B10FB9387E2067FB3FD3A2A2CAE05FA173B466CFC2
                                                                              SHA-512:81B5C65D3F7997EDC4CC6762F60784E0037545606965459FDCBD212D654931E350A9E1CB2E67C32AA0FD0172B92086DF68B47C93C1AFE33500976E19A2FAFC84
                                                                              Malicious:false
                                                                              Preview:. * ******************************************. * .................................. *. * .................................. *. * .................................. *. * .................................. *. * .................................. *. * .................................. *. * https://t.me/VegaStealer_shop_bot *. * *. * ******************************************. ==================================================. Operating system: Windows 10 Pro (64 Bit). PC user: 571345/user. C

                                                                              C:\????? ?????\Process.txt

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):4747
                                                                              Entropy (8bit):4.978022179436053
                                                                              Encrypted:false
                                                                              SSDEEP:24:uNqNQUNHINNNNqqNFqNmnQUNqQzuqNNqNNqNNNPtrxxNqpqNL+VEqqqNqpNQUNqk:yki5tudLR5AZp5ww
                                                                              MD5:90779A13054DB46EE8B7C9A6582AD49F
                                                                              SHA1:9A9764C64BCE40438485A1A5F31B1884C0FA4628
                                                                              SHA-256:A1CC0ED612B3D5D2A26EAACDB039F53ECF3F09EDD524AD8E65070A1E21925055
                                                                              SHA-512:F0CCDB49722FF8AA919C8D44FA4D4177DCB73304B623D6698E2AA9AF24D5567F69DC03CFD1F272C57E63240983A3A8B0F2A09C6D37274D2B8170723AF15856A4
                                                                              Malicious:false
                                                                              Preview:NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: svchost..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: RuntimeBroker..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: csrss..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: svchost..NAME: svchost..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: windows..NAME: svchost..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: upfc..NAME: RuntimeBroker..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: svchost..NAME: spoolsv..NAME: sihost..NAME: svchost..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: svchost..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: svchost..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: backgroundTaskHost..NAME: fontdrvhost..NAME: fontdrvhost..NAME: UNkGRqTMdOgvJzsvxgcSQQijXPsP..NAME: svchost..NAME:

                                                                              C:\????? ?????\Screen.png

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                              Category:dropped
                                                                              Size (bytes):707797
                                                                              Entropy (8bit):7.928611272868417
                                                                              Encrypted:false
                                                                              SSDEEP:12288:zylLqizyhBUnxItnkhYyyg5p8DgL/IswVEtWS8n4FgiEGatIUOnW4oPwMcU9nCBy:z7izDnxffu2IZVEtWS8n4CfOnW4a1rCg
                                                                              MD5:6EE065B41B2C39A72A21E0399BF3B945
                                                                              SHA1:EB0E33CFA9E8096CC86BFA8CDC42A9D5740B1F6D
                                                                              SHA-256:7EBD0D6CEECA672866595598360E22490BC86C23BA57BE225772A695512FE6D1
                                                                              SHA-512:DA26A5A19F69E7686D07D57F3E6E79AF1DA5D358788506B658927E6D297A12FBC1A1A7CB4E0D2D50942222040EFC500D6BC6050ED1E8CF9A1C5E7B3A5D23071F
                                                                              Malicious:false
                                                                              Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.....e.........{j......vf}#ZRwKxST.MQ@.%........Oa$|.0.C .N@U.....J..._....}#..&.........#.7...v..h..f.,...Z.qnQlE...Z.FG..O....=L2n..vO..s.._mE...PF3.. ..=-C'..<............+...G..b.x..q/...}a..X.|W..#^lK..o....?.#..........66h..=..C........!O...AOM,.<9P..z.'.2..|.o..x.b......?6.....eh?..wAs..8...........=....+..6>._}.-..C_.e..q}d.a..1......b.K...=.Wl..x.[.w....}......zo..F.p."..X.|..]....;.6..|.(...bx...`.-..w..w.)..;.,.k..;.......}..(.$cJ.......Cd...T....1.5Cq~x~...1...C............M..0u~.c.[..7'...........n.S..9...v.....04....jihl.$..O.6.[.i,....maz...).b..T.b...Mi..p.......P..m.q..ri..U.....qn...f7U...n........e\.E.w.Bs..S;.Y...oL.mvChn....0u.x..66.>.M.rqbd.x.]KK..i.N....f7.Vc.F6..o........\.....q>....%.7.>..{.0....<...q.9.....C.\..S7...!.um5o..........6.k...q}l5.. ..m.......'.3..M.(~.1f..7.*4.&.5.:...q-.t=.1%..x..1

                                                                              C:\Users\Public\v6zchhhv.default-release\cert9.db

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                              Category:dropped
                                                                              Size (bytes):229376
                                                                              Entropy (8bit):0.643383182059925
                                                                              Encrypted:false
                                                                              SSDEEP:384:A1zkVmvQhyn+Zoz67kMMTNlH333JqN8j/LKXu5Uu/:AlM0sCyW
                                                                              MD5:F23F48363C7BAA0709698208A7E833A0
                                                                              SHA1:07D2AEE271A0F2BA14608FE5A9A677E2594D22CC
                                                                              SHA-256:51DFB72705CBEB6AF5A14F2BE20FC39172E86263E25704F50BEB292F776B7713
                                                                              SHA-512:F8F16198A96F047E320EF82026160EBD5A0836B48FC3496C427F90965CF3BF5FAB5EBE0FB9016E3BDE56657EB42627D7286AED3167A422D69F865524892C3DFA
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................j......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\Public\v6zchhhv.default-release\key4.db

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                                                                              Category:dropped
                                                                              Size (bytes):294912
                                                                              Entropy (8bit):0.08438200565341271
                                                                              Encrypted:false
                                                                              SSDEEP:192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v4U:51zkVmvQhyn+Zoz67NU
                                                                              MD5:F7EEE7B0D281E250D1D8E36486F5A2C3
                                                                              SHA1:309736A27E794672BD1BDFBAC69B2C6734FC25CE
                                                                              SHA-256:378DD46FE8A8AAC2C430AE8A7C5C1DC3C2A343534A64A263EC9A4F1CE801985E
                                                                              SHA-512:CE102A41CA4E2A27CCB27F415D2D69A75A0058BA0F600C23F63B89F30FFC982BA48336140714C522B46CC6D13EDACCE3DF0D6685D02844B8DB0AD3378DB9CABB
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windows.exe.log

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):2808
                                                                              Entropy (8bit):5.356197301867119
                                                                              Encrypted:false
                                                                              SSDEEP:48:MxHKQEAHKKkKYHKGSI6oPtHTH0HNpZH81qHGIsjJHxLHOHKmHKe6nmHKwlCayH5K:iqaqKkKYqGSI6oPtzH0tpZcwmjVRLuqS
                                                                              MD5:3EB1618757487C322C673E156B318F53
                                                                              SHA1:FAD16E1461EE38F7407E23B7112A0442F0540EBE
                                                                              SHA-256:13D43352E900723B614526716C6F4AFD0B9E0262C74282F796C6D165C264A272
                                                                              SHA-512:CDEB560F58E030575D8E9CB3D6256A8A0D3DFB13B8A14F89A3E455DC1947F791D0B16392F61F848321CC0B80FE73DFDA46CBE3D00A4A4DB30FC9C16C1408E541
                                                                              Malicious:false
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Managemen

                                                                              C:\Users\user\AppData\Local\Temp\03313739-3598-4512-85e9-4dd47dd4f262

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                              Category:dropped
                                                                              Size (bytes):20480
                                                                              Entropy (8bit):0.6732424250451717
                                                                              Encrypted:false
                                                                              SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                              MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                              SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                              SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                              SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\0802e777-ffcd-4f89-9714-685e3389c209

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):40960
                                                                              Entropy (8bit):0.8553638852307782
                                                                              Encrypted:false
                                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\42c72e21-d06a-4a35-bb44-7f751e5c9671

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                              Category:dropped
                                                                              Size (bytes):98304
                                                                              Entropy (8bit):0.08235737944063153
                                                                              Encrypted:false
                                                                              SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                              MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                              SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                              SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                              SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\42c72e21-d06a-4a35-bb44-7f751e5c9671-shm

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):32768
                                                                              Entropy (8bit):0.017262956703125623
                                                                              Encrypted:false
                                                                              SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                              MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                              SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                              SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                              SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                              Malicious:false
                                                                              Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\9ded605c-9d28-499a-b3b4-287f6b8e9c6f

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):51200
                                                                              Entropy (8bit):0.8746135976761988
                                                                              Encrypted:false
                                                                              SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                              MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                              SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                              SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                              SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\External.exe
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3316968
                                                                              Entropy (8bit):6.532906510598102
                                                                              Encrypted:false
                                                                              SSDEEP:49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY
                                                                              MD5:0CF454B6ED4D9E46BC40306421E4B800
                                                                              SHA1:9611AA929D35CBD86B87E40B628F60D5177D2411
                                                                              SHA-256:E51721DC0647F4838B1ABC592BD95FD8CB924716E8A64F83D4B947821FA1FA42
                                                                              SHA-512:85262F1BC67A89911640F59A759B476B30CA644BD1A1D9CD3213CC8AAE16D7CC6EA689815F19B146DB1D26F7A75772CEB48E71E27940E3686A83EB2CF7E46048
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Joe Sandbox View:
                                                                              • Filename: newvideozones.click.ps1, Detection: malicious, Browse
                                                                              • Filename: use_2024_t#U043e_#U043epen.zip, Detection: malicious, Browse
                                                                              • Filename: JetBrains.dotPeek.2024.1.3.web.exe, Detection: malicious, Browse
                                                                              • Filename: JetBrains.dotPeek.2024.1.3.web.exe, Detection: malicious, Browse
                                                                              • Filename: EmbravaConnect.msi, Detection: malicious, Browse
                                                                              • Filename: lIoOSFYisn.exe, Detection: malicious, Browse
                                                                              • Filename: ZG17uv37pi.exe, Detection: malicious, Browse
                                                                              • Filename: ZG17uv37pi.exe, Detection: malicious, Browse
                                                                              • Filename: tqtYy7oBD5.exe, Detection: malicious, Browse
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....6Q3...@.................................G&1.O.....2..............|2.. ....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                              C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\External.exe
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):711952
                                                                              Entropy (8bit):5.967185619483575
                                                                              Encrypted:false
                                                                              SSDEEP:12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
                                                                              MD5:195FFB7167DB3219B217C4FD439EEDD6
                                                                              SHA1:1E76E6099570EDE620B76ED47CF8D03A936D49F8
                                                                              SHA-256:E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
                                                                              SHA-512:56EB7F070929B239642DAB729537DDE2C2287BDB852AD9E80B5358C74B14BC2B2DDED910D0E3B6304EA27EB587E5F19DB0A92E1CBAE6A70FB20B4EF05057E4AC
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Joe Sandbox View:
                                                                              • Filename: BingWallpaper.exe, Detection: malicious, Browse
                                                                              • Filename: BingWallpaper.exe, Detection: malicious, Browse
                                                                              • Filename: SecuriteInfo.com.Trojan.DownLoader47.33281.22903.9484.exe, Detection: malicious, Browse
                                                                              • Filename: SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe, Detection: malicious, Browse
                                                                              • Filename: 4d847.msi, Detection: malicious, Browse
                                                                              • Filename: pdftool-v3.2.1222.0.msi, Detection: malicious, Browse
                                                                              • Filename: , Detection: malicious, Browse
                                                                              • Filename: INVOICE12301201-32013012030123.exe, Detection: malicious, Browse
                                                                              • Filename: INVOICE12301201-32013012030123.exe, Detection: malicious, Browse
                                                                              • Filename: BELOSSetup_v4.5.1.24051_x64.msi, Detection: malicious, Browse
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O......................../.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                              C:\Users\user\AppData\Local\Temp\SQLite.Interop.dll

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\External.exe
                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1796784
                                                                              Entropy (8bit):6.559515637357591
                                                                              Encrypted:false
                                                                              SSDEEP:24576:EpmVXSlb6q7SKjK2RMP1lfuqluu3cAG8WqMkXbbz38MJBbMNCoUpgLPNwEcIMK:6mVXy7SKjyfTFMwEkr3VJBbKCoUYt
                                                                              MD5:A73FDFB6815B151848257ECA042A42EF
                                                                              SHA1:73F18E6B4D1F638E7CE2A7AD36635018482F2C55
                                                                              SHA-256:10C9CCEC863ED80850C7B7080E4F2E34B133CE259D1AE3EA7A305CEBF6E2940D
                                                                              SHA-512:111F5A7BD916AB317FC127CBF49A2A81C2A614CE3A655A0446F2EBF3C2E61509DB5633A391BEF06C4BA0B58A71C752262EC2467A09ABC56827263C647B08A09D
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aiN\%. .%. .%. .....1. ....... ....... ..V#.". ..V%.1. ..V$.5. .....-. .;Z..&. .%.!... ..V(.$. ..V .$. ..V..$. ..V".$. .Rich%. .........PE..d...Z.c.........." .....d...................................................p......m|....`..........................................|..........x....@..........@........T...P..p...0...p...............................................x............................text...0b.......d.................. ..`.rdata...#.......$...h..............@..@.data... _.......J..................@....pdata..@...........................@..@.gfids.......0......................@..@.rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\External.exe
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):411832
                                                                              Entropy (8bit):6.1644059300329195
                                                                              Encrypted:false
                                                                              SSDEEP:12288:ZGGoS+lVQ7ECFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cH:ZGGmlq7E
                                                                              MD5:B0911D27918A1E20088B4E6B6EC29AD3
                                                                              SHA1:93A285C96A4D391EA4FE6655CAAA0BBF2EE52683
                                                                              SHA-256:24043EF4472D9D035CD1A8294F68D2BBFDF76F5455AF80C09C89E64F6ED15917
                                                                              SHA-512:518DA2E73B849BE38570D7DB218ADEB47F85FDE89C15DAC577EB1446A9A55BB4CFAF31D371428B9C4F0C69C0BE3E2CB10FAFCADBEC24E8AB793B639392E3F029
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.c.........." ..0.................. ... ....... .......................`............`.................................`...O.... ..p................T...@......(................................................ ............... ..H............text........ ...................... ..`.rsrc...p.... ......................@..@.reloc.......@......................@..B........................H.......tB...3..........Xv..P...........................................:.(;.....}....*..{....*:.(;.....}....*..{....*...0...........~<...}.....r...p}........(.....(.....r)..p.(........(K.....~<...(=...,z.....s....}.......}.......}............{............%......(>....%...C....%...!....%...%.........%....%.........s....(!...*vra..p.(....,...}....*..}....*..{....*z.{....,......(>...o?...s@...z*.0..(........{....-..(......o....&....(b.....}.....*.................0..T........{..

                                                                              C:\Users\user\AppData\Local\Temp\a5350a5e-bea2-466b-9e2a-e0987d293719

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                              Category:dropped
                                                                              Size (bytes):20480
                                                                              Entropy (8bit):0.8439810553697228
                                                                              Encrypted:false
                                                                              SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                              MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                              SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                              SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                              SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmp3512.tmp.tmpdb

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                              Category:dropped
                                                                              Size (bytes):98304
                                                                              Entropy (8bit):0.08235737944063153
                                                                              Encrypted:false
                                                                              SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                              MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                              SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                              SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                              SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmp3532.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                              Category:dropped
                                                                              Size (bytes):196608
                                                                              Entropy (8bit):1.121297215059106
                                                                              Encrypted:false
                                                                              SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                              MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                              SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                              SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                              SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmp3543.tmp.tmpdb

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                              Category:dropped
                                                                              Size (bytes):5242880
                                                                              Entropy (8bit):0.03859996294213402
                                                                              Encrypted:false
                                                                              SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                              MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                              SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                              SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                              SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmp5BCC.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):51200
                                                                              Entropy (8bit):0.8746135976761988
                                                                              Encrypted:false
                                                                              SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                              MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                              SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                              SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                              SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmp5BEC.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):155648
                                                                              Entropy (8bit):0.5407252242845243
                                                                              Encrypted:false
                                                                              SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                              MD5:7B955D976803304F2C0505431A0CF1CF
                                                                              SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                              SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                              SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmp5C0C.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):155648
                                                                              Entropy (8bit):0.5407252242845243
                                                                              Encrypted:false
                                                                              SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                              MD5:7B955D976803304F2C0505431A0CF1CF
                                                                              SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                              SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                              SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmp5C2C.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                              Category:dropped
                                                                              Size (bytes):196608
                                                                              Entropy (8bit):1.121297215059106
                                                                              Encrypted:false
                                                                              SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                              MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                              SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                              SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                              SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmpDCA.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):51200
                                                                              Entropy (8bit):0.8746135976761988
                                                                              Encrypted:false
                                                                              SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                              MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                              SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                              SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                              SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmpDDB.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):159744
                                                                              Entropy (8bit):0.5394293526345721
                                                                              Encrypted:false
                                                                              SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                              MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                              SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                              SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                              SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmpDEB.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):159744
                                                                              Entropy (8bit):0.5394293526345721
                                                                              Encrypted:false
                                                                              SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                              MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                              SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                              SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                              SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmpE0C.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                              Category:dropped
                                                                              Size (bytes):106496
                                                                              Entropy (8bit):1.136413900497188
                                                                              Encrypted:false
                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                              MD5:429F49156428FD53EB06FC82088FD324
                                                                              SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                              SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                              SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmpE0D.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):155648
                                                                              Entropy (8bit):0.5407252242845243
                                                                              Encrypted:false
                                                                              SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                              MD5:7B955D976803304F2C0505431A0CF1CF
                                                                              SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                              SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                              SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmpE579.tmp.tmpdb

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                              Category:dropped
                                                                              Size (bytes):5242880
                                                                              Entropy (8bit):0.03859996294213402
                                                                              Encrypted:false
                                                                              SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                              MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                              SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                              SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                              SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmpE599.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                              Category:dropped
                                                                              Size (bytes):196608
                                                                              Entropy (8bit):1.121297215059106
                                                                              Encrypted:false
                                                                              SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                              MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                              SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                              SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                              SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmpE5E8.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                              Category:dropped
                                                                              Size (bytes):106496
                                                                              Entropy (8bit):1.136413900497188
                                                                              Encrypted:false
                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                              MD5:429F49156428FD53EB06FC82088FD324
                                                                              SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                              SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                              SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmpE618.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                              Category:dropped
                                                                              Size (bytes):196608
                                                                              Entropy (8bit):1.121297215059106
                                                                              Encrypted:false
                                                                              SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                              MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                              SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                              SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                              SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\tmpE657.tmp.dat

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                              Category:dropped
                                                                              Size (bytes):40960
                                                                              Entropy (8bit):0.8553638852307782
                                                                              Encrypted:false
                                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Temp\windows.exe

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\External.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):405504
                                                                              Entropy (8bit):5.920777951624397
                                                                              Encrypted:false
                                                                              SSDEEP:6144:NbODqpwPEuxGH6OrwX3pwzZwEq7EtE6pBpgwSOm92BUz7BJwaPEqrPlTuKW:NyPPDLOrwX3pwzZwyB7k2uvfwARrW
                                                                              MD5:CFCF2DF87DD10EDFF1E1B2BE2E811236
                                                                              SHA1:82FFE1F1B75EFDD5215D7CBEFB116F778E0F3864
                                                                              SHA-256:E49BF534EC416F57A546FC1CB0600EC1A441FBA576FD1C6212D38090E5DACBE8
                                                                              SHA-512:E5807F901B884C71668DEAEBC042F1A9BD4335AA3E41258023A8D9E8D5559BE454DFA6F1B71AFEF1D9BFC1C8E8F27628DC9375EC29559377566C845F6BFEA2F8
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: ditekSHen
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: ditekSHen
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: ditekSHen
                                                                              • Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 66%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0..$............... ...`....@.. ....................................`.....................................O....`..................................8............................................ ............... ..H............text...."... ...$.................. ..`.rsrc........`.......&..............@..@.reloc..............................@..B........................H.......<....;............................................................{....*"..}....*.*..('...*..0..F.......s(...%r...po)....{.........(<...o)...r...po)....|....(*...o)...&o+...*...0...........s,......o-...(....*.0.............{......E............,.......8...D...+Q..{..........+M..{.......+A..{..........+2..{.......+&..{.......+...{..........+.r...ps....z.*6..o....(....*..(....*....0..a.......s(...%.|..........o+...o)...r...po)....{.........(<...o)...r...po)....|....r#..p

                                                                              Static File Info

                                                                              General

                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):7.9355487480143125
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • VXD Driver (31/22) 0.00%
                                                                              File name:External.exe
                                                                              File size:4'252'160 bytes
                                                                              MD5:7b9641ed9ec61b9373a59bf5a2f03d72
                                                                              SHA1:68b9c7560f8c2a907fb7b917fce027a206084550
                                                                              SHA256:a67d7bad3484883985727a2dcb0d586104ba10c3eed594a878c2fb1f8db92536
                                                                              SHA512:74cbae4d841f5749013b01324e3ccc2920686de5da3107e2c42604afafcd038acfb53837b0433d2f160201d68910a103f6abe6dfe5d21becf3fcd594734dc59e
                                                                              SSDEEP:98304:DjQw068KkM3pcPuOI66CF+EVeeVlRi0Du4Cs:1kY6Pbpt+ETlRDu4Cs
                                                                              TLSH:DC1633D2C6CA6E1FD56D90759542223B3FFC92E359420635F0AD5A6322A39F7CD00B8E
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Q......................@.............. ....@...........................A............................................

                                                                              File Icon

                                                                              Icon Hash:00928e8e8686b000

                                                                              Static PE Info

                                                                              General

                                                                              Entrypoint:0x401ae1
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                              DLL Characteristics:
                                                                              Time Stamp:0x51BC99EC [Sat Jun 15 16:44:28 2013 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:d5d9d937853db8b666bd4b525813d7bd

                                                                              Entrypoint Preview

                                                                              Instruction
                                                                              call 00007F8510947971h
                                                                              mov dword ptr [0040300Bh], eax
                                                                              push 00000000h
                                                                              call 00007F851094797Dh
                                                                              mov dword ptr [00403013h], eax
                                                                              call 00007F851094797Fh
                                                                              mov dword ptr [00403C70h], eax
                                                                              push 0000000Ah
                                                                              push dword ptr [0040300Bh]
                                                                              push 00000000h
                                                                              push dword ptr [00403013h]
                                                                              call 00007F8510946DFFh
                                                                              push 00000000h
                                                                              call 00007F8510947928h
                                                                              int3
                                                                              jmp dword ptr [0040207Ch]
                                                                              jmp dword ptr [00402008h]
                                                                              jmp dword ptr [0040200Ch]
                                                                              jmp dword ptr [00402010h]
                                                                              jmp dword ptr [00402014h]
                                                                              jmp dword ptr [00402018h]
                                                                              jmp dword ptr [0040201Ch]
                                                                              jmp dword ptr [00402020h]
                                                                              jmp dword ptr [00402024h]
                                                                              jmp dword ptr [00402028h]
                                                                              jmp dword ptr [0040202Ch]
                                                                              jmp dword ptr [00402030h]
                                                                              jmp dword ptr [00402034h]
                                                                              jmp dword ptr [00402038h]
                                                                              jmp dword ptr [0040203Ch]
                                                                              jmp dword ptr [00402040h]
                                                                              jmp dword ptr [00402044h]
                                                                              jmp dword ptr [00402048h]
                                                                              jmp dword ptr [0040204Ch]
                                                                              jmp dword ptr [00402050h]
                                                                              jmp dword ptr [00402054h]
                                                                              jmp dword ptr [00402058h]
                                                                              jmp dword ptr [00402000h]

                                                                              Data Directories

                                                                              NameVirtual AddressVirtual Size Is in Section
                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x20bc0x50.rdata
                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x110000x40c3c4.rsrc
                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000xbc.rdata
                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                              Sections

                                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                              .text0x10000xc260xe00a941ede160cf12509be8dd37ae2b6a57False0.47935267857142855data5.1463325678068115IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                              .rdata0x20000x4c00x600930587e8eece4537e4be6a4476dc03faFalse0.4055989583333333data4.212357479426224IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .data0x30000xd6f00x6007f95694b637a8e9d84e496462c4af938False0.16927083333333334data1.7255508052001818IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                              .rsrc0x110000x40c3c40x40c400b2ce3025927e0a54e75d30501c6ee542unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                                              Resources

                                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                              IMAGE0x1119c0x42PC bitmap, Windows 3.x format, 1 x 1 x 1, image size 4, cbSize 66, bits offset 62EnglishUnited States0.5151515151515151
                                                                              RT_RCDATA0x111e00x1f82b0data0.9877729415893555
                                                                              RT_RCDATA0x2094900x6073adata0.9847949456546501
                                                                              RT_RCDATA0x269bcc0x1430efdata0.9925355911254883
                                                                              RT_RCDATA0x3accbc0x38034data0.9903281203689175
                                                                              RT_RCDATA0x3e4cf00x38564data0.9889970358300543
                                                                              RT_RCDATA0x41d2540x16ddata0.8

                                                                              Imports

                                                                              DLLImport
                                                                              shlwapi.dllPathFindFileNameA
                                                                              kernel32.dllLockResource, lstrlenA, CloseHandle, CreateFileA, ExitProcess, FindResourceA, FreeResource, GetCommandLineA, GetEnvironmentVariableA, GetFileSize, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetProcessHeap, GetSystemDirectoryA, GetTempPathA, GetWindowsDirectoryA, GlobalAlloc, GlobalFree, HeapAlloc, HeapFree, LoadLibraryA, LoadResource, lstrcpynA, RtlMoveMemory, SetFileAttributesA, SizeofResource, WriteFile, lstrcatA, lstrcpyA
                                                                              user32.dllCreateWindowExA, DefWindowProcA, DispatchMessageA, GetMessageA, LoadCursorA, LoadIconA, MessageBoxA, PostQuitMessage, RegisterClassExA, SendMessageA, ShowWindow, TranslateMessage, UpdateWindow

                                                                              Possible Origin

                                                                              Language of compilation systemCountry where language is spokenMap
                                                                              EnglishUnited States

                                                                              Network Behavior

                                                                              Suricata IDS Alerts

                                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                              2024-09-06T14:34:02.550556+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.549708208.95.112.180TCP
                                                                              2024-09-06T14:34:03.347322+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.549709208.95.112.180TCP

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Sep 6, 2024 14:33:58.996768951 CEST49704443192.168.2.5104.26.12.205
                                                                              Sep 6, 2024 14:33:58.996793032 CEST44349704104.26.12.205192.168.2.5
                                                                              Sep 6, 2024 14:33:58.996911049 CEST49704443192.168.2.5104.26.12.205
                                                                              Sep 6, 2024 14:33:59.116036892 CEST49704443192.168.2.5104.26.12.205
                                                                              Sep 6, 2024 14:33:59.116058111 CEST44349704104.26.12.205192.168.2.5
                                                                              Sep 6, 2024 14:33:59.581093073 CEST44349704104.26.12.205192.168.2.5
                                                                              Sep 6, 2024 14:33:59.581188917 CEST49704443192.168.2.5104.26.12.205
                                                                              Sep 6, 2024 14:33:59.600332022 CEST49704443192.168.2.5104.26.12.205
                                                                              Sep 6, 2024 14:33:59.600349903 CEST44349704104.26.12.205192.168.2.5
                                                                              Sep 6, 2024 14:33:59.600694895 CEST44349704104.26.12.205192.168.2.5
                                                                              Sep 6, 2024 14:33:59.644192934 CEST49704443192.168.2.5104.26.12.205
                                                                              Sep 6, 2024 14:33:59.662476063 CEST49704443192.168.2.5104.26.12.205
                                                                              Sep 6, 2024 14:33:59.704495907 CEST44349704104.26.12.205192.168.2.5
                                                                              Sep 6, 2024 14:33:59.769922972 CEST44349704104.26.12.205192.168.2.5
                                                                              Sep 6, 2024 14:33:59.769989967 CEST44349704104.26.12.205192.168.2.5
                                                                              Sep 6, 2024 14:33:59.770096064 CEST49704443192.168.2.5104.26.12.205
                                                                              Sep 6, 2024 14:33:59.787197113 CEST49704443192.168.2.5104.26.12.205
                                                                              Sep 6, 2024 14:34:00.069344044 CEST49705443192.168.2.5188.114.96.3
                                                                              Sep 6, 2024 14:34:00.069385052 CEST44349705188.114.96.3192.168.2.5
                                                                              Sep 6, 2024 14:34:00.069453955 CEST49705443192.168.2.5188.114.96.3
                                                                              Sep 6, 2024 14:34:00.069756985 CEST49705443192.168.2.5188.114.96.3
                                                                              Sep 6, 2024 14:34:00.069772959 CEST44349705188.114.96.3192.168.2.5
                                                                              Sep 6, 2024 14:34:00.387135983 CEST4970680192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:00.391943932 CEST8049706208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:00.392025948 CEST4970680192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:00.392141104 CEST4970680192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:00.396996975 CEST8049706208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:00.541480064 CEST44349705188.114.96.3192.168.2.5
                                                                              Sep 6, 2024 14:34:00.541544914 CEST49705443192.168.2.5188.114.96.3
                                                                              Sep 6, 2024 14:34:00.544565916 CEST49705443192.168.2.5188.114.96.3
                                                                              Sep 6, 2024 14:34:00.544579983 CEST44349705188.114.96.3192.168.2.5
                                                                              Sep 6, 2024 14:34:00.544841051 CEST44349705188.114.96.3192.168.2.5
                                                                              Sep 6, 2024 14:34:00.545640945 CEST49705443192.168.2.5188.114.96.3
                                                                              Sep 6, 2024 14:34:00.592500925 CEST44349705188.114.96.3192.168.2.5
                                                                              Sep 6, 2024 14:34:00.685508013 CEST44349705188.114.96.3192.168.2.5
                                                                              Sep 6, 2024 14:34:00.685575008 CEST44349705188.114.96.3192.168.2.5
                                                                              Sep 6, 2024 14:34:00.685713053 CEST49705443192.168.2.5188.114.96.3
                                                                              Sep 6, 2024 14:34:00.686265945 CEST49705443192.168.2.5188.114.96.3
                                                                              Sep 6, 2024 14:34:00.698864937 CEST49707443192.168.2.5172.67.209.71
                                                                              Sep 6, 2024 14:34:00.698898077 CEST44349707172.67.209.71192.168.2.5
                                                                              Sep 6, 2024 14:34:00.699012041 CEST49707443192.168.2.5172.67.209.71
                                                                              Sep 6, 2024 14:34:00.699419975 CEST49707443192.168.2.5172.67.209.71
                                                                              Sep 6, 2024 14:34:00.699433088 CEST44349707172.67.209.71192.168.2.5
                                                                              Sep 6, 2024 14:34:00.846251011 CEST8049706208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:00.894213915 CEST4970680192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:01.162010908 CEST44349707172.67.209.71192.168.2.5
                                                                              Sep 6, 2024 14:34:01.162239075 CEST49707443192.168.2.5172.67.209.71
                                                                              Sep 6, 2024 14:34:01.164366961 CEST49707443192.168.2.5172.67.209.71
                                                                              Sep 6, 2024 14:34:01.164376020 CEST44349707172.67.209.71192.168.2.5
                                                                              Sep 6, 2024 14:34:01.164750099 CEST44349707172.67.209.71192.168.2.5
                                                                              Sep 6, 2024 14:34:01.170758963 CEST49707443192.168.2.5172.67.209.71
                                                                              Sep 6, 2024 14:34:01.212505102 CEST44349707172.67.209.71192.168.2.5
                                                                              Sep 6, 2024 14:34:01.300086975 CEST44349707172.67.209.71192.168.2.5
                                                                              Sep 6, 2024 14:34:01.300131083 CEST44349707172.67.209.71192.168.2.5
                                                                              Sep 6, 2024 14:34:01.300159931 CEST44349707172.67.209.71192.168.2.5
                                                                              Sep 6, 2024 14:34:01.300196886 CEST49707443192.168.2.5172.67.209.71
                                                                              Sep 6, 2024 14:34:01.300209045 CEST44349707172.67.209.71192.168.2.5
                                                                              Sep 6, 2024 14:34:01.300256968 CEST44349707172.67.209.71192.168.2.5
                                                                              Sep 6, 2024 14:34:01.300259113 CEST49707443192.168.2.5172.67.209.71
                                                                              Sep 6, 2024 14:34:01.300318956 CEST49707443192.168.2.5172.67.209.71
                                                                              Sep 6, 2024 14:34:01.313349009 CEST49707443192.168.2.5172.67.209.71
                                                                              Sep 6, 2024 14:34:02.042354107 CEST4970680192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:02.043133974 CEST4970880192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:02.048522949 CEST8049708208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:02.048614979 CEST4970880192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:02.048696041 CEST4970880192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:02.049000978 CEST8049706208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:02.049057007 CEST4970680192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:02.053905010 CEST8049708208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:02.505902052 CEST8049708208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:02.550555944 CEST4970880192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:02.726943970 CEST4970980192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:02.732067108 CEST8049709208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:02.732144117 CEST4970980192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:02.732243061 CEST4970980192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:02.737023115 CEST8049709208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:03.189901114 CEST8049709208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:03.191498041 CEST4970980192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:03.196399927 CEST8049709208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:03.293822050 CEST8049709208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:03.347321987 CEST4970980192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:03.502820969 CEST4970880192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:03.661248922 CEST4970980192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:03.662128925 CEST4971080192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:03.666239977 CEST8049709208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:03.666301966 CEST4970980192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:03.666944027 CEST8049710208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:03.667016029 CEST4971080192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:03.667151928 CEST4971080192.168.2.5208.95.112.1
                                                                              Sep 6, 2024 14:34:03.671902895 CEST8049710208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:04.145308971 CEST8049710208.95.112.1192.168.2.5
                                                                              Sep 6, 2024 14:34:04.187467098 CEST4971080192.168.2.5208.95.112.1

                                                                              UDP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Sep 6, 2024 14:33:58.973767042 CEST6447253192.168.2.51.1.1.1
                                                                              Sep 6, 2024 14:33:58.981106043 CEST53644721.1.1.1192.168.2.5
                                                                              Sep 6, 2024 14:34:00.059468031 CEST6497053192.168.2.51.1.1.1
                                                                              Sep 6, 2024 14:34:00.066984892 CEST53649701.1.1.1192.168.2.5
                                                                              Sep 6, 2024 14:34:00.376902103 CEST6335853192.168.2.51.1.1.1
                                                                              Sep 6, 2024 14:34:00.383877039 CEST53633581.1.1.1192.168.2.5
                                                                              Sep 6, 2024 14:34:00.687727928 CEST5573453192.168.2.51.1.1.1
                                                                              Sep 6, 2024 14:34:00.698115110 CEST53557341.1.1.1192.168.2.5

                                                                              DNS Queries

                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                              Sep 6, 2024 14:33:58.973767042 CEST192.168.2.51.1.1.10xe902Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:34:00.059468031 CEST192.168.2.51.1.1.10x3717Standard query (0)freegeoip.appA (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:34:00.376902103 CEST192.168.2.51.1.1.10x16b2Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:34:00.687727928 CEST192.168.2.51.1.1.10xf166Standard query (0)ipbase.comA (IP address)IN (0x0001)false

                                                                              DNS Answers

                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                              Sep 6, 2024 14:33:58.981106043 CEST1.1.1.1192.168.2.50xe902No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:33:58.981106043 CEST1.1.1.1192.168.2.50xe902No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:33:58.981106043 CEST1.1.1.1192.168.2.50xe902No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:34:00.066984892 CEST1.1.1.1192.168.2.50x3717No error (0)freegeoip.app188.114.96.3A (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:34:00.066984892 CEST1.1.1.1192.168.2.50x3717No error (0)freegeoip.app188.114.97.3A (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:34:00.383877039 CEST1.1.1.1192.168.2.50x16b2No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:34:00.698115110 CEST1.1.1.1192.168.2.50xf166No error (0)ipbase.com172.67.209.71A (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:34:00.698115110 CEST1.1.1.1192.168.2.50xf166No error (0)ipbase.com104.21.85.189A (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:34:14.489645958 CEST1.1.1.1192.168.2.50x7d5dNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                                              Sep 6, 2024 14:34:14.489645958 CEST1.1.1.1192.168.2.50x7d5dNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false

                                                                              HTTP Request Dependency Graph

                                                                              • api.ipify.org
                                                                              • freegeoip.app
                                                                              • ipbase.com
                                                                              • ip-api.com

                                                                              HTTP Packets

                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              0192.168.2.549706208.95.112.1802124C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Sep 6, 2024 14:34:00.392141104 CEST63OUTGET /xml HTTP/1.1
                                                                              Host: ip-api.com
                                                                              Connection: Keep-Alive
                                                                              Sep 6, 2024 14:34:00.846251011 CEST641INHTTP/1.1 200 OK
                                                                              Date: Fri, 06 Sep 2024 12:34:00 GMT
                                                                              Content-Type: application/xml; charset=utf-8
                                                                              Content-Length: 465
                                                                              Access-Control-Allow-Origin: *
                                                                              X-Ttl: 60
                                                                              X-Rl: 44
                                                                              Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED]
                                                                              Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              1192.168.2.549708208.95.112.1802124C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Sep 6, 2024 14:34:02.048696041 CEST39OUTGET /xml HTTP/1.1
                                                                              Host: ip-api.com
                                                                              Sep 6, 2024 14:34:02.505902052 CEST641INHTTP/1.1 200 OK
                                                                              Date: Fri, 06 Sep 2024 12:34:01 GMT
                                                                              Content-Type: application/xml; charset=utf-8
                                                                              Content-Length: 465
                                                                              Access-Control-Allow-Origin: *
                                                                              X-Ttl: 58
                                                                              X-Rl: 43
                                                                              Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED]
                                                                              Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              2192.168.2.549709208.95.112.1802124C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Sep 6, 2024 14:34:02.732243061 CEST63OUTGET /xml HTTP/1.1
                                                                              Host: ip-api.com
                                                                              Connection: Keep-Alive
                                                                              Sep 6, 2024 14:34:03.189901114 CEST641INHTTP/1.1 200 OK
                                                                              Date: Fri, 06 Sep 2024 12:34:02 GMT
                                                                              Content-Type: application/xml; charset=utf-8
                                                                              Content-Length: 465
                                                                              Access-Control-Allow-Origin: *
                                                                              X-Ttl: 57
                                                                              X-Rl: 42
                                                                              Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED]
                                                                              Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>
                                                                              Sep 6, 2024 14:34:03.191498041 CEST52OUTGET /json/8.46.123.33 HTTP/1.1
                                                                              Host: ip-api.com
                                                                              Sep 6, 2024 14:34:03.293822050 CEST482INHTTP/1.1 200 OK
                                                                              Date: Fri, 06 Sep 2024 12:34:02 GMT
                                                                              Content-Type: application/json; charset=utf-8
                                                                              Content-Length: 305
                                                                              Access-Control-Allow-Origin: *
                                                                              X-Ttl: 57
                                                                              X-Rl: 41
                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                                                              Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              3192.168.2.549710208.95.112.1802124C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Sep 6, 2024 14:34:03.667151928 CEST76OUTGET /json/8.46.123.33 HTTP/1.1
                                                                              Host: ip-api.com
                                                                              Connection: Keep-Alive
                                                                              Sep 6, 2024 14:34:04.145308971 CEST482INHTTP/1.1 200 OK
                                                                              Date: Fri, 06 Sep 2024 12:34:03 GMT
                                                                              Content-Type: application/json; charset=utf-8
                                                                              Content-Length: 305
                                                                              Access-Control-Allow-Origin: *
                                                                              X-Ttl: 56
                                                                              X-Rl: 40
                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                                                              Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}


                                                                              HTTPS Proxied Packets

                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              0192.168.2.549704104.26.12.2054432124C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-09-06 12:33:59 UTC63OUTGET / HTTP/1.1
                                                                              Host: api.ipify.org
                                                                              Connection: Keep-Alive
                                                                              2024-09-06 12:33:59 UTC211INHTTP/1.1 200 OK
                                                                              Date: Fri, 06 Sep 2024 12:33:59 GMT
                                                                              Content-Type: text/plain
                                                                              Content-Length: 11
                                                                              Connection: close
                                                                              Vary: Origin
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Server: cloudflare
                                                                              CF-RAY: 8bee7d9c3dd46a56-EWR
                                                                              2024-09-06 12:33:59 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                                              Data Ascii: 8.46.123.33


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              1192.168.2.549705188.114.96.34432124C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-09-06 12:34:00 UTC67OUTGET /xml/ HTTP/1.1
                                                                              Host: freegeoip.app
                                                                              Connection: Keep-Alive
                                                                              2024-09-06 12:34:00 UTC645INHTTP/1.1 301 Moved Permanently
                                                                              Date: Fri, 06 Sep 2024 12:34:00 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 167
                                                                              Connection: close
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Fri, 06 Sep 2024 13:34:00 GMT
                                                                              Location: https://ipbase.com/xml/
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UJYcRVBfoehxYZeRv9TkxxHxXAXSiWsO5J5SX6I5BYsx0tKpmEy%2FVr%2Bj%2B7kFd0FH6ic%2Bt4MtyIFOm23OqL1KYafY2KFGPGFyV7I%2B%2BBwWhnguPdkY9OQ0cGOe2m7HDT9Q"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8bee7da1eeac42fd-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              2024-09-06 12:34:00 UTC167INData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              2192.168.2.549707172.67.209.714432124C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-09-06 12:34:01 UTC64OUTGET /xml/ HTTP/1.1
                                                                              Host: ipbase.com
                                                                              Connection: Keep-Alive
                                                                              2024-09-06 12:34:01 UTC741INHTTP/1.1 404 Not Found
                                                                              Date: Fri, 06 Sep 2024 12:34:01 GMT
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Age: 23011
                                                                              Cache-Control: public,max-age=0,must-revalidate
                                                                              Cache-Status: "Netlify Edge"; hit
                                                                              Vary: Accept-Encoding
                                                                              X-Nf-Request-Id: 01J73N7GWZFYP5KNG170E4X5GV
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i2yrX%2B5n6UR9kdGMCi4AF12payaGG%2FA%2Fc4VQmUoZDEY0Qayg9xesyFHNxZDLLy8%2Fph1xhuGVOuiCtIY%2Ffjf%2F8TuB2qUtJU2SrPM6zckIbb7PojDSEgByCE5kTe0m"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8bee7da5aaed435b-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              2024-09-06 12:34:01 UTC628INData Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
                                                                              Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                                                              2024-09-06 12:34:01 UTC1369INData Raw: 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69
                                                                              Data Ascii: adding: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; hei
                                                                              2024-09-06 12:34:01 UTC1092INData Raw: 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37
                                                                              Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7
                                                                              2024-09-06 12:34:01 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Statistics

                                                                              CPU Usage

                                                                              Click to jump to process

                                                                              Memory Usage

                                                                              Click to jump to process

                                                                              High Level Behavior Distribution

                                                                              Click to dive into process behavior distribution

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              General

                                                                              Target ID:0
                                                                              Start time:08:33:57
                                                                              Start date:06/09/2024
                                                                              Path:C:\Users\user\Desktop\External.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\External.exe"
                                                                              Imagebase:0x400000
                                                                              File size:4'252'160 bytes
                                                                              MD5 hash:7B9641ED9EC61B9373A59BF5A2F03D72
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000003.2036894159.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:2
                                                                              Start time:08:33:57
                                                                              Start date:06/09/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\windows.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\windows.exe"
                                                                              Imagebase:0x2a583810000
                                                                              File size:405'504 bytes
                                                                              MD5 hash:CFCF2DF87DD10EDFF1E1B2BE2E811236
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2095840397.000002A58565B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000002.00000002.2095840397.000002A58565B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                              • Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000002.00000000.2037525173.000002A583812000.00000002.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                              • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: Joe Security
                                                                              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: ditekSHen
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: ditekSHen
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: ditekSHen
                                                                              • Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\windows.exe, Author: ditekSHen
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Avira
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 66%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Disassembly

                                                                              Reset < >

                                                                                Execution Graph

                                                                                Execution Coverage:83.7%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:40%
                                                                                Total number of Nodes:5
                                                                                Total number of Limit Nodes:1

                                                                                Callgraph

                                                                                • Executed
                                                                                • Not Executed
                                                                                • Opacity -> Relevance
                                                                                • Disassembly available
                                                                                callgraph 0 Function_00401000 1 Function_00401AE1 1->0

                                                                                Executed Functions

                                                                                Function 00401AE1 Relevance: 6.0, APIs: 4, Instructions: 16memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCommandLineA.KERNEL32 ref: 00401AE1
                                                                                • GetModuleHandleA.KERNEL32(00000000), ref: 00401AED
                                                                                • GetProcessHeap.KERNEL32(00000000), ref: 00401AF7
                                                                                  • Part of subcall function 00401000: LoadIconA.USER32(00403000,000001F4), ref: 0040104C
                                                                                  • Part of subcall function 00401000: LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
                                                                                  • Part of subcall function 00401000: RegisterClassExA.USER32(00000030), ref: 0040106E
                                                                                  • Part of subcall function 00401000: CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
                                                                                  • Part of subcall function 00401000: ShowWindow.USER32(00000001,?), ref: 004010BC
                                                                                  • Part of subcall function 00401000: UpdateWindow.USER32(00000001), ref: 004010C7
                                                                                  • Part of subcall function 00401000: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
                                                                                  • Part of subcall function 00401000: TranslateMessage.USER32(?), ref: 004010E4
                                                                                  • Part of subcall function 00401000: DispatchMessageA.USER32(?), ref: 004010ED
                                                                                • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2037785343.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2037770140.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2037799964.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2037815436.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2037815436.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2037848511.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2038118367.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_External.jbxd
                                                                                Similarity
                                                                                • API ID: MessageWindow$LoadProcess$ClassCommandCreateCursorDispatchExitHandleHeapIconLineModuleRegisterShowTranslateUpdate
                                                                                • String ID:
                                                                                • API String ID: 673778540-0
                                                                                • Opcode ID: bf6d8b6f60bdcb853f7381a7d85681237ca7f04d2f73d170e19a7b203482a8eb
                                                                                • Instruction ID: 8601b60a343ef63eca695c0712cadf30932154ab05066af7af19716e0146d46f
                                                                                • Opcode Fuzzy Hash: bf6d8b6f60bdcb853f7381a7d85681237ca7f04d2f73d170e19a7b203482a8eb
                                                                                • Instruction Fuzzy Hash: 72E06774959300AAE7217F71AE06B143E74E70474BF10407BF6157A1F6EB786A10AB1D
                                                                                Function 00401000 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 67windowregistryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • LoadIconA.USER32(00403000,000001F4), ref: 0040104C
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
                                                                                • RegisterClassExA.USER32(00000030), ref: 0040106E
                                                                                • CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
                                                                                • ShowWindow.USER32(00000001,?), ref: 004010BC
                                                                                • UpdateWindow.USER32(00000001), ref: 004010C7
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
                                                                                • TranslateMessage.USER32(?), ref: 004010E4
                                                                                • DispatchMessageA.USER32(?), ref: 004010ED
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2037785343.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2037770140.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2037799964.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2037815436.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2037815436.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2037848511.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2038118367.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_External.jbxd
                                                                                Similarity
                                                                                • API ID: MessageWindow$Load$ClassCreateCursorDispatchIconRegisterShowTranslateUpdate
                                                                                • String ID: 0$WinClass32
                                                                                • API String ID: 282685165-2329282442
                                                                                • Opcode ID: 286dd39defc53bc53642eb2300d05e627e30782ba9ed8b70d4df91332c1cf868
                                                                                • Instruction ID: db64ee9f6a3c3da8bd2a7b60d0102d68ead382408d30bf1f106ff4c9428f50ce
                                                                                • Opcode Fuzzy Hash: 286dd39defc53bc53642eb2300d05e627e30782ba9ed8b70d4df91332c1cf868
                                                                                • Instruction Fuzzy Hash: F7213C70D44248AAEF11DFD0CD46BDDBFB8AB04708F20802AF600BA1E5D7B966459B5C

                                                                                Execution Graph

                                                                                Execution Coverage:6.9%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:8.1%
                                                                                Total number of Nodes:595
                                                                                Total number of Limit Nodes:56
                                                                                execution_graph 106828 7ff8a33b2a60 106829 7ff8a33b2a81 106828->106829 106832 7ff8a33b2a86 _raise_excf 106828->106832 106842 7ff8a33903a0 106829->106842 106831 7ff8a33b2a8a 106832->106831 106833 7ff8a33b2b71 106832->106833 106838 7ff8a33b2b5e 106832->106838 106846 7ff8a3390c40 8 API calls 106832->106846 106834 7ff8a33b2bb8 106833->106834 106835 7ff8a33b2bce 106833->106835 106840 7ff8a33b2b75 106833->106840 106848 7ff8a340e350 8 API calls 3 library calls 106834->106848 106849 7ff8a340e350 8 API calls 3 library calls 106835->106849 106838->106833 106847 7ff8a3374e90 8 API calls 2 library calls 106838->106847 106843 7ff8a33903b9 106842->106843 106845 7ff8a33903c5 106842->106845 106850 7ff8a3390410 106843->106850 106845->106832 106846->106838 106847->106833 106848->106840 106849->106840 106851 7ff8a339044c 106850->106851 106854 7ff8a3390459 106850->106854 106856 7ff8a33904e0 106851->106856 106853 7ff8a33904ad 106853->106845 106854->106853 106855 7ff8a33904e0 _raise_excf 10 API calls 106854->106855 106855->106854 106886 7ff8a33908a0 106856->106886 106858 7ff8a33905c1 106955 7ff8a32c11f0 106858->106955 106860 7ff8a3390598 _raise_excf 106860->106858 106868 7ff8a3390627 _raise_excf 106860->106868 106870 7ff8a3390622 _raise_excf 106860->106870 106913 7ff8a33f4130 106860->106913 106861 7ff8a339085c 106954 7ff8a33b1f90 8 API calls 3 library calls 106861->106954 106866 7ff8a3390606 106867 7ff8a339060d _raise_excf 106866->106867 106866->106868 106947 7ff8a3411f20 8 API calls 3 library calls 106867->106947 106871 7ff8a33906d4 106868->106871 106872 7ff8a339068d _raise_excf 106868->106872 106870->106858 106870->106861 106953 7ff8a3411e80 8 API calls _raise_excf 106870->106953 106948 7ff8a3411f20 8 API calls 3 library calls 106871->106948 106874 7ff8a3390746 106872->106874 106875 7ff8a339072e 106872->106875 106921 7ff8a340fb40 106874->106921 106949 7ff8a3411f20 8 API calls 3 library calls 106875->106949 106881 7ff8a33907d9 106884 7ff8a33906e7 106881->106884 106951 7ff8a33b1ea0 8 API calls 3 library calls 106881->106951 106882 7ff8a33907ad _raise_excf 106882->106881 106950 7ff8a33b4f90 10 API calls 3 library calls 106882->106950 106884->106870 106952 7ff8a33f31c0 8 API calls _raise_excf 106884->106952 106887 7ff8a33908c2 106886->106887 106897 7ff8a3390abf 106886->106897 106888 7ff8a33908e3 106887->106888 106889 7ff8a33908cb 106887->106889 106890 7ff8a33908ea 106888->106890 106891 7ff8a33908ff 106888->106891 107004 7ff8a3390b20 8 API calls _raise_excf 106889->107004 107005 7ff8a3390b20 8 API calls _raise_excf 106890->107005 106898 7ff8a3390933 _raise_excf 106891->106898 106904 7ff8a3390a3a _raise_excf 106891->106904 106894 7ff8a33908d6 106894->106860 106895 7ff8a33908f5 106895->106860 106897->106860 106899 7ff8a3390985 106898->106899 107006 7ff8a3390b20 8 API calls _raise_excf 106898->107006 106964 7ff8a338f820 106899->106964 106902 7ff8a33909f2 106991 7ff8a33de580 106902->106991 106904->106897 107010 7ff8a3390b20 8 API calls _raise_excf 106904->107010 106905 7ff8a3390a2b 106905->106860 106907 7ff8a33909f4 106907->106902 107008 7ff8a33508a0 8 API calls 2 library calls 106907->107008 106908 7ff8a33909ea 107007 7ff8a3411e80 8 API calls _raise_excf 106908->107007 106911 7ff8a3390a05 107009 7ff8a3390b20 8 API calls _raise_excf 106911->107009 106914 7ff8a33f416b _raise_excf 106913->106914 106915 7ff8a33f41bf _raise_excf 106914->106915 106917 7ff8a33f4352 106914->106917 107121 7ff8a33f4610 106914->107121 107128 7ff8a33f44d0 8 API calls _raise_excf 106914->107128 107129 7ff8a34017b0 8 API calls 2 library calls 106914->107129 106915->106866 106917->106915 107130 7ff8a33fd730 8 API calls _raise_excf 106917->107130 107169 7ff8a340fb70 106921->107169 106924 7ff8a33968b0 106925 7ff8a33968e2 106924->106925 106926 7ff8a33968d9 106924->106926 106925->106926 106941 7ff8a339694d Concurrency::details::SchedulerProxy::DeleteThis _DeleteExceptionPtr _raise_excf 106925->106941 107222 7ff8a340f830 8 API calls __swprintf_l 106926->107222 106928 7ff8a3396911 107223 7ff8a340f830 8 API calls __swprintf_l 106928->107223 106930 7ff8a339693b 106930->106882 106933 7ff8a3396c65 106935 7ff8a33e0e90 _raise_excf 10 API calls 106933->106935 106936 7ff8a3396c7e _DeleteExceptionPtr _raise_excf 106933->106936 106935->106936 106937 7ff8a3396dc9 memcpy_s _raise_excf 106936->106937 107227 7ff8a33508a0 8 API calls 2 library calls 106936->107227 106937->106882 106938 7ff8a3412400 _raise_excf 8 API calls 106938->106941 106939 7ff8a33e0e90 _raise_excf 10 API calls 106939->106941 106941->106933 106941->106936 106941->106938 106941->106939 106942 7ff8a3396c67 106941->106942 106945 7ff8a3396c55 106941->106945 107190 7ff8a338f650 106941->107190 107202 7ff8a33dd370 106941->107202 107224 7ff8a33dc530 8 API calls 2 library calls 106941->107224 107225 7ff8a33dc7c0 8 API calls _raise_excf 106941->107225 106942->106936 106944 7ff8a33e0e90 _raise_excf 10 API calls 106942->106944 106944->106936 107226 7ff8a3411e80 8 API calls _raise_excf 106945->107226 106947->106870 106948->106884 106949->106884 106950->106881 106951->106884 106952->106870 106953->106861 106954->106858 106956 7ff8a32c11fa 106955->106956 106957 7ff8a32c1248 IsProcessorFeaturePresent 106956->106957 106958 7ff8a32c1206 106956->106958 106959 7ff8a32c125f 106957->106959 106958->106854 107265 7ff8a32c143c RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 106959->107265 106961 7ff8a32c1272 107266 7ff8a32c1214 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 106961->107266 106965 7ff8a338f88a memcpy_s 106964->106965 106973 7ff8a338f8d2 _raise_excf 106965->106973 107026 7ff8a340e350 8 API calls 3 library calls 106965->107026 106967 7ff8a338fa4b 107014 7ff8a3354b70 106967->107014 106968 7ff8a338f928 _raise_excf 106968->106967 106969 7ff8a338f995 106968->106969 106971 7ff8a338f9eb 106969->106971 106972 7ff8a338f99e 106969->106972 106987 7ff8a338fa24 _raise_excf 106971->106987 107011 7ff8a3412400 106971->107011 107027 7ff8a340e4b0 8 API calls _raise_excf 106972->107027 106973->106968 106976 7ff8a338f9c6 106973->106976 107028 7ff8a340e4b0 8 API calls _raise_excf 106976->107028 106979 7ff8a338fa8b 106982 7ff8a338fa91 106979->106982 106990 7ff8a338f9b2 _DeleteExceptionPtr _raise_excf 106979->106990 107030 7ff8a3390070 8 API calls _raise_excf 106979->107030 106980 7ff8a338faef _raise_excf 106980->106990 107037 7ff8a340e4b0 8 API calls _raise_excf 106980->107037 106981 7ff8a338f9fc memcpy_s 106984 7ff8a3354b70 _raise_excf 8 API calls 106981->106984 106981->106987 106982->106980 107031 7ff8a33e0e90 106982->107031 106984->106987 106986 7ff8a32c11f0 _handle_error 8 API calls 106989 7ff8a338fc86 106986->106989 106987->106979 107029 7ff8a33e54b0 8 API calls 2 library calls 106987->107029 106989->106902 106989->106907 106989->106908 106990->106986 106992 7ff8a33de592 106991->106992 106993 7ff8a33de59f 106991->106993 106992->106905 106994 7ff8a33de5a7 106993->106994 106999 7ff8a33de5ec _raise_excf 106993->106999 107064 7ff8a340f830 8 API calls __swprintf_l 106994->107064 106996 7ff8a33de5b6 107065 7ff8a340f830 8 API calls __swprintf_l 106996->107065 106997 7ff8a33e0e90 _raise_excf 10 API calls 107001 7ff8a33de61d _raise_excf 106997->107001 106999->106997 107000 7ff8a33de5de 107000->106905 107056 7ff8a3352650 107001->107056 107003 7ff8a33de649 107003->106905 107004->106894 107005->106895 107006->106899 107007->106902 107008->106911 107009->106902 107010->106897 107012 7ff8a3412430 107011->107012 107038 7ff8a3411e80 8 API calls _raise_excf 107012->107038 107017 7ff8a3354bc9 _raise_excf 107014->107017 107015 7ff8a3354dc9 _raise_excf 107021 7ff8a340fb40 _raise_excf 8 API calls 107015->107021 107023 7ff8a3354ec9 107015->107023 107025 7ff8a3354ee7 Concurrency::details::SchedulerProxy::DeleteThis _DeleteExceptionPtr _raise_excf 107015->107025 107017->107015 107019 7ff8a3354dab 107017->107019 107039 7ff8a3355c00 107017->107039 107049 7ff8a340e350 8 API calls 3 library calls 107019->107049 107021->107023 107022 7ff8a32c11f0 _handle_error 8 API calls 107024 7ff8a3354fe1 107022->107024 107050 7ff8a340f830 8 API calls __swprintf_l 107023->107050 107024->106987 107025->107022 107026->106973 107027->106990 107028->106990 107029->106979 107030->106982 107032 7ff8a33e0eae 107031->107032 107033 7ff8a33e0ea9 107031->107033 107036 7ff8a33e0ec8 Concurrency::details::SchedulerProxy::DeleteThis _DeleteExceptionPtr 107032->107036 107055 7ff8a33e0f80 8 API calls _raise_excf 107032->107055 107054 7ff8a33e1070 10 API calls _raise_excf 107033->107054 107036->106980 107037->106990 107046 7ff8a3355c32 _raise_excf 107039->107046 107040 7ff8a3355ce9 107042 7ff8a3355d2a 107040->107042 107043 7ff8a3355d17 107040->107043 107048 7ff8a3355cbf _raise_excf 107040->107048 107041 7ff8a3355ca1 107041->107048 107051 7ff8a3359240 8 API calls _raise_excf 107041->107051 107053 7ff8a340e350 8 API calls 3 library calls 107042->107053 107052 7ff8a340e350 8 API calls 3 library calls 107043->107052 107046->107040 107046->107041 107048->107017 107049->107015 107050->107025 107051->107048 107052->107048 107053->107048 107054->107032 107055->107036 107057 7ff8a3352665 107056->107057 107063 7ff8a3352723 _DeleteExceptionPtr _raise_excf 107056->107063 107057->107063 107066 7ff8a33524e0 107057->107066 107059 7ff8a3352711 107059->107063 107080 7ff8a33a7630 107059->107080 107062 7ff8a33526c2 _raise_excf 107062->107059 107072 7ff8a33f4ea0 107062->107072 107063->107003 107064->106996 107065->107000 107067 7ff8a335250f _raise_excf 107066->107067 107069 7ff8a335257f _raise_excf 107067->107069 107084 7ff8a33f2ea0 107067->107084 107071 7ff8a33525e0 _raise_excf 107069->107071 107096 7ff8a33b1ea0 8 API calls 3 library calls 107069->107096 107071->107062 107073 7ff8a33f4eb7 _raise_excf 107072->107073 107074 7ff8a33f2ea0 _raise_excf 8 API calls 107073->107074 107076 7ff8a33f4ed2 _raise_excf 107074->107076 107078 7ff8a33f4f17 Concurrency::details::SchedulerProxy::DeleteThis _raise_excf 107076->107078 107106 7ff8a33ff7a0 107076->107106 107077 7ff8a33f4f03 107077->107078 107079 7ff8a33a7630 8 API calls 107077->107079 107078->107062 107079->107078 107081 7ff8a33a766e memcpy_s _raise_excf 107080->107081 107082 7ff8a32c11f0 _handle_error 8 API calls 107081->107082 107083 7ff8a33a7909 107082->107083 107083->107063 107085 7ff8a33f2ec7 _raise_excf 107084->107085 107086 7ff8a33f2ef8 107085->107086 107101 7ff8a33f7840 8 API calls _raise_excf 107085->107101 107088 7ff8a33f2f2e 107086->107088 107102 7ff8a33f3040 8 API calls _raise_excf 107086->107102 107090 7ff8a33f2fce _raise_excf 107088->107090 107103 7ff8a33fd150 8 API calls _raise_excf 107088->107103 107097 7ff8a33f32f0 107090->107097 107093 7ff8a33f2fe3 _raise_excf 107093->107067 107094 7ff8a33f2f4a _raise_excf 107094->107090 107104 7ff8a34017b0 8 API calls 2 library calls 107094->107104 107096->107071 107098 7ff8a33f3310 _raise_excf 107097->107098 107099 7ff8a33f3319 107098->107099 107105 7ff8a34017b0 8 API calls 2 library calls 107098->107105 107099->107093 107101->107086 107102->107088 107103->107094 107104->107090 107105->107099 107107 7ff8a33ff7cd _raise_excf 107106->107107 107112 7ff8a33fa1e0 107107->107112 107110 7ff8a33ff81a _raise_excf 107111 7ff8a33ff864 Concurrency::details::SchedulerProxy::DeleteThis _raise_excf 107110->107111 107118 7ff8a34017b0 8 API calls 2 library calls 107110->107118 107111->107077 107113 7ff8a33fa2c1 Concurrency::details::SchedulerProxy::DeleteThis _raise_excf 107112->107113 107114 7ff8a33fa20f 107112->107114 107113->107110 107114->107113 107119 7ff8a33f8390 8 API calls _raise_excf 107114->107119 107116 7ff8a33fa27c 107116->107113 107120 7ff8a33fa360 8 API calls __swprintf_l 107116->107120 107118->107111 107119->107116 107120->107113 107131 7ff8a33fe450 107121->107131 107123 7ff8a33f480d _raise_excf 107126 7ff8a33f4748 _raise_excf 107123->107126 107142 7ff8a34017b0 8 API calls 2 library calls 107123->107142 107125 7ff8a33f4621 _raise_excf 107125->107123 107125->107126 107141 7ff8a334ec60 8 API calls __swprintf_l 107125->107141 107126->106914 107128->106914 107129->106914 107130->106915 107132 7ff8a33fe47f _raise_excf 107131->107132 107137 7ff8a33fe618 _raise_excf 107131->107137 107134 7ff8a33fe510 _raise_excf 107132->107134 107132->107137 107138 7ff8a33fe5d3 _raise_excf 107132->107138 107147 7ff8a334ebe0 8 API calls __swprintf_l 107132->107147 107135 7ff8a32c11f0 _handle_error 8 API calls 107134->107135 107136 7ff8a33fe729 107135->107136 107136->107125 107137->107134 107143 7ff8a3400590 107137->107143 107138->107134 107138->107137 107148 7ff8a3400a20 8 API calls 2 library calls 107138->107148 107141->107123 107142->107126 107144 7ff8a34005b1 _raise_excf 107143->107144 107149 7ff8a33f9470 107144->107149 107146 7ff8a34005c2 _raise_excf 107146->107134 107147->107138 107148->107137 107153 7ff8a33f94a0 _raise_excf 107149->107153 107150 7ff8a33f9793 107150->107146 107153->107150 107154 7ff8a33f9e60 107153->107154 107164 7ff8a33f9b40 8 API calls 3 library calls 107153->107164 107155 7ff8a33f9e75 _raise_excf 107154->107155 107157 7ff8a33f9ed3 _raise_excf 107155->107157 107159 7ff8a33fa013 _raise_excf 107155->107159 107165 7ff8a33fa060 8 API calls 2 library calls 107155->107165 107161 7ff8a33f9ef0 107157->107161 107166 7ff8a33fa060 8 API calls 2 library calls 107157->107166 107159->107153 107161->107159 107168 7ff8a340f830 8 API calls __swprintf_l 107161->107168 107162 7ff8a33f9f9c 107162->107161 107167 7ff8a33fb520 8 API calls 5 library calls 107162->107167 107164->107153 107165->107157 107166->107162 107167->107161 107168->107159 107178 7ff8a3410340 107169->107178 107171 7ff8a340fbf6 107172 7ff8a340fc0f 107171->107172 107187 7ff8a3411e80 8 API calls _raise_excf 107171->107187 107173 7ff8a32c11f0 _handle_error 8 API calls 107172->107173 107176 7ff8a339077f 107173->107176 107176->106924 107179 7ff8a341038f 107178->107179 107182 7ff8a3411a01 107179->107182 107184 7ff8a341049e memcpy_s 107179->107184 107188 7ff8a3410090 8 API calls 2 library calls 107179->107188 107180 7ff8a32c11f0 _handle_error 8 API calls 107181 7ff8a340fbcc 107180->107181 107181->107171 107186 7ff8a340ff50 8 API calls 2 library calls 107181->107186 107182->107180 107184->107182 107189 7ff8a3410090 8 API calls 2 library calls 107184->107189 107186->107171 107187->107172 107188->107184 107189->107182 107191 7ff8a338f680 107190->107191 107192 7ff8a338f678 107190->107192 107193 7ff8a338f6fd 107191->107193 107195 7ff8a338f688 107191->107195 107229 7ff8a340f830 8 API calls __swprintf_l 107192->107229 107193->107192 107199 7ff8a338f702 _raise_excf 107193->107199 107228 7ff8a340f830 8 API calls __swprintf_l 107195->107228 107197 7ff8a338f6ca 107197->106941 107198 7ff8a338f820 _raise_excf 10 API calls 107198->107199 107199->107198 107201 7ff8a338f791 _raise_excf 107199->107201 107230 7ff8a33b1f90 8 API calls 3 library calls 107199->107230 107201->106941 107203 7ff8a33dd395 107202->107203 107204 7ff8a33dd384 107202->107204 107205 7ff8a33dd3ab 107203->107205 107246 7ff8a340f830 8 API calls __swprintf_l 107203->107246 107245 7ff8a340f830 8 API calls __swprintf_l 107204->107245 107208 7ff8a33dd393 107205->107208 107209 7ff8a33dd3f2 107205->107209 107247 7ff8a340f830 8 API calls __swprintf_l 107208->107247 107231 7ff8a33dd540 107209->107231 107211 7ff8a33dd3e2 107211->106941 107213 7ff8a33dd470 _raise_excf 107213->106941 107216 7ff8a33dd416 107216->107213 107217 7ff8a33dd475 107216->107217 107219 7ff8a33dd540 _raise_excf 10 API calls 107216->107219 107248 7ff8a338f580 10 API calls _raise_excf 107216->107248 107249 7ff8a33de4c0 10 API calls _raise_excf 107216->107249 107220 7ff8a33dd481 _raise_excf 107217->107220 107250 7ff8a33e6b10 8 API calls _raise_excf 107217->107250 107219->107216 107220->107213 107251 7ff8a3412130 8 API calls 2 library calls 107220->107251 107222->106928 107223->106930 107224->106941 107225->106941 107226->106933 107227->106937 107228->107192 107229->107197 107230->107199 107240 7ff8a33dd56b 107231->107240 107241 7ff8a33dd5bf _raise_excf 107231->107241 107232 7ff8a33dd635 107252 7ff8a33d2e30 107232->107252 107233 7ff8a33dd62e 107261 7ff8a33e26e0 8 API calls _raise_excf 107233->107261 107234 7ff8a33dd58e 107235 7ff8a33dd597 107234->107235 107234->107241 107244 7ff8a33dd5b8 _raise_excf 107235->107244 107260 7ff8a33e0f80 8 API calls _raise_excf 107235->107260 107240->107234 107240->107241 107259 7ff8a33de4c0 10 API calls _raise_excf 107240->107259 107241->107232 107241->107233 107242 7ff8a33dd633 _raise_excf 107242->107244 107262 7ff8a33e0f80 8 API calls _raise_excf 107242->107262 107244->107216 107245->107208 107246->107205 107247->107211 107248->107216 107249->107216 107250->107220 107251->107213 107254 7ff8a33d2eb8 _raise_excf 107252->107254 107255 7ff8a33d2f2e 107254->107255 107263 7ff8a3411e80 8 API calls _raise_excf 107254->107263 107256 7ff8a33d9e69 107264 7ff8a33e5540 8 API calls 3 library calls 107256->107264 107258 7ff8a33d9e78 107259->107240 107260->107244 107261->107242 107262->107244 107263->107256 107264->107258 107265->106961 107586 7ff8a33f19d0 107588 7ff8a33f19f3 107586->107588 107591 7ff8a33f1a47 _raise_excf 107586->107591 107589 7ff8a33f1a07 107588->107589 107588->107591 107597 7ff8a33f12b0 107588->107597 107594 7ff8a33f1a59 107591->107594 107609 7ff8a33f1f60 8 API calls 3 library calls 107591->107609 107592 7ff8a33f1bf6 107611 7ff8a340f830 8 API calls __swprintf_l 107592->107611 107595 7ff8a33f1a78 107595->107592 107595->107594 107610 7ff8a33f21f0 8 API calls __swprintf_l 107595->107610 107600 7ff8a33f12be 107597->107600 107598 7ff8a33f12df 107603 7ff8a33f12e5 107598->107603 107604 7ff8a33f1f0f 107598->107604 107612 7ff8a33f5ad0 107598->107612 107599 7ff8a33f143e 107622 7ff8a340f830 8 API calls __swprintf_l 107599->107622 107600->107597 107600->107598 107600->107599 107600->107603 107605 7ff8a33f1398 107600->107605 107620 7ff8a33f7660 8 API calls Concurrency::details::SchedulerProxy::DeleteThis 107600->107620 107603->107591 107623 7ff8a340f830 8 API calls __swprintf_l 107604->107623 107621 7ff8a33f21f0 8 API calls __swprintf_l 107605->107621 107609->107595 107610->107595 107611->107594 107613 7ff8a33f5af2 107612->107613 107614 7ff8a33f5b4f 107612->107614 107624 7ff8a340f830 8 API calls __swprintf_l 107613->107624 107616 7ff8a33f5bb0 107614->107616 107619 7ff8a33f5b1e _raise_excf 107614->107619 107625 7ff8a33f5e60 8 API calls 2 library calls 107614->107625 107616->107619 107626 7ff8a334ec60 8 API calls __swprintf_l 107616->107626 107619->107598 107620->107600 107621->107598 107622->107603 107623->107603 107624->107619 107625->107616 107626->107619 107267 7ff8a3307170 107268 7ff8a33071a0 GetCurrentProcessId 107267->107268 107269 7ff8a3307199 107267->107269 107268->107269 107270 7ff8a33071cb 107268->107270 107274 7ff8a334f350 107270->107274 107272 7ff8a33071dc 107272->107269 107326 7ff8a33077c0 8 API calls 107272->107326 107275 7ff8a334f3ba 107274->107275 107276 7ff8a334f381 107274->107276 107327 7ff8a3354220 107275->107327 107436 7ff8a340f830 8 API calls __swprintf_l 107276->107436 107279 7ff8a334f3a9 107279->107272 107280 7ff8a3350640 8 API calls 107281 7ff8a334f8d2 107280->107281 107282 7ff8a334f8ea 107281->107282 107443 7ff8a3352e40 8 API calls 2 library calls 107281->107443 107287 7ff8a334f911 Concurrency::details::SchedulerProxy::DeleteThis 107282->107287 107444 7ff8a334f960 137 API calls _handle_error 107282->107444 107283 7ff8a334f3c2 memcpy_s _raise_excf 107283->107287 107308 7ff8a334f4ca Concurrency::details::SchedulerProxy::DeleteThis _raise_excf 107283->107308 107338 7ff8a33502d0 107283->107338 107287->107272 107288 7ff8a334f5d0 107289 7ff8a33502d0 8 API calls 107288->107289 107290 7ff8a334f5ef 107289->107290 107291 7ff8a33502d0 8 API calls 107290->107291 107292 7ff8a334f60e 107291->107292 107293 7ff8a33502d0 8 API calls 107292->107293 107294 7ff8a334f638 107293->107294 107295 7ff8a33502d0 8 API calls 107294->107295 107296 7ff8a334f65f 107295->107296 107297 7ff8a334f679 107296->107297 107298 7ff8a334f685 107296->107298 107296->107308 107437 7ff8a334ec20 8 API calls __swprintf_l 107297->107437 107438 7ff8a334fb60 8 API calls 2 library calls 107298->107438 107301 7ff8a334f683 107302 7ff8a334f6cb 107301->107302 107303 7ff8a334f703 107301->107303 107305 7ff8a334f6d8 107302->107305 107439 7ff8a3411e80 8 API calls _raise_excf 107302->107439 107350 7ff8a33f5100 107303->107350 107440 7ff8a340e4b0 8 API calls _raise_excf 107305->107440 107308->107280 107309 7ff8a334f726 _raise_excf 107309->107308 107358 7ff8a33a74c0 107309->107358 107311 7ff8a334f78e _raise_excf 107312 7ff8a33a74c0 8 API calls 107311->107312 107313 7ff8a334f7d3 _raise_excf 107312->107313 107313->107308 107363 7ff8a33a1340 107313->107363 107317 7ff8a334f8ad 107323 7ff8a334f86a _raise_excf 107317->107323 107442 7ff8a3395cf0 8 API calls _raise_excf 107317->107442 107318 7ff8a334f846 107318->107317 107318->107323 107373 7ff8a331f7c0 107318->107373 107397 7ff8a3345450 107318->107397 107321 7ff8a334f8b9 107322 7ff8a3350640 8 API calls 107321->107322 107322->107323 107323->107308 107441 7ff8a3350df0 8 API calls __swprintf_l 107323->107441 107326->107269 107328 7ff8a335422d 107327->107328 107329 7ff8a3354234 _raise_excf 107327->107329 107328->107283 107331 7ff8a3354365 _raise_excf 107329->107331 107333 7ff8a335428d memcpy_s _raise_excf 107329->107333 107445 7ff8a3412f20 107329->107445 107331->107283 107332 7ff8a3354345 107332->107331 107449 7ff8a3413a10 107332->107449 107333->107331 107333->107332 107452 7ff8a3405b30 8 API calls _raise_excf 107333->107452 107336 7ff8a335435a 107336->107331 107453 7ff8a3406640 8 API calls _raise_excf 107336->107453 107339 7ff8a3350301 107338->107339 107343 7ff8a33502f9 _raise_excf 107338->107343 107340 7ff8a33504e5 107339->107340 107339->107343 107457 7ff8a340f830 8 API calls __swprintf_l 107340->107457 107342 7ff8a335050f 107342->107288 107344 7ff8a3350367 107343->107344 107349 7ff8a3350393 _raise_excf 107343->107349 107455 7ff8a340e4b0 8 API calls _raise_excf 107344->107455 107347 7ff8a335037b 107347->107288 107348 7ff8a3350439 _raise_excf 107348->107288 107349->107348 107456 7ff8a33a8060 8 API calls 2 library calls 107349->107456 107355 7ff8a33f5147 memcpy_s Concurrency::details::SchedulerProxy::DeleteThis _raise_excf 107350->107355 107351 7ff8a32c11f0 _handle_error 8 API calls 107352 7ff8a33f52e2 107351->107352 107352->107309 107354 7ff8a33ff7a0 _raise_excf 8 API calls 107357 7ff8a33f52bd Concurrency::details::SchedulerProxy::DeleteThis _raise_excf 107354->107357 107356 7ff8a33f5519 memcpy_s _raise_excf 107355->107356 107355->107357 107458 7ff8a33fe950 107355->107458 107356->107354 107356->107357 107357->107351 107359 7ff8a33a74d5 memcpy_s _raise_excf 107358->107359 107360 7ff8a33a75d3 107359->107360 107463 7ff8a3411e80 8 API calls _raise_excf 107359->107463 107360->107311 107362 7ff8a33a75c5 107362->107311 107464 7ff8a3351630 107363->107464 107365 7ff8a334f83e 107366 7ff8a3350640 107365->107366 107367 7ff8a3350649 107366->107367 107368 7ff8a33506a5 107366->107368 107367->107368 107531 7ff8a340f830 8 API calls __swprintf_l 107367->107531 107368->107318 107370 7ff8a3350671 107532 7ff8a340f830 8 API calls __swprintf_l 107370->107532 107372 7ff8a335069b 107372->107318 107374 7ff8a3351aa0 8 API calls 107373->107374 107375 7ff8a331f808 107374->107375 107376 7ff8a331fa48 107375->107376 107377 7ff8a3351aa0 8 API calls 107375->107377 107376->107318 107378 7ff8a331f852 107377->107378 107378->107376 107379 7ff8a3351aa0 8 API calls 107378->107379 107380 7ff8a331f89b 107379->107380 107380->107376 107381 7ff8a331f8a8 107380->107381 107382 7ff8a331f91a 107380->107382 107533 7ff8a340f830 8 API calls __swprintf_l 107381->107533 107535 7ff8a33773d0 8 API calls 2 library calls 107382->107535 107384 7ff8a331f8e0 107534 7ff8a340f830 8 API calls __swprintf_l 107384->107534 107387 7ff8a331f90a 107387->107318 107388 7ff8a331f94c _raise_excf 107388->107376 107389 7ff8a331f980 107388->107389 107390 7ff8a331f9e6 107388->107390 107536 7ff8a340f830 8 API calls __swprintf_l 107389->107536 107538 7ff8a33773d0 8 API calls 2 library calls 107390->107538 107393 7ff8a331f9a7 107537 7ff8a340f830 8 API calls __swprintf_l 107393->107537 107394 7ff8a331fa16 _raise_excf 107394->107318 107396 7ff8a331f9d1 107396->107318 107539 7ff8a3340dc0 107397->107539 107399 7ff8a334545e 107400 7ff8a3354220 _raise_excf 8 API calls 107399->107400 107404 7ff8a3345629 Concurrency::details::SchedulerProxy::DeleteThis 107399->107404 107401 7ff8a334547a _raise_excf 107400->107401 107401->107404 107549 7ff8a333ee10 107401->107549 107403 7ff8a33454cc 107403->107404 107405 7ff8a333ee10 8 API calls 107403->107405 107404->107318 107406 7ff8a33454ee 107405->107406 107406->107404 107407 7ff8a333ee10 8 API calls 107406->107407 107408 7ff8a3345511 107407->107408 107408->107404 107559 7ff8a333cc30 107408->107559 107411 7ff8a3351630 8 API calls 107412 7ff8a3345542 107411->107412 107412->107404 107413 7ff8a3351630 8 API calls 107412->107413 107414 7ff8a334555f 107413->107414 107414->107404 107415 7ff8a3351630 8 API calls 107414->107415 107416 7ff8a334557c 107415->107416 107416->107404 107417 7ff8a3351630 8 API calls 107416->107417 107418 7ff8a3345599 107417->107418 107418->107404 107419 7ff8a3351630 8 API calls 107418->107419 107420 7ff8a33455b6 107419->107420 107420->107404 107421 7ff8a33455c8 107420->107421 107422 7ff8a334562e 107420->107422 107564 7ff8a340f830 8 API calls __swprintf_l 107421->107564 107566 7ff8a33773d0 8 API calls 2 library calls 107422->107566 107424 7ff8a3345602 107565 7ff8a340f830 8 API calls __swprintf_l 107424->107565 107427 7ff8a3345667 Concurrency::details::SchedulerProxy::DeleteThis _raise_excf 107427->107404 107428 7ff8a33456bb 107427->107428 107429 7ff8a3345715 107427->107429 107567 7ff8a340f830 8 API calls __swprintf_l 107428->107567 107569 7ff8a33773d0 8 API calls 2 library calls 107429->107569 107432 7ff8a33456e4 107568 7ff8a340f830 8 API calls __swprintf_l 107432->107568 107434 7ff8a3345742 Concurrency::details::SchedulerProxy::DeleteThis _raise_excf 107434->107404 107570 7ff8a333bf20 8 API calls __swprintf_l 107434->107570 107436->107279 107437->107301 107438->107301 107439->107305 107440->107308 107441->107308 107442->107321 107443->107282 107444->107287 107446 7ff8a3412f2e 107445->107446 107447 7ff8a3412f3f 107445->107447 107454 7ff8a3353cb0 8 API calls __swprintf_l 107446->107454 107447->107333 107450 7ff8a3354220 _raise_excf 8 API calls 107449->107450 107451 7ff8a3413a19 Concurrency::details::SchedulerProxy::DeleteThis _raise_excf 107450->107451 107451->107336 107453->107331 107454->107447 107455->107347 107456->107348 107457->107342 107459 7ff8a33fe9d9 _raise_excf 107458->107459 107459->107459 107461 7ff8a33fe9ed memcpy_s Concurrency::details::SchedulerProxy::DeleteThis _raise_excf 107459->107461 107462 7ff8a334ebe0 8 API calls __swprintf_l 107459->107462 107461->107356 107462->107461 107463->107362 107465 7ff8a33516a6 107464->107465 107466 7ff8a335164d 107464->107466 107465->107466 107467 7ff8a33516c8 107465->107467 107504 7ff8a340f830 8 API calls __swprintf_l 107466->107504 107469 7ff8a3351665 107467->107469 107470 7ff8a33516d2 107467->107470 107505 7ff8a340f830 8 API calls __swprintf_l 107469->107505 107479 7ff8a33a7930 107470->107479 107472 7ff8a335168f 107472->107365 107474 7ff8a3351701 107475 7ff8a3351726 107474->107475 107485 7ff8a340f9f0 107474->107485 107475->107365 107477 7ff8a3351747 107477->107475 107491 7ff8a3351aa0 107477->107491 107480 7ff8a33a7967 _raise_excf 107479->107480 107481 7ff8a3412400 _raise_excf 8 API calls 107480->107481 107482 7ff8a33a7a1a 107480->107482 107483 7ff8a33a7aec memcpy_s _raise_excf 107480->107483 107481->107483 107482->107474 107483->107482 107506 7ff8a3411e80 8 API calls _raise_excf 107483->107506 107486 7ff8a3354220 _raise_excf 8 API calls 107485->107486 107487 7ff8a340fa0d 107486->107487 107488 7ff8a340fa11 107487->107488 107507 7ff8a340fa40 8 API calls 3 library calls 107487->107507 107488->107477 107490 7ff8a340fa27 107490->107477 107492 7ff8a3351ad1 107491->107492 107493 7ff8a3351ac8 107491->107493 107492->107493 107500 7ff8a3351b3d _raise_excf 107492->107500 107526 7ff8a340f830 8 API calls __swprintf_l 107493->107526 107495 7ff8a3351b00 107527 7ff8a340f830 8 API calls __swprintf_l 107495->107527 107496 7ff8a3351bdb 107508 7ff8a3351cb0 107496->107508 107499 7ff8a3351b2a 107499->107475 107500->107496 107502 7ff8a3351bc9 107500->107502 107501 7ff8a3351bd1 Concurrency::details::SchedulerProxy::DeleteThis _raise_excf 107501->107475 107528 7ff8a3411e80 8 API calls _raise_excf 107502->107528 107504->107469 107505->107472 107506->107482 107507->107490 107509 7ff8a3351ff7 107508->107509 107512 7ff8a3351cd1 107508->107512 107530 7ff8a340f830 8 API calls __swprintf_l 107509->107530 107511 7ff8a3352021 107511->107501 107512->107509 107515 7ff8a3351d5d 107512->107515 107513 7ff8a3351e71 107514 7ff8a33a7930 8 API calls 107513->107514 107519 7ff8a3351edf 107513->107519 107516 7ff8a3351ea5 107514->107516 107515->107513 107517 7ff8a3351cb0 8 API calls 107515->107517 107523 7ff8a3351ecb 107516->107523 107524 7ff8a3351ef4 107516->107524 107518 7ff8a3351dfa 107517->107518 107518->107519 107520 7ff8a3351cb0 8 API calls 107518->107520 107519->107501 107520->107513 107521 7ff8a33a7930 8 API calls 107522 7ff8a3351f51 107521->107522 107522->107501 107529 7ff8a340e4b0 8 API calls _raise_excf 107523->107529 107524->107521 107524->107522 107526->107495 107527->107499 107528->107501 107529->107519 107530->107511 107531->107370 107532->107372 107533->107384 107534->107387 107535->107388 107536->107393 107537->107396 107538->107394 107540 7ff8a3340dd7 107539->107540 107542 7ff8a3340dce 107539->107542 107541 7ff8a3340e3b 107540->107541 107540->107542 107573 7ff8a33773d0 8 API calls 2 library calls 107541->107573 107571 7ff8a340f830 8 API calls __swprintf_l 107542->107571 107545 7ff8a3340e06 107572 7ff8a340f830 8 API calls __swprintf_l 107545->107572 107547 7ff8a3340e30 107547->107399 107548 7ff8a3340e6f _raise_excf 107548->107399 107550 7ff8a333ee57 107549->107550 107551 7ff8a333eebb 107550->107551 107558 7ff8a333ee7a memcpy_s Concurrency::details::SchedulerProxy::DeleteThis 107550->107558 107574 7ff8a333f190 8 API calls 3 library calls 107550->107574 107553 7ff8a333eed1 107551->107553 107551->107558 107575 7ff8a333f190 8 API calls 3 library calls 107551->107575 107555 7ff8a3354220 _raise_excf 8 API calls 107553->107555 107553->107558 107556 7ff8a333ef03 _raise_excf 107555->107556 107556->107558 107576 7ff8a333f5c0 8 API calls 2 library calls 107556->107576 107558->107403 107560 7ff8a3351aa0 8 API calls 107559->107560 107561 7ff8a333cc85 107560->107561 107562 7ff8a333ccc5 107561->107562 107563 7ff8a3351aa0 8 API calls 107561->107563 107562->107404 107562->107411 107563->107562 107564->107424 107565->107404 107566->107427 107567->107432 107568->107404 107569->107434 107570->107404 107571->107545 107572->107547 107573->107548 107574->107551 107575->107553 107576->107558 107577 7ff8a34007c0 107578 7ff8a34007d9 _raise_excf 107577->107578 107580 7ff8a34007eb _raise_excf 107578->107580 107581 7ff8a34008d0 107578->107581 107582 7ff8a3400913 107581->107582 107583 7ff8a34008fd 107581->107583 107582->107580 107583->107582 107585 7ff8a33f9200 8 API calls 2 library calls 107583->107585 107585->107582 107627 7ff8a3306fd0 107628 7ff8a338f650 _raise_excf 10 API calls 107627->107628 107629 7ff8a3306ffb 107628->107629

                                                                                Executed Functions

                                                                                Function 00007FF848E58D4C Relevance: 22.2, Strings: 17, Instructions: 975COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 0 7ff848e58d4c-7ff848e58d87 call 7ff848e509a8 call 7ff848e50698 4 7ff848e58d8c-7ff848e5915b call 7ff848e5a16b call 7ff848e50818 call 7ff848e50da0 call 7ff848e55b48 0->4 64 7ff848e59605-7ff848e59617 4->64 65 7ff848e59161-7ff848e59182 4->65 66 7ff848e5961a-7ff848e5962b 64->66 65->66 70 7ff848e59188-7ff848e591b0 65->70 67 7ff848e5962f-7ff848e59643 66->67 69 7ff848e59644-7ff848e59656 67->69 71 7ff848e59659-7ff848e5966a 69->71 70->67 75 7ff848e591b6-7ff848e591de 70->75 72 7ff848e5966e-7ff848e5967f 71->72 74 7ff848e59683-7ff848e59695 72->74 76 7ff848e59698-7ff848e596a9 74->76 75->69 80 7ff848e591e4-7ff848e5920f 75->80 77 7ff848e596ad-7ff848e596bf 76->77 79 7ff848e596c2-7ff848e59704 77->79 87 7ff848e5970b-7ff848e5971c 79->87 80->71 83 7ff848e59215-7ff848e59240 80->83 83->72 86 7ff848e59246-7ff848e59271 83->86 86->74 92 7ff848e59277-7ff848e592a2 86->92 88 7ff848e59720-7ff848e59732 87->88 89 7ff848e59735-7ff848e59746 88->89 91 7ff848e5974a-7ff848e5975e 89->91 93 7ff848e5975f-7ff848e59771 91->93 92->76 97 7ff848e592a8-7ff848e592d3 92->97 94 7ff848e59774-7ff848e59785 93->94 96 7ff848e59789-7ff848e5979b 94->96 98 7ff848e5979e-7ff848e597af 96->98 97->77 102 7ff848e592d9-7ff848e59304 97->102 99 7ff848e597b3-7ff848e598e5 call 7ff848e55c30 call 7ff848e55c20 call 7ff848e55c18 98->99 102->79 105 7ff848e5930a-7ff848e59338 102->105 105->87 109 7ff848e5933e-7ff848e59369 105->109 109->88 113 7ff848e5936f-7ff848e5939a 109->113 113->89 118 7ff848e593a0-7ff848e593cb 113->118 118->91 121 7ff848e593d1-7ff848e593fc 118->121 121->93 126 7ff848e59402-7ff848e5942d 121->126 126->94 129 7ff848e59433-7ff848e5945e 126->129 129->96 133 7ff848e59464-7ff848e5948f 129->133 133->98 135 7ff848e59495-7ff848e594c0 133->135 135->99 137 7ff848e594c6-7ff848e595d6 call 7ff848e55c50 135->137 137->64
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: !$"$#$$$%$&$'$($)$*$+$,$-$.$/$0$1
                                                                                • API String ID: 0-402976411
                                                                                • Opcode ID: 2cdfaca9803a49414568eb9ccbfa611f045c4ff8bb7a5a3f952702126c41a4f3
                                                                                • Instruction ID: 32c961961b8ef3e3d512237cfdd44fe5daec998ea83d631061104b942327c11a
                                                                                • Opcode Fuzzy Hash: 2cdfaca9803a49414568eb9ccbfa611f045c4ff8bb7a5a3f952702126c41a4f3
                                                                                • Instruction Fuzzy Hash: 2A622A10A0DA856FD70DABBC94273AABBF1EF4A740F5884FDE449976D3CD285802CB45
                                                                                Function 00007FF8A334F350 Relevance: 10.4, Strings: 8, Instructions: 389COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 305 7ff8a334f350-7ff8a334f37f 306 7ff8a334f3ba-7ff8a334f3c4 call 7ff8a3354220 305->306 307 7ff8a334f381-7ff8a334f3b9 call 7ff8a340f830 305->307 312 7ff8a334f93e-7ff8a334f94b 306->312 313 7ff8a334f3ca-7ff8a334f3e0 306->313 314 7ff8a334f3e7-7ff8a334f3eb 313->314 315 7ff8a334f3e2-7ff8a334f3e5 313->315 317 7ff8a334f3ed-7ff8a334f3f0 314->317 318 7ff8a334f3f2-7ff8a334f3f9 314->318 316 7ff8a334f403-7ff8a334f407 315->316 320 7ff8a334f40f-7ff8a334f415 316->320 321 7ff8a334f409-7ff8a334f40d 316->321 317->316 318->316 319 7ff8a334f3fb 318->319 319->316 322 7ff8a334f41b-7ff8a334f42e 320->322 323 7ff8a334f417 320->323 321->322 324 7ff8a334f470-7ff8a334f47b 322->324 325 7ff8a334f430-7ff8a334f43a 322->325 323->322 331 7ff8a334f47e-7ff8a334f481 324->331 326 7ff8a334f43c 325->326 327 7ff8a334f442-7ff8a334f45e call 7ff8a3412c20 325->327 326->327 332 7ff8a334f466-7ff8a334f46e 327->332 333 7ff8a334f460 327->333 334 7ff8a334f8c7 331->334 335 7ff8a334f487-7ff8a334f49a call 7ff8a32c2930 331->335 332->331 333->332 336 7ff8a334f8ca-7ff8a334f8de call 7ff8a3350640 334->336 335->334 341 7ff8a334f4a0-7ff8a334f4a3 335->341 342 7ff8a334f8ef-7ff8a334f8f1 336->342 343 7ff8a334f8e0-7ff8a334f8ed call 7ff8a3352e40 336->343 344 7ff8a334f4da-7ff8a334f4e1 341->344 345 7ff8a334f4a5-7ff8a334f4ac 341->345 349 7ff8a334f8f7-7ff8a334f902 342->349 350 7ff8a334f8f3 342->350 343->349 351 7ff8a334f4e9-7ff8a334f663 call 7ff8a33502d0 * 5 344->351 352 7ff8a334f4e3 344->352 346 7ff8a334f4ae-7ff8a334f4b4 345->346 347 7ff8a334f4b6-7ff8a334f4be 345->347 353 7ff8a334f4c1-7ff8a334f4c8 346->353 347->353 355 7ff8a334f904-7ff8a334f90c call 7ff8a334f960 349->355 356 7ff8a334f911-7ff8a334f914 349->356 350->349 380 7ff8a334f89c-7ff8a334f8a3 351->380 381 7ff8a334f669-7ff8a334f677 351->381 352->351 353->344 359 7ff8a334f4ca-7ff8a334f4d5 call 7ff8a34129e0 353->359 355->356 361 7ff8a334f93c 356->361 362 7ff8a334f916-7ff8a334f91a 356->362 359->336 361->312 365 7ff8a334f91c-7ff8a334f920 362->365 366 7ff8a334f92e-7ff8a334f931 362->366 365->366 369 7ff8a334f922-7ff8a334f926 365->369 366->362 369->366 372 7ff8a334f928-7ff8a334f92c 369->372 372->366 373 7ff8a334f933-7ff8a334f937 call 7ff8a34129e0 372->373 373->361 380->336 382 7ff8a334f8a5-7ff8a334f8ab 380->382 383 7ff8a334f679-7ff8a334f683 call 7ff8a334ec20 381->383 384 7ff8a334f685-7ff8a334f6c0 call 7ff8a334fb60 381->384 382->336 390 7ff8a334f6c5-7ff8a334f6c9 383->390 384->390 391 7ff8a334f6cb-7ff8a334f6ce 390->391 392 7ff8a334f703-7ff8a334f728 call 7ff8a33f5100 390->392 394 7ff8a334f6d8-7ff8a334f6fe call 7ff8a340e4b0 call 7ff8a34129e0 391->394 395 7ff8a334f6d0-7ff8a334f6d3 call 7ff8a3411e80 391->395 400 7ff8a334f72a-7ff8a334f73c 392->400 401 7ff8a334f762-7ff8a334f76e 392->401 394->380 395->394 405 7ff8a334f73e-7ff8a334f745 400->405 406 7ff8a334f753-7ff8a334f75d call 7ff8a340e650 400->406 402 7ff8a334f77e-7ff8a334f79a call 7ff8a33a74c0 401->402 403 7ff8a334f770-7ff8a334f777 401->403 415 7ff8a334f79c-7ff8a334f7ab call 7ff8a33a7fa0 402->415 416 7ff8a334f7b0-7ff8a334f7bc 402->416 403->402 407 7ff8a334f779 call 7ff8a33f8140 403->407 405->406 410 7ff8a334f747-7ff8a334f74e 405->410 406->380 407->402 410->380 415->416 418 7ff8a334f7be-7ff8a334f7c2 416->418 419 7ff8a334f7c9-7ff8a334f810 call 7ff8a33a74c0 416->419 418->419 420 7ff8a334f7c4 call 7ff8a33f8230 418->420 419->380 424 7ff8a334f816-7ff8a334f821 419->424 420->419 425 7ff8a334f82f 424->425 426 7ff8a334f823-7ff8a334f82d call 7ff8a340e650 424->426 428 7ff8a334f836-7ff8a334f848 call 7ff8a33a1340 call 7ff8a3350640 425->428 426->428 434 7ff8a334f86a-7ff8a334f872 call 7ff8a340e650 428->434 435 7ff8a334f84a-7ff8a334f851 428->435 438 7ff8a334f877-7ff8a334f88a call 7ff8a3353a40 434->438 436 7ff8a334f858-7ff8a334f85b 435->436 439 7ff8a334f8ad-7ff8a334f8af 436->439 440 7ff8a334f85d 436->440 443 7ff8a334f88f-7ff8a334f897 call 7ff8a3350df0 438->443 439->434 442 7ff8a334f8b1-7ff8a334f8c3 call 7ff8a3395cf0 call 7ff8a3350640 439->442 451 7ff8a334f860 call 7ff8a331f7c0 440->451 452 7ff8a334f860 call 7ff8a3345450 440->452 442->380 450 7ff8a334f8c5 442->450 443->380 445 7ff8a334f862-7ff8a334f868 445->434 445->436 450->438 451->445 452->445
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: %s at line %d of [%.10s]$BINARY$NOCASE$RTRIM$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$main$misuse$temp
                                                                                • API String ID: 0-1565820013
                                                                                • Opcode ID: 834bfbbc9041dd718764ea05049c83ae1753654a6b9bf8d298a1ab6f612d3045
                                                                                • Instruction ID: c26efd74a7acc840361bda725302ab920bc23f7a5ceec7240d2bb1b209c33850
                                                                                • Opcode Fuzzy Hash: 834bfbbc9041dd718764ea05049c83ae1753654a6b9bf8d298a1ab6f612d3045
                                                                                • Instruction Fuzzy Hash: 02029B22E0EF82A6EB609F25B84027D67A0EF55BC9F485136DE4DA7795DF3EE4508300
                                                                                Function 00007FF84911E850 Relevance: 4.5, Strings: 3, Instructions: 774COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1091 7ff84911e850-7ff84911e891 1094 7ff84911e893-7ff84911e8a3 1091->1094 1095 7ff84911e8a5-7ff84911e8b0 1091->1095 1094->1095 1096 7ff84911ebf3-7ff84911ebf6 1095->1096 1097 7ff84911e8b6-7ff84911e8ba 1095->1097 1101 7ff84911ebf8-7ff84911ec0a 1096->1101 1102 7ff84911ec0c-7ff84911ec1f 1096->1102 1099 7ff84911e8cb-7ff84911e8d3 1097->1099 1100 7ff84911e8bc-7ff84911e8c1 1097->1100 1103 7ff84911e8d9-7ff84911e8f6 1099->1103 1104 7ff84911ec43-7ff84911ec59 1099->1104 1100->1099 1101->1102 1108 7ff84911e8fc-7ff84911e970 1103->1108 1109 7ff84911ead1-7ff84911eae6 1103->1109 1111 7ff84911ec5b-7ff84911ec62 1104->1111 1112 7ff84911ec63-7ff84911eca8 1104->1112 1144 7ff84911e998 1108->1144 1145 7ff84911e972-7ff84911e973 1108->1145 1113 7ff84911eae8-7ff84911eaee 1109->1113 1114 7ff84911eb63-7ff84911eb6e 1109->1114 1111->1112 1127 7ff84911ecaa-7ff84911ecbf 1112->1127 1128 7ff84911ecc2-7ff84911ecfb 1112->1128 1119 7ff84911eaf0-7ff84911eb00 1113->1119 1120 7ff84911eb02-7ff84911eb06 1113->1120 1117 7ff84911eb7f-7ff84911eb86 1114->1117 1118 7ff84911eb70-7ff84911eb75 1114->1118 1117->1104 1122 7ff84911eb8c-7ff84911ebcc 1117->1122 1118->1117 1119->1120 1126 7ff84911eb0d-7ff84911eb11 1120->1126 1142 7ff84911ebce-7ff84911ebd8 1122->1142 1143 7ff84911ebe2-7ff84911ebf1 1122->1143 1131 7ff84911eb15-7ff84911eb21 1126->1131 1127->1128 1133 7ff84911ed01-7ff84911ed24 1128->1133 1134 7ff84911eeb5-7ff84911eedd 1128->1134 1131->1097 1135 7ff84911eb27 1131->1135 1155 7ff84911ed2a-7ff84911ed48 1133->1155 1156 7ff84911ee94-7ff84911eeaf 1133->1156 1151 7ff84911eedf-7ff84911ef32 1134->1151 1152 7ff84911ef51-7ff84911ef5f 1134->1152 1135->1096 1142->1143 1143->1096 1149 7ff84911e99a-7ff84911e9b3 1144->1149 1147 7ff84911e977-7ff84911e987 1145->1147 1153 7ff84911e989-7ff84911e990 1147->1153 1154 7ff84911e996 1147->1154 1159 7ff84911e9d5-7ff84911e9d8 1149->1159 1160 7ff84911e9b5-7ff84911e9ce 1149->1160 1151->1152 1186 7ff84911ef34-7ff84911ef4f 1151->1186 1153->1147 1158 7ff84911e992-7ff84911e994 1153->1158 1154->1149 1155->1156 1176 7ff84911ed4e-7ff84911edb9 1155->1176 1156->1133 1156->1134 1158->1154 1164 7ff84911e9da-7ff84911e9eb 1159->1164 1165 7ff84911ea53-7ff84911ea5b 1159->1165 1160->1159 1164->1165 1167 7ff84911ea69-7ff84911ea7a 1165->1167 1168 7ff84911ea5d-7ff84911ea67 call 7ff8491188a8 1165->1168 1178 7ff84911eaaa-7ff84911eab1 1167->1178 1179 7ff84911ea7c-7ff84911ea96 1167->1179 1168->1167 1177 7ff84911eac0-7ff84911eacd 1168->1177 1198 7ff84911edbb-7ff84911edf4 1176->1198 1199 7ff84911edf6-7ff84911ee04 1176->1199 1177->1131 1189 7ff84911eacf-7ff84911eb5e 1177->1189 1185 7ff84911eab8-7ff84911eabc 1178->1185 1183 7ff84911eb2c-7ff84911eb31 1179->1183 1184 7ff84911ea9c-7ff84911eaa8 1179->1184 1183->1096 1184->1177 1185->1177 1186->1152 1189->1096 1198->1199 1202 7ff84911ee4f-7ff84911ee63 1199->1202 1203 7ff84911ee06-7ff84911ee39 1199->1203 1211 7ff84911ee71-7ff84911ee89 1202->1211 1212 7ff84911ee65-7ff84911ee6a 1202->1212 1209 7ff84911ee8b-7ff84911ee93 call 7ff84911ef60 1203->1209 1210 7ff84911ee3b-7ff84911ee4c 1203->1210 1209->1156 1210->1202 1211->1209 1211->1210 1212->1211
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Q#_L$R#_H$k
                                                                                • API String ID: 0-1515351878
                                                                                • Opcode ID: 0456c68a814e6b4204b15b02f27f8042691de11d5e323ebebaae4d32ae7c9389
                                                                                • Instruction ID: 95cc68edd80a2c2ce372229b45e19fa5ee127adf9fbcab3c43d622eac42f306c
                                                                                • Opcode Fuzzy Hash: 0456c68a814e6b4204b15b02f27f8042691de11d5e323ebebaae4d32ae7c9389
                                                                                • Instruction Fuzzy Hash: 8E329330A1CA4A9FEBA4EF6CD499A7977E1FF98740F0401B9D44DC7296DE28EC418B41
                                                                                Function 00007FF8A33FE950 Relevance: 4.2, Strings: 3, Instructions: 491COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: -journal$immutable$nolock
                                                                                • API String ID: 0-4201244970
                                                                                • Opcode ID: 687ba92128faf1aaf32e8ef352ac4f6a4a970d17f16b32fef6ca51b85dcf2d3e
                                                                                • Instruction ID: 32393d20e98dd320f9d164458a29cef58d73bc745836bbaf19d91b88a157f13f
                                                                                • Opcode Fuzzy Hash: 687ba92128faf1aaf32e8ef352ac4f6a4a970d17f16b32fef6ca51b85dcf2d3e
                                                                                • Instruction Fuzzy Hash: C912D032A0EB8156EB618F28A40036A7A91FF41BE8F484235DEAD6B7D5DF7ED445C700
                                                                                Function 00007FF848E62D58 Relevance: 4.1, Strings: 2, Instructions: 1620COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: H$\
                                                                                • API String ID: 0-318634259
                                                                                • Opcode ID: 43980b3c0231572a5588b626fce1ad661a7f96caf7cd95ccd29abae462cbf282
                                                                                • Instruction ID: fd09c696c7d4a4839e18c3fb5fde8e2a39366bdcf4b99acd60ca5cd904576239
                                                                                • Opcode Fuzzy Hash: 43980b3c0231572a5588b626fce1ad661a7f96caf7cd95ccd29abae462cbf282
                                                                                • Instruction Fuzzy Hash: 83B24530F1CA4A4FE358EB288445679B7E1FF89340F9445BED48EC7296DE39B8428385
                                                                                Function 00007FF8A33F5100 Relevance: 1.8, Strings: 1, Instructions: 537COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: :memory:
                                                                                • API String ID: 0-2920599690
                                                                                • Opcode ID: 92b24442245477a5d4f0a5e0ef12652629cb799da2b9761ccbb83c799fd4607a
                                                                                • Instruction ID: 5630f5abda8a2eaaeb2d23650aee0cd0617dc94653d8651471a963616274fd9d
                                                                                • Opcode Fuzzy Hash: 92b24442245477a5d4f0a5e0ef12652629cb799da2b9761ccbb83c799fd4607a
                                                                                • Instruction Fuzzy Hash: 9232AD22A0FF42A6FA648B16A65033967A1FF55BC5F844035CA4E6BB90DFBFE454C700
                                                                                Function 00007FF848E7433B Relevance: .9, Instructions: 943COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ef13435bfde9a972186d3ffae949d01ec26cc3390b3767bc608c1caec8629970
                                                                                • Instruction ID: d551a40e33eb5692b5d0bb4ccfd71d22ad0ddc971466b067b2783a669b20141c
                                                                                • Opcode Fuzzy Hash: ef13435bfde9a972186d3ffae949d01ec26cc3390b3767bc608c1caec8629970
                                                                                • Instruction Fuzzy Hash: 8F52E420E0DA895FE755F738881A5BA77E1FF86790F4541B9E44EC72A3DE38A8038345
                                                                                Function 00007FF848E56B26 Relevance: .6, Instructions: 560COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4af8f1e412966a9608efd35a20b0ee64aabaa14fe3a90f46abc26f35c3634907
                                                                                • Instruction ID: 1b061139b291b268462df6618b21c68e84605d2c21fb3ff9c296502ea261fa9a
                                                                                • Opcode Fuzzy Hash: 4af8f1e412966a9608efd35a20b0ee64aabaa14fe3a90f46abc26f35c3634907
                                                                                • Instruction Fuzzy Hash: 87129F7091CA8D8FEBA8EF68C855BE977E1FF55350F00427AE80DC7291CB34A9458B85
                                                                                Function 00007FF848E578D2 Relevance: .5, Instructions: 538COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6e2eb153c4d087095d29dd2fb0882cc791d5891018e641bd35812857af642750
                                                                                • Instruction ID: 2a7479ef09c14b0388615b8a81c151c573be4ef97171960f26dfe7730799836f
                                                                                • Opcode Fuzzy Hash: 6e2eb153c4d087095d29dd2fb0882cc791d5891018e641bd35812857af642750
                                                                                • Instruction Fuzzy Hash: 7C028E7090CA8E8FEBA8EF68C8557F977A1FB54350F00423AD80DC6291DB38A9558B85
                                                                                Function 00007FF848E63A51 Relevance: .5, Instructions: 484COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 764422642d068488c78f63fae9e40593f3ccd76833af1357d162fd234a4eadf1
                                                                                • Instruction ID: 1309f417af0cbeebe72bdd1325f4329427b1984cd19aacad1d460f2b75eab1be
                                                                                • Opcode Fuzzy Hash: 764422642d068488c78f63fae9e40593f3ccd76833af1357d162fd234a4eadf1
                                                                                • Instruction Fuzzy Hash: A8E12B2160FAC91FD706ABBC98561BA7FE1DF47660B4804EED889CB2E3CD196807C345
                                                                                Function 00007FF848E51465 Relevance: .4, Instructions: 400COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 341bbeec3d72dc598fa702d59e8f7e66c66f6bd91c5c0117195af01830a615c4
                                                                                • Instruction ID: 94eb8e9e603e50d5e55aa978bbcef259e944025513c92d060169ca241d37c4fb
                                                                                • Opcode Fuzzy Hash: 341bbeec3d72dc598fa702d59e8f7e66c66f6bd91c5c0117195af01830a615c4
                                                                                • Instruction Fuzzy Hash: 58C1036054FAC96FD706EBBC846A5AABFB0EF5B250B4805EAC489CF1E3C9186417C345
                                                                                Function 00007FF848E60D6D Relevance: .3, Instructions: 255COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 82e3fa25f7fed5ecb9d57e38a9cc536e4153bb61e4843f9960aae6a2ecda872c
                                                                                • Instruction ID: d54146d73964148fb1803a899448006127a249c90b3fced168195ae6b13297a9
                                                                                • Opcode Fuzzy Hash: 82e3fa25f7fed5ecb9d57e38a9cc536e4153bb61e4843f9960aae6a2ecda872c
                                                                                • Instruction Fuzzy Hash: AE81C461D4E6D64FDB83BB7858215B63FE4EF97254F0800EBE0C8E7193DA282846C346
                                                                                Function 00007FF848E51E11 Relevance: .2, Instructions: 210COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e5225df45de301fcd9722093887ecc6d6249caea52aca471cce7e2c44cb0dd9b
                                                                                • Instruction ID: b3637e2ce14adcbc620b5ffb549bcc8df6cb1f72f1aee4a867d494800c1bbf99
                                                                                • Opcode Fuzzy Hash: e5225df45de301fcd9722093887ecc6d6249caea52aca471cce7e2c44cb0dd9b
                                                                                • Instruction Fuzzy Hash: 9861D25054FAC55FE706ABB884666EEBFF0EF5B610F8804EED0899B1E3CA186413C751
                                                                                Function 00007FF848E6881A Relevance: 4.0, Strings: 3, Instructions: 262COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: N_^h$N_^j$N_^}
                                                                                • API String ID: 0-1857900802
                                                                                • Opcode ID: a7c4f46d9db4bff6348e595a2751e3a3e4ad189f8dea91605de158cf6fc3e9a7
                                                                                • Instruction ID: 4c8a7f4c773d866158a8dc4f53e1c3fb2e271046352c4d3fb01557c5eb24823c
                                                                                • Opcode Fuzzy Hash: a7c4f46d9db4bff6348e595a2751e3a3e4ad189f8dea91605de158cf6fc3e9a7
                                                                                • Instruction Fuzzy Hash: 99718831A0D9561FE7A9BA2CE8452B577C1FF85360F8401BAD44DCB183DF38B8428385
                                                                                Function 00007FF849114C68 Relevance: 3.0, Strings: 2, Instructions: 496COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: d$o$_H
                                                                                • API String ID: 0-264496251
                                                                                • Opcode ID: e80c9658d6e16a4f98ccdb34b926fd2bd9e1ace14c5cb69fda03ac1f3518a882
                                                                                • Instruction ID: 3e008981af790a20175373bd342d49f49d071016188f2eaa07f505b01c6babd7
                                                                                • Opcode Fuzzy Hash: e80c9658d6e16a4f98ccdb34b926fd2bd9e1ace14c5cb69fda03ac1f3518a882
                                                                                • Instruction Fuzzy Hash: 2BF18F3091CB498FE768EF18D485A75B3E1FF94354F14466DC08E87696DA39F882CB81
                                                                                Function 00007FF84911F1A0 Relevance: 2.9, Strings: 2, Instructions: 372COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: H#_H$k
                                                                                • API String ID: 0-1067173212
                                                                                • Opcode ID: d1c3763f807d6d7e2b830217c334e3dc040428010197f93e90ae2aa82cbaa10c
                                                                                • Instruction ID: f900266654d18a894f7936cd3e63a8c3313a2e06ba9c29ebde097d4ff968b629
                                                                                • Opcode Fuzzy Hash: d1c3763f807d6d7e2b830217c334e3dc040428010197f93e90ae2aa82cbaa10c
                                                                                • Instruction Fuzzy Hash: DCB18B30B1C9499FD7A5FF2C9499B7977E1FF98350B1400BAD04DCB2A6EE299C418B81
                                                                                Function 00007FF848E5EFFA Relevance: 2.9, Strings: 2, Instructions: 368COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: TO_^$[J
                                                                                • API String ID: 0-3705338274
                                                                                • Opcode ID: 3cc68160c99946b3aaaa23895b1b5bca3abff677e8975595e12e802f923ee6a7
                                                                                • Instruction ID: 6ca7ec31cb1bdde75d5df0682ae69baf419ae5fb98244e1882ce0bff014e5522
                                                                                • Opcode Fuzzy Hash: 3cc68160c99946b3aaaa23895b1b5bca3abff677e8975595e12e802f923ee6a7
                                                                                • Instruction Fuzzy Hash: D2B1F8A051EAC51FE345F7B8446B5BEBBE1EF86640F4804FDD4C9CB1A3DD28A4428745
                                                                                Function 00007FF848E5D2C8 Relevance: 2.7, Strings: 2, Instructions: 216COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: _$pO_^
                                                                                • API String ID: 0-3646080332
                                                                                • Opcode ID: 733bf7f773a12269e680095c643421c2de0f5d08d267a962dd5e01053c0204aa
                                                                                • Instruction ID: 8ac104a9c2e6f3bf59a21e7c8f71e52d041aed66c65ab93a918404d6e08c3d18
                                                                                • Opcode Fuzzy Hash: 733bf7f773a12269e680095c643421c2de0f5d08d267a962dd5e01053c0204aa
                                                                                • Instruction Fuzzy Hash: ED512993A0E9D65FE31AB77DA8551F67F60FF832A5B0C01F7D188CF0A3D918640A8265
                                                                                Function 00007FF848E58411 Relevance: 2.1, Strings: 1, Instructions: 871COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 7P_L
                                                                                • API String ID: 0-1649245588
                                                                                • Opcode ID: 6f616dbb64266b6fcd9dfc2035c450e00135f8453bc2239c223923e2ffef384d
                                                                                • Instruction ID: 9a20d0f3b5f73393b67f6fa9f571f2cd211d8735d5530a9e22b1a7069607c65d
                                                                                • Opcode Fuzzy Hash: 6f616dbb64266b6fcd9dfc2035c450e00135f8453bc2239c223923e2ffef384d
                                                                                • Instruction Fuzzy Hash: AE424A61A0EED65FD35AAB78541A1AABFE1FF47640B0844FED0898B1E3DE285807C341
                                                                                Function 00007FF848E6C9C0 Relevance: 1.8, Strings: 1, Instructions: 573COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: M_H
                                                                                • API String ID: 0-372873180
                                                                                • Opcode ID: 780f856e1dc1687d4ba436b8737e686824889e8024a76589427ef6ca9528833f
                                                                                • Instruction ID: 806d54e27fa80d8d0c50c88b53562852d03ee0cb65ad4002aa041c3bfc532922
                                                                                • Opcode Fuzzy Hash: 780f856e1dc1687d4ba436b8737e686824889e8024a76589427ef6ca9528833f
                                                                                • Instruction Fuzzy Hash: 7A022521A0D7C60FF396A63C98651B57FE1FF52250F4A41FBC089CB1E7DA2C684A8356
                                                                                Function 00007FF848E71C3A Relevance: 1.7, Strings: 1, Instructions: 436COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: !N_H
                                                                                • API String ID: 0-116015028
                                                                                • Opcode ID: 9c4cf05ce9c7fb1b2544ca415a8d8db76d01b3cc08213eec83bc175206c1bc99
                                                                                • Instruction ID: 03571aa6f99ce6f7d9b3823d8e024ddb0a86fd33c9eb6d5e1be6a0e312e0cbb1
                                                                                • Opcode Fuzzy Hash: 9c4cf05ce9c7fb1b2544ca415a8d8db76d01b3cc08213eec83bc175206c1bc99
                                                                                • Instruction Fuzzy Hash: 00C16531E0CA895FE788EB6CC4946B9BFF1EF6A250F1041FAC088DB296CA351847C741
                                                                                Function 00007FF8491E02F0 Relevance: 1.6, Instructions: 1585COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120055295.00007FF8491E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491E0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8491e0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 53d9cb04e37dba769d32b1f1a439d8469db539a49f123d5a41886958798f61f7
                                                                                • Instruction ID: 5a82f6b5749ea25abe818ca088fb7f096ee262233d39fa7e629148dd130410b9
                                                                                • Opcode Fuzzy Hash: 53d9cb04e37dba769d32b1f1a439d8469db539a49f123d5a41886958798f61f7
                                                                                • Instruction Fuzzy Hash: 92F16821A0DAC54FEBA6EB3C68555717FE1EF96260B0804FBD08CCB5A3D90D9C46C781
                                                                                Function 00007FF8A3307170 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcess
                                                                                • String ID:
                                                                                • API String ID: 2050909247-0
                                                                                • Opcode ID: 42db744b89b208bf987aefbca52a5a02fb1adf7d03ece94a1a804761e09be3f4
                                                                                • Instruction ID: bb3d2f10166e4b7ee6f1f77f50aa959f4588d83ecd5fc037fb72bbaf53ea992b
                                                                                • Opcode Fuzzy Hash: 42db744b89b208bf987aefbca52a5a02fb1adf7d03ece94a1a804761e09be3f4
                                                                                • Instruction Fuzzy Hash: C2116531B0EE5292E7258B86FC4127AA261FB85BD1F544031EF8C57B95DE3DD8438340
                                                                                Function 00007FF84911151D Relevance: 1.5, Strings: 1, Instructions: 256COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $_H
                                                                                • API String ID: 0-2840486340
                                                                                • Opcode ID: 583c870e808f3993ae19d382220c8c79d96f4adb6e1188375e3b4392b7b7ce76
                                                                                • Instruction ID: d23888d9ada127202c7c5fb50c9ab56072e363c334a08db48ec04e78f14b3b69
                                                                                • Opcode Fuzzy Hash: 583c870e808f3993ae19d382220c8c79d96f4adb6e1188375e3b4392b7b7ce76
                                                                                • Instruction Fuzzy Hash: 54814620D0EACA6FD796AB7884675B9BFF1FF5A250F4801F9C049CB193E91C5842C741
                                                                                Function 00007FF848E5FB7D Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: [J
                                                                                • API String ID: 0-729266317
                                                                                • Opcode ID: 893839f417139c6458c66535bd6f29755bde8db9af41ce35dd7bd7ae2a9174a1
                                                                                • Instruction ID: 1496539cefb810aed87d84d2e5ec6ea0577f5fa971ff39c94ce4e007905c4be8
                                                                                • Opcode Fuzzy Hash: 893839f417139c6458c66535bd6f29755bde8db9af41ce35dd7bd7ae2a9174a1
                                                                                • Instruction Fuzzy Hash: 88312E70A0DA894FD748FF7C846A1B9BBE1EF56700B5400BDD849CB2A3DD25A8428744
                                                                                Function 00007FF848E69D23 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: VH
                                                                                • API String ID: 0-1750036458
                                                                                • Opcode ID: 699e724796f68c8ebc296165b6f91c17572d975f704f6419e4efa918afbc9ec1
                                                                                • Instruction ID: ab19197557fdfa3d7570fc0cb1504fda79a026e5bb572879acf0f5c23a904d70
                                                                                • Opcode Fuzzy Hash: 699e724796f68c8ebc296165b6f91c17572d975f704f6419e4efa918afbc9ec1
                                                                                • Instruction Fuzzy Hash: 4B21C461E1EAC95FE746FB7C442E2687FE1FF56605B4844FDD08ACB1A3D9296805C700
                                                                                Function 00007FF848E72874 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: H
                                                                                • API String ID: 0-2852464175
                                                                                • Opcode ID: 2756f1b3799eda3915f3ba98344083de416ce2d81bfd16c89eb22a8f918af34c
                                                                                • Instruction ID: f101061c401d361906c9ff9a822ddc0662e322cd83bc6b5d0f3ed317303ba32d
                                                                                • Opcode Fuzzy Hash: 2756f1b3799eda3915f3ba98344083de416ce2d81bfd16c89eb22a8f918af34c
                                                                                • Instruction Fuzzy Hash: 3C21D62180EBC91FF766A67448293657FF0EF57650F0D41EBC089DB1A7DA690C0AC352
                                                                                Function 00007FF848E6A9B5 Relevance: .8, Instructions: 769COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: df6a9e7e463161f08071cf627c87943e01509e69aaf14d65f884301d7ad0b94c
                                                                                • Instruction ID: ed22db0e4dc5cd8a8d05c8993b31f7ebb80ac180027569dc9c1aecfbfbde71aa
                                                                                • Opcode Fuzzy Hash: df6a9e7e463161f08071cf627c87943e01509e69aaf14d65f884301d7ad0b94c
                                                                                • Instruction Fuzzy Hash: 91427330A1894A8FDB88EF28C494ABA77E1FF98340F5445A9D41AD7296DF35FC52CB40
                                                                                Function 00007FF848E68D0D Relevance: .5, Instructions: 504COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e609fea8c85e50b0cb6fc3d86328d8fe987d18af5ee360b98e5e21fda6c3c860
                                                                                • Instruction ID: 6152e2e355faa943baa914c93acb245391c10d828aecafda151d970a6fd9aa12
                                                                                • Opcode Fuzzy Hash: e609fea8c85e50b0cb6fc3d86328d8fe987d18af5ee360b98e5e21fda6c3c860
                                                                                • Instruction Fuzzy Hash: 2AE12130A1CA094FDB49FB6C88552B9B7E2FF99310F5442BEC44AD7296DE34B8438785
                                                                                Function 00007FF848E56629 Relevance: .5, Instructions: 495COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e868f7c09b43085860a89b1d0cbc997d1ee8603c014dcc141c6927e51f559646
                                                                                • Instruction ID: 34d362f828cc932ec7b6a02e59b70f5a6838d234e9d17f6e31f6e4696dd726cd
                                                                                • Opcode Fuzzy Hash: e868f7c09b43085860a89b1d0cbc997d1ee8603c014dcc141c6927e51f559646
                                                                                • Instruction Fuzzy Hash: 4FF1B47091CA8D8FEBA8EF28C8557E977E1FF55380F04413AE84DC6292DB74A9458B81
                                                                                Function 00007FF849115CA8 Relevance: .5, Instructions: 475COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dc21d06027d022d4efcf5620c3ba99e6ab2c3d5a40bd2daa16451db2b403d0f5
                                                                                • Instruction ID: 8ba73278e9287ad8effaec1ecfa075cb0cf267de987928f6012709e0bea68d93
                                                                                • Opcode Fuzzy Hash: dc21d06027d022d4efcf5620c3ba99e6ab2c3d5a40bd2daa16451db2b403d0f5
                                                                                • Instruction Fuzzy Hash: 87E1F23090CB868FE769EF28D441572B7E1FF96340B1445BDD09AC7697EA29F842CB81
                                                                                Function 00007FF848E64EB8 Relevance: .5, Instructions: 463COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 21eff5b62f6d2bd952510811ab39c27dc18fe9782ec89354b6f03adccc139b5f
                                                                                • Instruction ID: 57c6ef509d61d7547f89b2f67a12bdc0e8a14379edb2bb495cd40537f855163b
                                                                                • Opcode Fuzzy Hash: 21eff5b62f6d2bd952510811ab39c27dc18fe9782ec89354b6f03adccc139b5f
                                                                                • Instruction Fuzzy Hash: 0DD12521E0DA865FD75AB73C98652B53BE1FF86390F4841FAD089CB193DF286C468345
                                                                                Function 00007FF848E5D308 Relevance: .4, Instructions: 444COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8c4e2c6fe6dab74a3b7149e9dd2f13f837d451df602b143b8544735e101c3f54
                                                                                • Instruction ID: 48c43c9f645f322eccc29e3af54a3444fc8d2c2ecde7d098ad697d2f870d243a
                                                                                • Opcode Fuzzy Hash: 8c4e2c6fe6dab74a3b7149e9dd2f13f837d451df602b143b8544735e101c3f54
                                                                                • Instruction Fuzzy Hash: 70D1B430A1CA1E4FDB59FA5C94456B9B3E2FB98310F608239D54ED3296DE34B8428BC5
                                                                                Function 00007FF849115C98 Relevance: .4, Instructions: 433COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6362b2d9a6ecbb5a5623212232b89227847f2fae53892424bac8b4ed176ae3e6
                                                                                • Instruction ID: 0133cc8766c0c9ff3eb932a84f0765d75d498bf9235b126693c34042d0ff7318
                                                                                • Opcode Fuzzy Hash: 6362b2d9a6ecbb5a5623212232b89227847f2fae53892424bac8b4ed176ae3e6
                                                                                • Instruction Fuzzy Hash: 39D1F13091CB8A4FE779FF28C8455B2B3E0FF95340F14457DD49AC7696EA29B8428B81
                                                                                Function 00007FF848E607E5 Relevance: .4, Instructions: 426COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 88842cf0e58107e4e9010fd6fb01cbb34d1734780a949534deab1eed092e9b86
                                                                                • Instruction ID: 07725c282cddede995e2a8097194142ce84e79bbce228e15fb566993bd58c75c
                                                                                • Opcode Fuzzy Hash: 88842cf0e58107e4e9010fd6fb01cbb34d1734780a949534deab1eed092e9b86
                                                                                • Instruction Fuzzy Hash: 6BC1B131E1DD598FEB88FB2894556BC77E2FFA9744F4400B9D40EE3296DE38A8028745
                                                                                Function 00007FF848E6BB71 Relevance: .4, Instructions: 423COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c45a3cc9aed6184df93a56f4ba8ba3db9939e34579a8ff85d4c252a4885b10ac
                                                                                • Instruction ID: a8f94afe0b78b38798cb2d9b475d342dfecd4d857406c0539198ccf6593c74e1
                                                                                • Opcode Fuzzy Hash: c45a3cc9aed6184df93a56f4ba8ba3db9939e34579a8ff85d4c252a4885b10ac
                                                                                • Instruction Fuzzy Hash: B3D10120E1CA464EE769B62848912B977D1FFC5390FA5457AC08FE71C3CE3C78828399
                                                                                Function 00007FF848E55BF8 Relevance: .4, Instructions: 422COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8e58d4e3b1ab13d5ea869cc8debfcec949e9a0eea4867c3830065f204a091b32
                                                                                • Instruction ID: d047ab93044a96f54431f6173793a814f5f4bd8e29e65746aeec79a645c01342
                                                                                • Opcode Fuzzy Hash: 8e58d4e3b1ab13d5ea869cc8debfcec949e9a0eea4867c3830065f204a091b32
                                                                                • Instruction Fuzzy Hash: B3C1C131E1DD598FEB88FB2894556BD77E2FF98784F4400B9D40EE3296DE38A8028745
                                                                                Function 00007FF848E73BC4 Relevance: .4, Instructions: 403COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 48d201679b524788f3b7778e8416175d61fad061c473b80bd86ea9c6d2e57f8a
                                                                                • Instruction ID: c3e9e005921f12d8938a6e3b13d057429b43cf5ea91bb4a7f6e7b979051a42fa
                                                                                • Opcode Fuzzy Hash: 48d201679b524788f3b7778e8416175d61fad061c473b80bd86ea9c6d2e57f8a
                                                                                • Instruction Fuzzy Hash: 5AC1233190CA5A4FE7A8EA2CC8416F577E1FF85350F5442BAC44ECB196DF39AC468B84
                                                                                Function 00007FF848E574E6 Relevance: .4, Instructions: 394COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 501992d6b91353331e59c79764cd5144f4f56220f854a3603815f37ff700bc4d
                                                                                • Instruction ID: c3141bd066d7253be32aada8bd82ee18d2e32c57cb3a52d1554e8508450355e0
                                                                                • Opcode Fuzzy Hash: 501992d6b91353331e59c79764cd5144f4f56220f854a3603815f37ff700bc4d
                                                                                • Instruction Fuzzy Hash: 67D1C07090CA8D8FEB68EF2898557E97BE1FF55350F00416AE84DC7292CB34A945CB86
                                                                                Function 00007FF84911059D Relevance: .4, Instructions: 372COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4a655371f4b4fe20845dfb37750a43a6b804505c2738e54a808247e431c54859
                                                                                • Instruction ID: be6ca4b2cb9f77b8ba4c1306e3b3481d83c33cbc71869785a8c7c62b20366468
                                                                                • Opcode Fuzzy Hash: 4a655371f4b4fe20845dfb37750a43a6b804505c2738e54a808247e431c54859
                                                                                • Instruction Fuzzy Hash: 2FC1957091CBC65FE7B4AF1894496BAB7E1FF99750F14067EC48DC3291DE38A8428B81
                                                                                Function 00007FF848E68E3A Relevance: .4, Instructions: 370COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 46b08be7462c70fabd86ac5e1333dcb0263e6578e09607b2df84ea6664f9b7aa
                                                                                • Instruction ID: 973d5bab8d411a8191559277b473a51aeb6741ec77a460aef7ce5aa1e91a31e4
                                                                                • Opcode Fuzzy Hash: 46b08be7462c70fabd86ac5e1333dcb0263e6578e09607b2df84ea6664f9b7aa
                                                                                • Instruction Fuzzy Hash: 92B1F230A1CA1D4FDB49FB5C88456B9B7E2FB99300F54427EC44ED7296DE34B8428B85
                                                                                Function 00007FF849114C80 Relevance: .4, Instructions: 369COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 78f0b0bc5322b0729808746a5ae65be085cb7286d057449ed22d017e3e04c6e1
                                                                                • Instruction ID: 216ffeccc9ec831dd4a47bb9fb30ad9442f78a941a37da83ecde96eac9a6206b
                                                                                • Opcode Fuzzy Hash: 78f0b0bc5322b0729808746a5ae65be085cb7286d057449ed22d017e3e04c6e1
                                                                                • Instruction Fuzzy Hash: D9B10930A1CB894FE758FE1C94855B6B7D1FB95350F14057EE48AC3296EE39F8428B41
                                                                                Function 00007FF848E65608 Relevance: .4, Instructions: 365COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6ec55f8accb64bcb8ad91d10077b15672c2b6c0320bde8c1ed23032bcb2ce859
                                                                                • Instruction ID: 0dd898a8578598c3be4d19937100f614ec6b4cca442965300858473d7476b0d4
                                                                                • Opcode Fuzzy Hash: 6ec55f8accb64bcb8ad91d10077b15672c2b6c0320bde8c1ed23032bcb2ce859
                                                                                • Instruction Fuzzy Hash: 0DB1D031E1D91E5FEB98EA6898556FDB7E1FF98791F14023AD00ED3292DF3868028744
                                                                                Function 00007FF848E5E270 Relevance: .4, Instructions: 364COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7f20ee7013afd4fc3b5c0a5da8cd7e1f153427331fcdcc23e39eafd83acc83be
                                                                                • Instruction ID: a42dbbfad21d0b374a30068160749013b61567c5cdc39c18e20bf3bc7fc89b94
                                                                                • Opcode Fuzzy Hash: 7f20ee7013afd4fc3b5c0a5da8cd7e1f153427331fcdcc23e39eafd83acc83be
                                                                                • Instruction Fuzzy Hash: 00A12B97F0D9925EE31876BDB8141F97B50FFC26B5F0801BBD288CB097EA14684A83D5
                                                                                Function 00007FF848E52019 Relevance: .4, Instructions: 353COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fe4cbbf09b555e6b992a8f5ca7b6ce74d2542abd58e066059f3505018ad9628c
                                                                                • Instruction ID: 241505f1b6c1ba32039efc8bcbd61a73a867e9860e9dc883ec55dc657b83ab4c
                                                                                • Opcode Fuzzy Hash: fe4cbbf09b555e6b992a8f5ca7b6ce74d2542abd58e066059f3505018ad9628c
                                                                                • Instruction Fuzzy Hash: 24B107A6C0EAC15FE30AA6B868561BAFFF0FF03650B4840FFD0898B5D7C9185846C756
                                                                                Function 00007FF848E6CCE0 Relevance: .3, Instructions: 344COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6c27bcbc6b41ee3505f3afc298d9eb7865e48fd8f1ba711d804639cd3b8babae
                                                                                • Instruction ID: feec8b5d55617182cf0811080500b9ee2723cae0a375673a1f8a43e60eb9b39a
                                                                                • Opcode Fuzzy Hash: 6c27bcbc6b41ee3505f3afc298d9eb7865e48fd8f1ba711d804639cd3b8babae
                                                                                • Instruction Fuzzy Hash: 5FA14872D0DA915FE369B63DA4541F57BE0FF423A4F4841BBD08DCB0A3CA2978468399
                                                                                Function 00007FF848E6797E Relevance: .3, Instructions: 329COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5368dd07a30e67de4e1cb11abc9501fd4e77637a641f8e4b1667f1bd1c104864
                                                                                • Instruction ID: 7ef6cac605f75659e9a876ca6da7f25151c1b2f8f8f655489f4227477ca6b613
                                                                                • Opcode Fuzzy Hash: 5368dd07a30e67de4e1cb11abc9501fd4e77637a641f8e4b1667f1bd1c104864
                                                                                • Instruction Fuzzy Hash: FDB1E63090D9894FD755EB78C8566FABBB1FF46340F4846A9C48A9B297CF38B802C744
                                                                                Function 00007FF848E6DD1B Relevance: .3, Instructions: 326COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ca67d704086243f98a688db2bf2db3cdeb32fddd52c1aba2cae1bb5e154193fe
                                                                                • Instruction ID: d926f42292a3de4e60b73e8e79184cbead2c40bdde0c31984fe64e2f3b53a226
                                                                                • Opcode Fuzzy Hash: ca67d704086243f98a688db2bf2db3cdeb32fddd52c1aba2cae1bb5e154193fe
                                                                                • Instruction Fuzzy Hash: A5B1A130A1C6428FE32CAB18D491679B7E0FF55340FA4847DE49FD3692CB39B846875A
                                                                                Function 00007FF8491111F4 Relevance: .3, Instructions: 317COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9c1a6e83793afffb4a2d1f2206d63c58ac7c496be3646d17133dfc4855cedc60
                                                                                • Instruction ID: 359187d99bf64f3b54f6654700072ac8564d7e22f2e41a957a6b504cf0e9d35b
                                                                                • Opcode Fuzzy Hash: 9c1a6e83793afffb4a2d1f2206d63c58ac7c496be3646d17133dfc4855cedc60
                                                                                • Instruction Fuzzy Hash: C7A17031A28E459FDB98FF18D0919A573E1FFA8340B1445ADE04AC36A6DF35F842CB85
                                                                                Function 00007FF848E5D318 Relevance: .3, Instructions: 294COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: def63d03d5b621087dbb7618a5aff88e183c0665df6be91a9a683da74bffe788
                                                                                • Instruction ID: ee919786a354fbeaffc7972ce39ac6b30da6ef2eb0eabde0595d827ce4db7b5e
                                                                                • Opcode Fuzzy Hash: def63d03d5b621087dbb7618a5aff88e183c0665df6be91a9a683da74bffe788
                                                                                • Instruction Fuzzy Hash: 6A91E130A2CA098FEB18EA28D4555B9B3E1FF49740F54467CE09EC3296DF39B802CB45
                                                                                Function 00007FF848E6F650 Relevance: .3, Instructions: 278COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5c4b4c451c326ca47e7481953a74c4c583c4eed7cc668297e2635284609304cc
                                                                                • Instruction ID: a21612c8fccd21a6d515565c1218b9ce7b149941d4d8884eced66fc748974022
                                                                                • Opcode Fuzzy Hash: 5c4b4c451c326ca47e7481953a74c4c583c4eed7cc668297e2635284609304cc
                                                                                • Instruction Fuzzy Hash: 0C715825A2C5670EF31C7A2855451B832D4FFA139DF6851B9D8CBC60D6EF3CE4834299
                                                                                Function 00007FF848E615F8 Relevance: .3, Instructions: 273COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 25d8ab09de9ad4ed9e607b6099597cc55a3d41e107be181fd481ddbf25d0c92d
                                                                                • Instruction ID: a8515b3934706fddbbd190756fbea3e4931120658f02f9aad4342755bfcdad4e
                                                                                • Opcode Fuzzy Hash: 25d8ab09de9ad4ed9e607b6099597cc55a3d41e107be181fd481ddbf25d0c92d
                                                                                • Instruction Fuzzy Hash: 2661F072E2CD5A5FF3A8A66CA4492B967D1FB98B94F04027AD80EC32C7DF646C434245
                                                                                Function 00007FF848E6AB1A Relevance: .3, Instructions: 270COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d47bc2d3dc8c7b0831b280b706606e276de7aad8a3d2d06e4e0fe47efc4d7a82
                                                                                • Instruction ID: e7856f821e8eafab294b13ce1edd1c6cdb6c2b3382d5c01b02a7f9d1e4a89b72
                                                                                • Opcode Fuzzy Hash: d47bc2d3dc8c7b0831b280b706606e276de7aad8a3d2d06e4e0fe47efc4d7a82
                                                                                • Instruction Fuzzy Hash: 2B915F74A1894A8FDB88EF1CC494AAA73E1FFA8340F5445A8D41DD7296DB35FC92CB40
                                                                                Function 00007FF848E761FA Relevance: .3, Instructions: 269COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9ef8d5b9c738f22cde5922ff4f99be6fd68fe2facd4ff0e4557f8731a33cb575
                                                                                • Instruction ID: cf4d5b6769feda448f1b48e4b671bedd487fc928825c5b1698d8067894614135
                                                                                • Opcode Fuzzy Hash: 9ef8d5b9c738f22cde5922ff4f99be6fd68fe2facd4ff0e4557f8731a33cb575
                                                                                • Instruction Fuzzy Hash: 3371282160EA891FE749FB7898561F97BE1DF87260F0800EED48ACB1E3DD196843C345
                                                                                Function 00007FF849117A01 Relevance: .3, Instructions: 263COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b8124756d343f83d46e4eb0492b6d13ae34c55a95053daa8c3427d22bc586aca
                                                                                • Instruction ID: 4a1253b38146ad5a6a1be595fc227be4840a959d78bc4c2637ae66c66cdf79bb
                                                                                • Opcode Fuzzy Hash: b8124756d343f83d46e4eb0492b6d13ae34c55a95053daa8c3427d22bc586aca
                                                                                • Instruction Fuzzy Hash: 9581F361A0DBC55FE767AB3858661B03FE1EFAB250B0901FBD089CB2D3ED186C068751
                                                                                Function 00007FF848E6A4B8 Relevance: .3, Instructions: 261COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f3621b05ba4780350948e45cc1742fb705cc1bb444315a8ef55389770c69ce8e
                                                                                • Instruction ID: 42a86577f5bc3c0fd40295953129922c7dd8664409b1314f9de91773d3419186
                                                                                • Opcode Fuzzy Hash: f3621b05ba4780350948e45cc1742fb705cc1bb444315a8ef55389770c69ce8e
                                                                                • Instruction Fuzzy Hash: 5981113091CB854FE768FB28C4966BAB7E1FF95340F5445BED48AC7292DE34B8028785
                                                                                Function 00007FF849110608 Relevance: .3, Instructions: 255COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d9ddd687b598980c6aa98966dc2024f538aff63bbfdede68ab412d5d026e0703
                                                                                • Instruction ID: 6b883d77e099a8073e7467e6408dbda63bcd11226b167c6b79ed956a2a2c2fa6
                                                                                • Opcode Fuzzy Hash: d9ddd687b598980c6aa98966dc2024f538aff63bbfdede68ab412d5d026e0703
                                                                                • Instruction Fuzzy Hash: B5713AA2D4D9566EF72DBA68F0421F83391FF443A4F08517AD04D8A1D3DE1DB8828A95
                                                                                Function 00007FF8491182E1 Relevance: .3, Instructions: 254COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 82e5f58fa55768b9cfce061958eef4fca976f3c402065254520ac26a98256a7e
                                                                                • Instruction ID: 03ab3605f605fd420bdfc294011094ba4249adc456ff11ec5d667dd386254f15
                                                                                • Opcode Fuzzy Hash: 82e5f58fa55768b9cfce061958eef4fca976f3c402065254520ac26a98256a7e
                                                                                • Instruction Fuzzy Hash: 7B710730A1CA896FE359EE28984657577E1EF9A750B0441FDD48EC3593EE2CE803CB45
                                                                                Function 00007FF848E6A5A8 Relevance: .3, Instructions: 254COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b3ec7eb892307c7fab53a620f022e616ffce3f4306944c5d4dcf7131c3c82523
                                                                                • Instruction ID: b1b623fa2fa11b221f13966132245318c51802895108a58bf8f7a87d88ab50ca
                                                                                • Opcode Fuzzy Hash: b3ec7eb892307c7fab53a620f022e616ffce3f4306944c5d4dcf7131c3c82523
                                                                                • Instruction Fuzzy Hash: DB710B21E0EA828FE759B63848165757FE0FF47291F4845FAD489CB1E3DE2C640A8396
                                                                                Function 00007FF8491188B0 Relevance: .2, Instructions: 249COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e458b2dad87fd91c793da4c4f0e57fb114b539cdc53fd1f2c323f68fab6a494b
                                                                                • Instruction ID: 8247aa10df409c23d5a5c1ee0c05549fc1e0725b202b51ea521f7672f206746a
                                                                                • Opcode Fuzzy Hash: e458b2dad87fd91c793da4c4f0e57fb114b539cdc53fd1f2c323f68fab6a494b
                                                                                • Instruction Fuzzy Hash: 93617D30B188494FEAE4FB2CD498B7977D2FF98751B0400B6D50DD72A6EE28DC428B40
                                                                                Function 00007FF848E72125 Relevance: .2, Instructions: 248COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 86475419372844f05380a395094628d61aae3dcbeed538e1fcb1630df790deae
                                                                                • Instruction ID: 6ede3a4735c4cfd43c96c1b9f0bdea8a57fbec31be5db3eb9958021ca1e0f09a
                                                                                • Opcode Fuzzy Hash: 86475419372844f05380a395094628d61aae3dcbeed538e1fcb1630df790deae
                                                                                • Instruction Fuzzy Hash: 49714630A0CA894FE759EB2C9855AB677E1FF96350F0440BED48EC3297DE35E8428785
                                                                                Function 00007FF848E5E7AD Relevance: .2, Instructions: 246COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e54be9b174d04ac92261f0cb5f3635e1ede0275cde2eb53ca5b5ad7d920f7558
                                                                                • Instruction ID: 81b44fb4f2f618bd42a1ce902ca18c08ac3b0b40090c36804534452ab98dde9d
                                                                                • Opcode Fuzzy Hash: e54be9b174d04ac92261f0cb5f3635e1ede0275cde2eb53ca5b5ad7d920f7558
                                                                                • Instruction Fuzzy Hash: 1C714A60A1DAC95FE759E7B888563BAFFE1EF4A750F1440BED08AC7283CD285806C751
                                                                                Function 00007FF848E6B289 Relevance: .2, Instructions: 240COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cf118796546979aacae60e1c9fcce9d60bca4669ac8304e4620aa5fa66dd7573
                                                                                • Instruction ID: 485e04a2dfd8ff4c76b7819ff6959b226ba969dadaccef2c13211a457901199a
                                                                                • Opcode Fuzzy Hash: cf118796546979aacae60e1c9fcce9d60bca4669ac8304e4620aa5fa66dd7573
                                                                                • Instruction Fuzzy Hash: 72613911A4EAC60FD397977C58642A13FE1EF8B660B4901FBD088CB197D95D6C0BC352
                                                                                Function 00007FF848E5F374 Relevance: .2, Instructions: 235COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3471f13de1342438d92d4c66e7c654422e16cf724dfb3078c6f481263225b923
                                                                                • Instruction ID: ce5c3608b011026f3b20f6ffa61455a343c5f724a64b5c64ed74fa6369a6798b
                                                                                • Opcode Fuzzy Hash: 3471f13de1342438d92d4c66e7c654422e16cf724dfb3078c6f481263225b923
                                                                                • Instruction Fuzzy Hash: 3771D77190E6C91FE752A7B888251E9BFB0EF47250F4841EAD8C8DB1A3DA19580BC752
                                                                                Function 00007FF848E530FA Relevance: .2, Instructions: 228COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0bc73ae38e82d59d0ce8c06587a99b8b83d7fdbfcf1d45f85d5e00ef108f7785
                                                                                • Instruction ID: 9e3899cff82398fb80a5398cf8ed206075fdfc600088e218e1dee1a053fd339c
                                                                                • Opcode Fuzzy Hash: 0bc73ae38e82d59d0ce8c06587a99b8b83d7fdbfcf1d45f85d5e00ef108f7785
                                                                                • Instruction Fuzzy Hash: 406138B6D0DA965FE746FBBC98591F9BBA0FF43690F8800BBD048CB193DA2458068355
                                                                                Function 00007FF848E6A5D0 Relevance: .2, Instructions: 225COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6612bab8d31c95d7fbe2e2005486e7f241623fb4e4644eadb4b3a1670262dc97
                                                                                • Instruction ID: 059feb790bfc06e125131d430f83bc0ca7b3f1a2308988f543b25d132cf555f2
                                                                                • Opcode Fuzzy Hash: 6612bab8d31c95d7fbe2e2005486e7f241623fb4e4644eadb4b3a1670262dc97
                                                                                • Instruction Fuzzy Hash: CB710421A0C74A8FF778BA2894902B977A1FF46380F4441BAC49E871C7DF3E6845935A
                                                                                Function 00007FF848E65C62 Relevance: .2, Instructions: 222COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: eea28a80573803b89cf78b85ca98625dd5b1ec29204d787a4256f9d528c5404f
                                                                                • Instruction ID: fdb420435ada3d255464be509424cf708072ed087e67f282be6649ede5942dbc
                                                                                • Opcode Fuzzy Hash: eea28a80573803b89cf78b85ca98625dd5b1ec29204d787a4256f9d528c5404f
                                                                                • Instruction Fuzzy Hash: E451383190D6DA1EE766673458191F67FE0FF93260F4901FBD088DB0D3DA28280AC392
                                                                                Function 00007FF849110F25 Relevance: .2, Instructions: 220COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 977a1bfaf71907719c059bc7ad1b76856869adc665a4adae762120936fb3517c
                                                                                • Instruction ID: 5efc6a51d9e5cfb9ed4323661af2527223d5933604869e9ff88a5b1d07aabd76
                                                                                • Opcode Fuzzy Hash: 977a1bfaf71907719c059bc7ad1b76856869adc665a4adae762120936fb3517c
                                                                                • Instruction Fuzzy Hash: C2517BE3D4D9963EE6297A7CB4464F86780EF593B0F0C5677D08D8A0C3ED08284289A8
                                                                                Function 00007FF848E66690 Relevance: .2, Instructions: 220COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8bd15cf005fbfd7b10441ca67877188bce714b8721b1c0523d52e74f09507314
                                                                                • Instruction ID: dda06520d576d6f33009b3c014868d7f0d67135f496a45e14b5297d5c5bb999b
                                                                                • Opcode Fuzzy Hash: 8bd15cf005fbfd7b10441ca67877188bce714b8721b1c0523d52e74f09507314
                                                                                • Instruction Fuzzy Hash: C551593093CA498FE71CAE2894C11B9B7E1FF61361F54067CD8DB93593EA34B8038684
                                                                                Function 00007FF848E5A348 Relevance: .2, Instructions: 213COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7564ee296cf3fd6c99a7bba477cffb21cc617acac53419e42aec277771a9b5b4
                                                                                • Instruction ID: 32484aab5807ff73eb31aefbe81ae2d7b3205846a23cfb2b3f98018dbcc5841f
                                                                                • Opcode Fuzzy Hash: 7564ee296cf3fd6c99a7bba477cffb21cc617acac53419e42aec277771a9b5b4
                                                                                • Instruction Fuzzy Hash: 49613A71E1ED895FEB58EBB8A4455BDBBE2FF54690F0401BDC009D728BCE3868468784
                                                                                Function 00007FF848E61518 Relevance: .2, Instructions: 210COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0bdcfdd83c8c0cf10fd92bc6b5c7d61a39f86d824cc65e369879466997b30190
                                                                                • Instruction ID: 6bbbf7dc9b4dfe25df533aafb723cb0a18d6887183660b958d2b12b77f7290a2
                                                                                • Opcode Fuzzy Hash: 0bdcfdd83c8c0cf10fd92bc6b5c7d61a39f86d824cc65e369879466997b30190
                                                                                • Instruction Fuzzy Hash: B5712931C0E6855FE76AFB2884555A97BA0FF41390F4801FAD048DB1A3DB3AB849C795
                                                                                Function 00007FF848E68760 Relevance: .2, Instructions: 210COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0a0fde556fa37258b565a080f11716bce7f6f90d68a87cb46ea90eab5a2c137d
                                                                                • Instruction ID: c445c04bc40acab13e79d7bb53a3758d8a9bec7dda302ae4b87c67f287507dc2
                                                                                • Opcode Fuzzy Hash: 0a0fde556fa37258b565a080f11716bce7f6f90d68a87cb46ea90eab5a2c137d
                                                                                • Instruction Fuzzy Hash: 91613830A0CA864FDB99EB2CC4446B1BBE2FF95350F5446BAD48ACB196DB35F841C780
                                                                                Function 00007FF848E64ED3 Relevance: .2, Instructions: 203COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2b27eaf33f377471f26ab456cf6b576fce1fd741647e0da316d3f1bf828cc422
                                                                                • Instruction ID: 42b6b04a606631c0422cb488217e14aef619fbfaa37412142a876ab90d41ef24
                                                                                • Opcode Fuzzy Hash: 2b27eaf33f377471f26ab456cf6b576fce1fd741647e0da316d3f1bf828cc422
                                                                                • Instruction Fuzzy Hash: C541F0A7F4D9362ED2197AFDB8111E8BB00EF812F6B485277D748CA093DA05104A87F9
                                                                                Function 00007FF848E622A8 Relevance: .2, Instructions: 202COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6683fc29dbe0df0d93ee51432ac9474a57540dbb1a51037017169e544781588e
                                                                                • Instruction ID: 93a7fae1fb13773b62d2d4dfe510b6116ae4bddade83d9fa4b52ca6fc0bac552
                                                                                • Opcode Fuzzy Hash: 6683fc29dbe0df0d93ee51432ac9474a57540dbb1a51037017169e544781588e
                                                                                • Instruction Fuzzy Hash: E3511531D0C64A8FEB64EA28D8805E97BA0FF95390F4401BAD448EB1D7DF39B846C385
                                                                                Function 00007FF848E65630 Relevance: .2, Instructions: 199COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ae596dcd7b8b0432cd3bdab304d1495059148c20f9b63f3a76cc8627c5b56d66
                                                                                • Instruction ID: d90820fb1fa88ec1fd0038aba965cc0f22bacb4e0a9d47d915f08166a66d983d
                                                                                • Opcode Fuzzy Hash: ae596dcd7b8b0432cd3bdab304d1495059148c20f9b63f3a76cc8627c5b56d66
                                                                                • Instruction Fuzzy Hash: 9B517071E0CA4A8FEB48FF6898555BDBBE1FF98384F14017AD409E3296DF3858018755
                                                                                Function 00007FF848E668A1 Relevance: .2, Instructions: 195COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 517ea2ece283bc093b1df44b0b21ba88297d1f6668b4a1649f85b8b00f53ec53
                                                                                • Instruction ID: 2dae34860b3c7b06727844524bcbf8abf164e23c170282b84e76738fc1f18d2f
                                                                                • Opcode Fuzzy Hash: 517ea2ece283bc093b1df44b0b21ba88297d1f6668b4a1649f85b8b00f53ec53
                                                                                • Instruction Fuzzy Hash: 46512A2191E6D98FE792B33458155F57FA0FF43390F4901FAD88CDB0A3DA29790A8396
                                                                                Function 00007FF848E6A4D8 Relevance: .2, Instructions: 193COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4dcadc98395a7e5e3568cc1d1a47b3b44623b4320d549ee0177ffda17a08a5cb
                                                                                • Instruction ID: e4fdef02651795c1672d2189f6c279ed1065ad02c35437c9bea01a341d836f96
                                                                                • Opcode Fuzzy Hash: 4dcadc98395a7e5e3568cc1d1a47b3b44623b4320d549ee0177ffda17a08a5cb
                                                                                • Instruction Fuzzy Hash: AC51DE30A0CE468FE768AA3A885157AB3D2FF94380F94853ED49ED3285DF34F8028345
                                                                                Function 00007FF848E5400C Relevance: .2, Instructions: 193COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e2673baf544c015e6cb6e2d8727cb556b33829ed9abb68ce2b60569114a6ac64
                                                                                • Instruction ID: 4cdad4b790d249a90546240e6c159bc5ba1707a3fe4ad639015fb793b8e264b5
                                                                                • Opcode Fuzzy Hash: e2673baf544c015e6cb6e2d8727cb556b33829ed9abb68ce2b60569114a6ac64
                                                                                • Instruction Fuzzy Hash: 77518F70908A1C8FDB58EB58D845BE9BBF1FB59310F1082AAD44DD3252DF34A9858F82
                                                                                Function 00007FF848E5D198 Relevance: .2, Instructions: 186COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2f7abe6c25459c0eae936568002ed6186542581c4f22cf7bc3e1bbbea769aca7
                                                                                • Instruction ID: ef7062aa1f1974f408722684e00d7e5bae4e68356abad55ccbe279054e7a77da
                                                                                • Opcode Fuzzy Hash: 2f7abe6c25459c0eae936568002ed6186542581c4f22cf7bc3e1bbbea769aca7
                                                                                • Instruction Fuzzy Hash: 7E51573190C94E8FEB64EA28D4405E9BBA0FF95390F4802BAD409EB1D7DF34B946C785
                                                                                Function 00007FF848E672B9 Relevance: .2, Instructions: 181COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 54e3af99b26ae177ca61a86225d3f04c88d24b3bbae595a6fe01716c45e4821e
                                                                                • Instruction ID: 48e76ee01cfe81a538fd3f19e8d7b0492114168a8ce18c17442d9a842853b9fe
                                                                                • Opcode Fuzzy Hash: 54e3af99b26ae177ca61a86225d3f04c88d24b3bbae595a6fe01716c45e4821e
                                                                                • Instruction Fuzzy Hash: 4951F53090CA8A8FEB85EF28C8517A977A1FF5A340F5406A9D459DB2D2CF35B812CB41
                                                                                Function 00007FF848E5D298 Relevance: .2, Instructions: 179COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9a649fd0fc16eca48334243d7569cc423998d1ed9d2204b913230b435c3aa60f
                                                                                • Instruction ID: 2a47d5399698253cec8960e7a79adabed775cf7e851ddba10a3b28d21a2ee018
                                                                                • Opcode Fuzzy Hash: 9a649fd0fc16eca48334243d7569cc423998d1ed9d2204b913230b435c3aa60f
                                                                                • Instruction Fuzzy Hash: 7E51273190D6D90FF776B6B458155FA7BA0FF423A0F4902BBD499C70E3DE28250A8786
                                                                                Function 00007FF849110808 Relevance: .2, Instructions: 178COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 201424f9ff484b573ac392a61c5c12a2d24e169f106c11acee67e4e58e5220c8
                                                                                • Instruction ID: d47f11d3f5e540a6f9f98390c02af187376f034a8e8b7ccac26443566e205826
                                                                                • Opcode Fuzzy Hash: 201424f9ff484b573ac392a61c5c12a2d24e169f106c11acee67e4e58e5220c8
                                                                                • Instruction Fuzzy Hash: 36518521E0C9865FFBB8AE28949467567E1FFA9744F1441BAD00EC7286DE29DC46CB40
                                                                                Function 00007FF848E5E84D Relevance: .2, Instructions: 178COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c01f265783e27b5ef751e8b5b68cc34743d90b0269ce4fb31dace2dc4f44156d
                                                                                • Instruction ID: 8c9be0eafdbb601541cb7ea9c6f6e74e533a499a8e02742d490db61f0336b670
                                                                                • Opcode Fuzzy Hash: c01f265783e27b5ef751e8b5b68cc34743d90b0269ce4fb31dace2dc4f44156d
                                                                                • Instruction Fuzzy Hash: 4A512660A1DA895FE749E7B894563BEFBE1EF49740F2440BDC44AC7287CD2868028785
                                                                                Function 00007FF848E5E550 Relevance: .2, Instructions: 177COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d9a319612fef041b162628c6b9d26de6cf7137ef06df8020a597939319ce3d99
                                                                                • Instruction ID: 7d3f8e12c4dff2f000aa9bdd25f1f645e57d30e362f583acdf23851d4db5c0bb
                                                                                • Opcode Fuzzy Hash: d9a319612fef041b162628c6b9d26de6cf7137ef06df8020a597939319ce3d99
                                                                                • Instruction Fuzzy Hash: 3041D031A0CA194FE758B66C94162F9B7E1FF89360F4405BAD44ED7292DE38A8424385
                                                                                Function 00007FF848E64115 Relevance: .2, Instructions: 176COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 56aa5f431159a6a10c78fe31c1075a860e6a256dcb47681515bb182991013dc9
                                                                                • Instruction ID: 303901c16e75aa7d081c9a7377eb20e2d68c05aff5b2f9e62ea4a560ff83e936
                                                                                • Opcode Fuzzy Hash: 56aa5f431159a6a10c78fe31c1075a860e6a256dcb47681515bb182991013dc9
                                                                                • Instruction Fuzzy Hash: 90511530A0DA8A4FE796F7B498566FA7BE0FF16354F9401BAD009D71A2CF2D6842C345
                                                                                Function 00007FF848E6F9CF Relevance: .2, Instructions: 173COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 156a8b9835f25afe75bf595169b2eff17cca02ab8f08af4fe6f0ec40d9575a67
                                                                                • Instruction ID: a0b88222c0642c0b657488d6d2666f29541f908f7a8d98cfca84126378669aef
                                                                                • Opcode Fuzzy Hash: 156a8b9835f25afe75bf595169b2eff17cca02ab8f08af4fe6f0ec40d9575a67
                                                                                • Instruction Fuzzy Hash: 2541D131B2CE4A4FEB98BA2C645567972D1FF98340F5401BAD44AC3296DF34EC428786
                                                                                Function 00007FF848E61E5E Relevance: .2, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 48f371b239a3ec9e11417bbf17b879722ec389cdfbfbfc5758bc8f5e1f894997
                                                                                • Instruction ID: b5760475272a7e3dfda58355d8314cd9d7ca0ce141a22ef05c015792aa6e7aa7
                                                                                • Opcode Fuzzy Hash: 48f371b239a3ec9e11417bbf17b879722ec389cdfbfbfc5758bc8f5e1f894997
                                                                                • Instruction Fuzzy Hash: E8512831C0C6894FE766EA68C4555E87BE0FF55350F4402BAD45DEB2E2DF3AB8068784
                                                                                Function 00007FF848E649A0 Relevance: .2, Instructions: 164COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5245a3062fc49766be7527495dcd70ebbc2273e7382c1015843c50024015eb2a
                                                                                • Instruction ID: e4eaa559baa3b86a327f6a20262e7bb30cddd737f475e53ec319e83bb678670d
                                                                                • Opcode Fuzzy Hash: 5245a3062fc49766be7527495dcd70ebbc2273e7382c1015843c50024015eb2a
                                                                                • Instruction Fuzzy Hash: 8D412631F1DD0A4FE7ACE62C644A17933D1FF99261B5400BED40EC32E6EE25BC428285
                                                                                Function 00007FF848E5D290 Relevance: .2, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fcb412820754a1be4cdebb66be4b4f182dff66181e9445bb45a9f90a9e152b21
                                                                                • Instruction ID: 84755cf7b8c450126537b37e3b2e50eca009c128c7b35d56c968a9c37e9ab444
                                                                                • Opcode Fuzzy Hash: fcb412820754a1be4cdebb66be4b4f182dff66181e9445bb45a9f90a9e152b21
                                                                                • Instruction Fuzzy Hash: 2741157190CA094FE751FA68D4496FEB7E1FF88361F44057AE04DD71A1DE34A8468781
                                                                                Function 00007FF848E6ED45 Relevance: .2, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b72039c7ce5d7fb3a29a569e9af8b4632a8df3222f03249af4e700f467cfa0ac
                                                                                • Instruction ID: ae60a033e442630bd669517c3e104abe417eef871358923c8baefff445b500a7
                                                                                • Opcode Fuzzy Hash: b72039c7ce5d7fb3a29a569e9af8b4632a8df3222f03249af4e700f467cfa0ac
                                                                                • Instruction Fuzzy Hash: 4E41D421E0EAC68FE756A73848651787FF0EF57250B1D01EBD489CB1E3D928AC06C756
                                                                                Function 00007FF848E64AFF Relevance: .2, Instructions: 162COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a2b473829f414f233fe8a6d3a5821d8ab792b171f6d7d3681a480b6da1c38cd2
                                                                                • Instruction ID: b431834c9f21fa8b92e5614dc65659685148597b5921c9c54f364723fe39dd53
                                                                                • Opcode Fuzzy Hash: a2b473829f414f233fe8a6d3a5821d8ab792b171f6d7d3681a480b6da1c38cd2
                                                                                • Instruction Fuzzy Hash: 0D514831D0CA8A4FD759EB6CA4551F9BBF0FF19350F8801BAD449DB293DA34A8068789
                                                                                Function 00007FF848E6D63D Relevance: .2, Instructions: 161COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 35f4703370499e72da8f601cd8dfcf4d6849511d0cab74c6d9047164d76e5a58
                                                                                • Instruction ID: 7f518cfc9d7b7810b4db0384793506ee55458e86b532917fca2fc19148032ff3
                                                                                • Opcode Fuzzy Hash: 35f4703370499e72da8f601cd8dfcf4d6849511d0cab74c6d9047164d76e5a58
                                                                                • Instruction Fuzzy Hash: 9051FC30A0CA498FE71AAB2884486A177E1FF55340F9444BEC49AC7292DF3AB842C795
                                                                                Function 00007FF848E5B025 Relevance: .2, Instructions: 161COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cb9c2bb01acc2256d65a071b22f2500ac9735080070dbdafdfcdd83906b3e62b
                                                                                • Instruction ID: 95f0657373c8ce53852877a6dbae8c16eeb5dd55aa8cc48c11353b5a234970e2
                                                                                • Opcode Fuzzy Hash: cb9c2bb01acc2256d65a071b22f2500ac9735080070dbdafdfcdd83906b3e62b
                                                                                • Instruction Fuzzy Hash: 4F414E7051EE854FD356EF78445A0B6BFE0EF5A660B4400FDD4898B1A3CA196807C345
                                                                                Function 00007FF848E68059 Relevance: .2, Instructions: 156COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cc65626a288cc2ed2c5fae4308276d2df37a9f16217b397ef14ad7f8bb1d98bf
                                                                                • Instruction ID: bd4fc28efd3cc4417f5926cff380d7eb39f11cb16a69fb32bd789d68142570c1
                                                                                • Opcode Fuzzy Hash: cc65626a288cc2ed2c5fae4308276d2df37a9f16217b397ef14ad7f8bb1d98bf
                                                                                • Instruction Fuzzy Hash: 52410A3150EA895FD756EB7884965AA7FF1EF47250F4805EDD489CB2E3CA28A807C341
                                                                                Function 00007FF848E70285 Relevance: .2, Instructions: 154COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 688f8ddb0d84c420fdf5055a79b4db216673c57bd3671be9a04b58bb4724b3cf
                                                                                • Instruction ID: d40bad65b0596d79d8c83d0bbc143983d13db90a88a91d62e8fdcdea2ca1d1c4
                                                                                • Opcode Fuzzy Hash: 688f8ddb0d84c420fdf5055a79b4db216673c57bd3671be9a04b58bb4724b3cf
                                                                                • Instruction Fuzzy Hash: 3E310471D0CE0D8FDB98EB5894096BAB7E1FF68711F10017ED44AD3252DE34A8428785
                                                                                Function 00007FF848E5F6A0 Relevance: .2, Instructions: 154COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c6d36b0aaf9996bc804247aabdfdb26adb657bd3b4b50bffb2629e523cb2507c
                                                                                • Instruction ID: ba7d8d6b0ae1256c1385eab0dc1ed1fdd58559b82a38a2c4714cda376cf78955
                                                                                • Opcode Fuzzy Hash: c6d36b0aaf9996bc804247aabdfdb26adb657bd3b4b50bffb2629e523cb2507c
                                                                                • Instruction Fuzzy Hash: FB415471E1C91A4FDB48FB98E452AA9F3E1FF98350F105179E50EC7297CE34E8828685
                                                                                Function 00007FF849110FFA Relevance: .2, Instructions: 153COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6804dd785a36f2fad5dd59008d6d0ac358a79b65211da0cea59fa42897d5cabf
                                                                                • Instruction ID: ed6239df543d25a6da523d5fe8fd3eb131627925e2ca3c94ee5e9585e83410aa
                                                                                • Opcode Fuzzy Hash: 6804dd785a36f2fad5dd59008d6d0ac358a79b65211da0cea59fa42897d5cabf
                                                                                • Instruction Fuzzy Hash: 3D414693D4D9D63EE26D753CB4465F8A780EF996B4F0C52B7C04D860C3ED0C684685A5
                                                                                Function 00007FF848E68243 Relevance: .2, Instructions: 153COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6e328220d86a5e7252d30314e882f203a0d1fb94babc21a2936b0207302f75e0
                                                                                • Instruction ID: 01634316d4441f4173c74cd784981948b23528b5cd88cb1a089bf7a03724681e
                                                                                • Opcode Fuzzy Hash: 6e328220d86a5e7252d30314e882f203a0d1fb94babc21a2936b0207302f75e0
                                                                                • Instruction Fuzzy Hash: 42412221B1CD5A0FEA88B72C54562BCB3C2FF99791F5402B9D84ED3297DE28BC034285
                                                                                Function 00007FF848E6C130 Relevance: .2, Instructions: 151COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f14876f661b323a69f157d5ea87c85035aea154b043889b07ef2c1cc0fcfc488
                                                                                • Instruction ID: 76fceb0c4e250682f0d23cb394f5f739b6a12a97f9fd6e7f97cb6bb8670c52ce
                                                                                • Opcode Fuzzy Hash: f14876f661b323a69f157d5ea87c85035aea154b043889b07ef2c1cc0fcfc488
                                                                                • Instruction Fuzzy Hash: 7D412F30A1CE468FE769E6399895AB173E1FF94340F84457DC88EC3296DF39B8828344
                                                                                Function 00007FF848E5D190 Relevance: .1, Instructions: 149COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6f551bbb3eb2579dfabb613ab90c1d7d5660ecc2112fc2444fdaa99a6dff9b8f
                                                                                • Instruction ID: 8d398145ffe0fbbce4e5b187c24462da294ccd0b855d0f604f3382f7e7a5827a
                                                                                • Opcode Fuzzy Hash: 6f551bbb3eb2579dfabb613ab90c1d7d5660ecc2112fc2444fdaa99a6dff9b8f
                                                                                • Instruction Fuzzy Hash: D041F43190C64D8FDB55FB64D4055E9BBA0FF55354F4002BED40EEB1A2DF3AA8098B80
                                                                                Function 00007FF848E5AAB0 Relevance: .1, Instructions: 148COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 319862388086477859cc43220b96f61023843378b548a62f0f953cb4529ce225
                                                                                • Instruction ID: 07a12696dea1fac1a50c447fb2f4c4645b5512643c76219ffda37a46247ae9ba
                                                                                • Opcode Fuzzy Hash: 319862388086477859cc43220b96f61023843378b548a62f0f953cb4529ce225
                                                                                • Instruction Fuzzy Hash: C441DB91E0FDC60FE656B3B8141117DAFA1FF46A90F4401BBD049C71D7CA285986A399
                                                                                Function 00007FF848E5A1FB Relevance: .1, Instructions: 148COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bdd49182f2b738c1982feccc5f62d0eb32ae54ab927a2d280c1d2ed3fbf46ff0
                                                                                • Instruction ID: 41cb4dfc1a76e061376482349a0c1c46c1ca7fffae832a48c127f56bfd5c6c50
                                                                                • Opcode Fuzzy Hash: bdd49182f2b738c1982feccc5f62d0eb32ae54ab927a2d280c1d2ed3fbf46ff0
                                                                                • Instruction Fuzzy Hash: 0641E47580F7C55FE31797749C5A9A57FA0EF032A0F0802EBD095CB0E3EA696846D362
                                                                                Function 00007FF848E58B1F Relevance: .1, Instructions: 148COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 446d16031e27d890a1ba73e8fdc83bd71fe91b394fdeaf9c85b12cb25038c216
                                                                                • Instruction ID: 1d765d317fad0e951fff48c6307591d7a721c92c1251111078c70f0309cd989f
                                                                                • Opcode Fuzzy Hash: 446d16031e27d890a1ba73e8fdc83bd71fe91b394fdeaf9c85b12cb25038c216
                                                                                • Instruction Fuzzy Hash: 5F412B80A0DE8A5FE799B7B844172BAFBD0EF01280F5845BDD449876D3CE2868078709
                                                                                Function 00007FF848E6C800 Relevance: .1, Instructions: 148COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2fe45ab1ee77e36e064416aa9a40f8ec36fa11642bcd68f4430ca72b68e5b75d
                                                                                • Instruction ID: 9c4bc0d42f74a496df6c0ca391915e8090f3f17a838de297338ecd5d653447fc
                                                                                • Opcode Fuzzy Hash: 2fe45ab1ee77e36e064416aa9a40f8ec36fa11642bcd68f4430ca72b68e5b75d
                                                                                • Instruction Fuzzy Hash: C4413631A0CA464FD368EA6C98952B6B7E1FF85354F0845BED44DC7296DB34AC428784
                                                                                Function 00007FF848E5A55D Relevance: .1, Instructions: 145COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 66e0c16464b14625a290290cc3d1def295aea03b58d4612e9a14920442a1587e
                                                                                • Instruction ID: 0b4be589e9e3394995dd5c4ee81a3ee486927f59fc8ac6f01e40cc15a310fca8
                                                                                • Opcode Fuzzy Hash: 66e0c16464b14625a290290cc3d1def295aea03b58d4612e9a14920442a1587e
                                                                                • Instruction Fuzzy Hash: 0841E16084FBCA1FD717EBB448254A97FB1DF03280B4844EED8858F1E3CA19545AD316
                                                                                Function 00007FF848E5D170 Relevance: .1, Instructions: 142COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e99b4b0e2edcf6bee0e1ce4ac3c143e199af3b9045e4ff37a28b4825179d4666
                                                                                • Instruction ID: 373610da1e2a4d1b7315e569d8ff1853c211f0f560857035d42ed543a9318b08
                                                                                • Opcode Fuzzy Hash: e99b4b0e2edcf6bee0e1ce4ac3c143e199af3b9045e4ff37a28b4825179d4666
                                                                                • Instruction Fuzzy Hash: 4A41033090C6894EDB29EA3894019EDBBE1FF063A4F5402BDD84AAB5D3DF25B5068745
                                                                                Function 00007FF849110525 Relevance: .1, Instructions: 138COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a0ac8fca7ce2daa77e23c2e18e5a0129e0b55f5392d29b93793ca11ebfc63919
                                                                                • Instruction ID: e053c6e620a2a8128f244666284472a6c742cd190676038dbc794e0a97a5c119
                                                                                • Opcode Fuzzy Hash: a0ac8fca7ce2daa77e23c2e18e5a0129e0b55f5392d29b93793ca11ebfc63919
                                                                                • Instruction Fuzzy Hash: C5316E62D1CA951ED71DB62CA0465F977D0EF96360F04947FE08E871D3DE28A8438786
                                                                                Function 00007FF848E68560 Relevance: .1, Instructions: 138COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cd712b214bf93cd15410911e298139d7274713622011fbd8a811abc6234a04f8
                                                                                • Instruction ID: 4053b0f2aec0f40c0ff529fa92529059107498d7bc6a147d9278db379d1504f9
                                                                                • Opcode Fuzzy Hash: cd712b214bf93cd15410911e298139d7274713622011fbd8a811abc6234a04f8
                                                                                • Instruction Fuzzy Hash: 4841F12180D6D94EE763B73458255F57FA0FF43390F8901F6D588D7093DA2D390A8396
                                                                                Function 00007FF848E65338 Relevance: .1, Instructions: 137COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6ef7631df50f23aa537f1068416a06ec36de180e1c767289c7628ccc1d55af0a
                                                                                • Instruction ID: 541299c5a221b4ee514eeab42309d6a7dce22bc42dc09610bb7423fdbcabb716
                                                                                • Opcode Fuzzy Hash: 6ef7631df50f23aa537f1068416a06ec36de180e1c767289c7628ccc1d55af0a
                                                                                • Instruction Fuzzy Hash: 0D314822E0DD8A4FD3A9A73C98266A577D0FF86790F4A41FAD489C7197DE2C6C028341
                                                                                Function 00007FF848E62E50 Relevance: .1, Instructions: 137COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d10a67753f2e4bc2b74d84055278ee1740b25df2730bdafb3f73d2ef88fd5665
                                                                                • Instruction ID: 96789861f1e4512e55137239617d635557219a8f25bd87ed742eb617eca83b5c
                                                                                • Opcode Fuzzy Hash: d10a67753f2e4bc2b74d84055278ee1740b25df2730bdafb3f73d2ef88fd5665
                                                                                • Instruction Fuzzy Hash: 9A411831A1EB8A5FE395AB3C94651B97BE0FF55360F0402BBD049C72D6DF2498068386
                                                                                Function 00007FF849110520 Relevance: .1, Instructions: 136COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a7ffb64dfb9c99e0bd74d4b70ae97b54e8871aa3ea3adb5a7f34088d59bdf94d
                                                                                • Instruction ID: ba27479da210881d3ed4490ae3d3dcff93cca21ecc10a0454b9ba9a0b49db2bf
                                                                                • Opcode Fuzzy Hash: a7ffb64dfb9c99e0bd74d4b70ae97b54e8871aa3ea3adb5a7f34088d59bdf94d
                                                                                • Instruction Fuzzy Hash: D6419530A1CA865FF6B4AE28945267677E5FF49B95F40017ED48EC3181EE29F8028B81
                                                                                Function 00007FF849113B09 Relevance: .1, Instructions: 136COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3fdad0d7f5d7ffa43f3308237e36a50d12ab77d02177020fb2861627f341994b
                                                                                • Instruction ID: 3aee492c6bf7c36a5004fec741f735af1207d1e812fba1de6e59e1366d2c2a4d
                                                                                • Opcode Fuzzy Hash: 3fdad0d7f5d7ffa43f3308237e36a50d12ab77d02177020fb2861627f341994b
                                                                                • Instruction Fuzzy Hash: 2D31A231B0D98A5FE6B4FA5CA4906B473E1EF49390F54417BD44DC7296DE2DEC828B80
                                                                                Function 00007FF8491163DD Relevance: .1, Instructions: 132COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d59291135613c7edd949486ec60243e0363f6e5f617e9ffa36ea32b2437c2c7c
                                                                                • Instruction ID: 9144e363088adc4745cc300c5511d5b9dcd52688b58ba5424e63cb9cff31c41a
                                                                                • Opcode Fuzzy Hash: d59291135613c7edd949486ec60243e0363f6e5f617e9ffa36ea32b2437c2c7c
                                                                                • Instruction Fuzzy Hash: 3C41192180DAC56FD727AF3494621F57FB0EF5B290B0801FAD4C98B497EA0D6856C742
                                                                                Function 00007FF848E5DB45 Relevance: .1, Instructions: 131COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1639cd69c7fdc2dbfa98b28ea8e96d10567a7b9b470aee07fea6535b6d52c6c4
                                                                                • Instruction ID: 7b66176a828538c4f7f861cdb1dc5d50b878c064cfbb346a9132bac2cdde6db9
                                                                                • Opcode Fuzzy Hash: 1639cd69c7fdc2dbfa98b28ea8e96d10567a7b9b470aee07fea6535b6d52c6c4
                                                                                • Instruction Fuzzy Hash: 0B313B7160EA851FD346BBB85C665FA7FE5EF8B25070801FAE089C71A3CD185C138351
                                                                                Function 00007FF849114C60 Relevance: .1, Instructions: 129COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c5fe71df00d5022f11d87e1ef1b9cbcb7b1b12b6644da2ed1746bc81dab1d844
                                                                                • Instruction ID: 5ec328be1b8cd8195a0f6bb4ae4f5a73f9dbb084cf2a92e97805762436fc3261
                                                                                • Opcode Fuzzy Hash: c5fe71df00d5022f11d87e1ef1b9cbcb7b1b12b6644da2ed1746bc81dab1d844
                                                                                • Instruction Fuzzy Hash: B831F531A1CD8A4FD7A4FF689455A72B7D1FF94354B5446B9C04DC7186EA3CEC428B80
                                                                                Function 00007FF84911414D Relevance: .1, Instructions: 127COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fff4c0397a7db00a7110a43adc072e2fff58ea16d0b44759d37946f242e82c7f
                                                                                • Instruction ID: a8d2866c32140ac7d4e1bfaff7623ad6c1698b83953af4d9e6bb7f6d7c08b58a
                                                                                • Opcode Fuzzy Hash: fff4c0397a7db00a7110a43adc072e2fff58ea16d0b44759d37946f242e82c7f
                                                                                • Instruction Fuzzy Hash: D0318621A2DE861FD36DAE2CA8564B277E1EF6921070401BFD04FC35D3EE19BC0A8385
                                                                                Function 00007FF848E6A6D0 Relevance: .1, Instructions: 127COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7ea5582321777577c79c1ba77191b638806748d006d362055237bcf499423d0a
                                                                                • Instruction ID: 84af8cd35ac9cc4ff076384238c76606e60e038bf9ff72d25c086399a79ba1f0
                                                                                • Opcode Fuzzy Hash: 7ea5582321777577c79c1ba77191b638806748d006d362055237bcf499423d0a
                                                                                • Instruction Fuzzy Hash: C031E321E0D9591FE794FB6C58592F97BE1FF59260F8401BBD80CE72D2CE282C968384
                                                                                Function 00007FF848E70810 Relevance: .1, Instructions: 127COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d8913fd481aca86bcfcfa9bddf20c44f471ec82037a732886875e4b397e29c93
                                                                                • Instruction ID: ab3521878b478bdc252ce075462b80c21a434d73a341c3bdf95d390d8780fdab
                                                                                • Opcode Fuzzy Hash: d8913fd481aca86bcfcfa9bddf20c44f471ec82037a732886875e4b397e29c93
                                                                                • Instruction Fuzzy Hash: D931277290EA992FE349B768A4511F67F90FF45370F0802BBE08CCA1A7CE249941C795
                                                                                Function 00007FF848E5F979 Relevance: .1, Instructions: 126COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7cfdfa7e6bb1b9c6ab5c8d9dd64fee25ad845c3d60a1fcb45d45841a56c3b84a
                                                                                • Instruction ID: 2aed2cbcfebeda75237ada187f02a56911405a68cb3bda4e0a1a96f7e7b2baa8
                                                                                • Opcode Fuzzy Hash: 7cfdfa7e6bb1b9c6ab5c8d9dd64fee25ad845c3d60a1fcb45d45841a56c3b84a
                                                                                • Instruction Fuzzy Hash: B731E97010DB995FDB55DF78C4661FA3FA1EF4B220F4405ADD886CB2A2CA256817C781
                                                                                Function 00007FF849130B80 Relevance: .1, Instructions: 125COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3150c4f08bff8f68c8b1a1d361bf94e9c6953e4474387c3f8f7d94cdf849c455
                                                                                • Instruction ID: 37d6fab2b9d3f61dc2ca52faae842cc4c45b57ee989dc387c8dd8a0973b3b650
                                                                                • Opcode Fuzzy Hash: 3150c4f08bff8f68c8b1a1d361bf94e9c6953e4474387c3f8f7d94cdf849c455
                                                                                • Instruction Fuzzy Hash: 2541A331A1CB569FFBB8EE298494A72B3E5FF58350B44057ED48EC3691DA28F841CB40
                                                                                Function 00007FF848E7048D Relevance: .1, Instructions: 125COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2b84d50151070d042c990b79b691bd2c22e81a3e0835147b09c40bb5b1f72f80
                                                                                • Instruction ID: 76e30fd299ddb414219dfdeef5be5132433b6b06c88b822eb0a844ca03c1f941
                                                                                • Opcode Fuzzy Hash: 2b84d50151070d042c990b79b691bd2c22e81a3e0835147b09c40bb5b1f72f80
                                                                                • Instruction Fuzzy Hash: A741E532D0DACA0EF775B67448151F97BD1FF953A0F48027AD059C71E2EF28690A4786
                                                                                Function 00007FF848E5B0C8 Relevance: .1, Instructions: 124COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 326e48daae20f8475da4a91a508bd15fea7221e25a2305a6c45564680654c87a
                                                                                • Instruction ID: 0bd58d5d008aeaaad9a06a0a7c8bec5088de291d54e2cb91b5730ca43dba9b6f
                                                                                • Opcode Fuzzy Hash: 326e48daae20f8475da4a91a508bd15fea7221e25a2305a6c45564680654c87a
                                                                                • Instruction Fuzzy Hash: 70315B3070DE814FD75ABFBC44560B97BE1EF8A690B0404FDD48A8B2E3CE1968138344
                                                                                Function 00007FF848E5E00D Relevance: .1, Instructions: 124COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2a2750b84c8de92007dd33508308b711761ec046fe85ce48af20820a6530c5e2
                                                                                • Instruction ID: 5f52661a48b6b8084e47367cb7415274bda83e306ea14f134f5a5754875cc1b9
                                                                                • Opcode Fuzzy Hash: 2a2750b84c8de92007dd33508308b711761ec046fe85ce48af20820a6530c5e2
                                                                                • Instruction Fuzzy Hash: F4315D71E1EA860FE759BB7C58560FABBE1EF97290B4804FED489C7193CE1868178341
                                                                                Function 00007FF848E77B60 Relevance: .1, Instructions: 122COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 44c18816f23fe654c55b18d4738a05fce99601cf43819118f7256e82383eefdf
                                                                                • Instruction ID: 0d5ecbd717b42d13611539107df2f9f9e11478878f4b6641c7b393abad7c9b76
                                                                                • Opcode Fuzzy Hash: 44c18816f23fe654c55b18d4738a05fce99601cf43819118f7256e82383eefdf
                                                                                • Instruction Fuzzy Hash: 53316962E0DA894FD319663C6C051B97BE1FF96660F0403FBE048D3197EF246C068386
                                                                                Function 00007FF848E5E62D Relevance: .1, Instructions: 122COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 04096d7fdb75998fd6d919db45db58cfd863b957fc502ffbac4e702487f1a80d
                                                                                • Instruction ID: 22434455e97e1be693bfe89de1d923b0d07d495b90dfffb10f7bbd2646ee37f1
                                                                                • Opcode Fuzzy Hash: 04096d7fdb75998fd6d919db45db58cfd863b957fc502ffbac4e702487f1a80d
                                                                                • Instruction Fuzzy Hash: B631383190DA861FEB51F7B844562FBBBE1EF8A780F1400F9D84DC7193CA2DA8128350
                                                                                Function 00007FF8491160FB Relevance: .1, Instructions: 121COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d8eace19c6c588ad97eb21a2f35b0a265dbb52709d738200c2bf6bc60ea8aefa
                                                                                • Instruction ID: 73d636d68b46810fb3be64ff43067c9409f82b9b3ca7e8660fa03fb8f661fac6
                                                                                • Opcode Fuzzy Hash: d8eace19c6c588ad97eb21a2f35b0a265dbb52709d738200c2bf6bc60ea8aefa
                                                                                • Instruction Fuzzy Hash: 70310BA7D4DDD67FE25CFA2CE4D25F63750EF952D4B0800B6C04A86083FE0E68064964
                                                                                Function 00007FF848E68449 Relevance: .1, Instructions: 120COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c52286290322950b60a69811eb2a5740ec3a351e8193dde1e1bbe63a304b0f8f
                                                                                • Instruction ID: 0444f9ca881255beeb4011c03316042d25555fa37623004bdb21ab9b2d61d38d
                                                                                • Opcode Fuzzy Hash: c52286290322950b60a69811eb2a5740ec3a351e8193dde1e1bbe63a304b0f8f
                                                                                • Instruction Fuzzy Hash: 6941AC2190E7C21FE307A778986A2A57FB0AF07254F4940E6C4D8CF1E3DA2C684BC356
                                                                                Function 00007FF848E5D66A Relevance: .1, Instructions: 118COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d69119ab1c6227c29617d8b6346dfb1551f98e38c1ef9a539cbe2c83e82aa64b
                                                                                • Instruction ID: cbeb45bb3f6d3e0e64c647ad8b0885cfed4494f64425ec3f769a66cb1664e3fb
                                                                                • Opcode Fuzzy Hash: d69119ab1c6227c29617d8b6346dfb1551f98e38c1ef9a539cbe2c83e82aa64b
                                                                                • Instruction Fuzzy Hash: B8310A70A0E9891FE745F7BC846A5BDBBE1EF89650F4800F9D849D72A3DD186C438345
                                                                                Function 00007FF848E66D41 Relevance: .1, Instructions: 116COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 330204a95168eb92961b12971fab673d6aa6cbf3de4da7e322263e37982727de
                                                                                • Instruction ID: 138d439963f4cb78f66e56ef6c2ee1b31926ac7ae627e49a452c05a24a61f4ff
                                                                                • Opcode Fuzzy Hash: 330204a95168eb92961b12971fab673d6aa6cbf3de4da7e322263e37982727de
                                                                                • Instruction Fuzzy Hash: BE310431A1CA099FE718EB28D4452B9B3E1FF49360F50427AE05EC31A3DE35B8128681
                                                                                Function 00007FF848E5CF0D Relevance: .1, Instructions: 116COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e3a8edf6036bcef3a18333933a5c1b5db5afb93fa6847ff9f9827995f75e778c
                                                                                • Instruction ID: 9d52b4644b165a1249f70f8be9d8c63194426b64434bd27703c31fb417afa796
                                                                                • Opcode Fuzzy Hash: e3a8edf6036bcef3a18333933a5c1b5db5afb93fa6847ff9f9827995f75e778c
                                                                                • Instruction Fuzzy Hash: F5316E71A0E9851FE759FB7C586A0FABBE1EF96250B4400BED449C7193DE246C138341
                                                                                Function 00007FF848E64848 Relevance: .1, Instructions: 116COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 39d64817bdbcf57036b3b17b571c31eaf7d71175863ec32a8f1272df168eabb2
                                                                                • Instruction ID: 93df1991fe221120d6e30d4e912861bc64fc334476aee6f9bc4f15201d7fd252
                                                                                • Opcode Fuzzy Hash: 39d64817bdbcf57036b3b17b571c31eaf7d71175863ec32a8f1272df168eabb2
                                                                                • Instruction Fuzzy Hash: BB313E20E1D9895FE398B73858592BA7FE1FF8A250F8804FBD80DD7193DE2828468305
                                                                                Function 00007FF848E72010 Relevance: .1, Instructions: 112COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: beb009eef280f2c7bc8a41dde84e6402a1457a69e5902e87a61327ec9e307319
                                                                                • Instruction ID: ed32d96b44a48e18f339f2dfb18a44e5b831e2d8bd1085f43ce45c441d6cd685
                                                                                • Opcode Fuzzy Hash: beb009eef280f2c7bc8a41dde84e6402a1457a69e5902e87a61327ec9e307319
                                                                                • Instruction Fuzzy Hash: D431E220A2CA564FE764E6289415AF877E1FF81340F4484BAD45EC72DBDB3D688583A4
                                                                                Function 00007FF848E5EA60 Relevance: .1, Instructions: 110COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 919616bf76c941709b742a3b624164a292d158fd2df0b0e9eb4f1827d8991001
                                                                                • Instruction ID: 021a78f40e69464b51842faf8a3fb148557366086ead9600689e15e92c8bf9dd
                                                                                • Opcode Fuzzy Hash: 919616bf76c941709b742a3b624164a292d158fd2df0b0e9eb4f1827d8991001
                                                                                • Instruction Fuzzy Hash: 0D21D221B0D98A0FE395A2BC68592B97BD1EB8A691F4801F6D44DC71A7DD688C868381
                                                                                Function 00007FF848E51B3F Relevance: .1, Instructions: 107COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 73ce44c72a03e505d160004ee778d6c5ff3135fb21533e4b4c58cd9d9cf2d189
                                                                                • Instruction ID: 648dae0b086a3af48672d08ed203030f5d8350b73b7fb962362e1cc436b06dbb
                                                                                • Opcode Fuzzy Hash: 73ce44c72a03e505d160004ee778d6c5ff3135fb21533e4b4c58cd9d9cf2d189
                                                                                • Instruction Fuzzy Hash: 9031DBB2C4DACB9FF39A66B86815075BFE4FF11694F0800BBC458C74D3FA2A58058345
                                                                                Function 00007FF848E64CA5 Relevance: .1, Instructions: 106COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 738e2c53ea3322d3fba1574caee5d92fe40f1c464b2616a91767509d922c2031
                                                                                • Instruction ID: 24607cabd81cba19f99db64d543dc29c0ce957d2c8841f878423f7f066a5bd9a
                                                                                • Opcode Fuzzy Hash: 738e2c53ea3322d3fba1574caee5d92fe40f1c464b2616a91767509d922c2031
                                                                                • Instruction Fuzzy Hash: 8B313861A1DAC60FE34AAB7844152E1BBE1FF46344F0880FBD04ECB6D3DE28A8468315
                                                                                Function 00007FF848E665F5 Relevance: .1, Instructions: 106COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 96796e58d78fc0a28d9a7cf7cb9b31f3114f1100a0d5e5082806d22e25ac2a80
                                                                                • Instruction ID: c55f1c7c7e31d9b53640cc9d9d5b1bae5014e5dfca03a0b531eafeadb30ca603
                                                                                • Opcode Fuzzy Hash: 96796e58d78fc0a28d9a7cf7cb9b31f3114f1100a0d5e5082806d22e25ac2a80
                                                                                • Instruction Fuzzy Hash: 39215C32C1D7944FD315A6345C661E97FE0FF96260F4902BFD496970A2E62868068392
                                                                                Function 00007FF848E648C5 Relevance: .1, Instructions: 106COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 969d42492f37d04c6e780b107a0008a590e81aab1b3bc10f8474b65333b0f943
                                                                                • Instruction ID: 5389ede048a28f8d813460f9b870e68b54240640bae8c9e19505d9817e5f9a4a
                                                                                • Opcode Fuzzy Hash: 969d42492f37d04c6e780b107a0008a590e81aab1b3bc10f8474b65333b0f943
                                                                                • Instruction Fuzzy Hash: 04213762A4D9950FD318BB7CE8596E97BD0EF853A1F0841BBD1CCCB193CA185C4283D6
                                                                                Function 00007FF848E628C5 Relevance: .1, Instructions: 106COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 57969791a1e5752f6f426dfb5f3af8994d0950d2e61537d5ea185e6c4170fded
                                                                                • Instruction ID: c8faf1a5043df172296193fb3598cbc717269023bfe59071a3ddb921e7226cd3
                                                                                • Opcode Fuzzy Hash: 57969791a1e5752f6f426dfb5f3af8994d0950d2e61537d5ea185e6c4170fded
                                                                                • Instruction Fuzzy Hash: 8131A231D0C54E8EEB64EA14D4516E87BA0FF95394F88027AD409E71D3EF35780A8785
                                                                                Function 00007FF849120000 Relevance: .1, Instructions: 105COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 69deb30424e5d5a8d7a3f41c192c7f24a35c770ff6b2d97c09e8ab3ae84152fe
                                                                                • Instruction ID: 396d683993718b9fcd57ddee1d47007909077bdf943c4c584eed4379f15fb26d
                                                                                • Opcode Fuzzy Hash: 69deb30424e5d5a8d7a3f41c192c7f24a35c770ff6b2d97c09e8ab3ae84152fe
                                                                                • Instruction Fuzzy Hash: 6431D63160CB449FD754FF1CD085AA6B7E1FF99790F00467AE44AD7261DA34E8818B82
                                                                                Function 00007FF848E6D090 Relevance: .1, Instructions: 102COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: eb06fc577b7ccdf37f86cbadd55e456ce9a859c372e0fafa75b8f39ed768e4fd
                                                                                • Instruction ID: 0f4e6d2db122d8d59981fab179cca5f6c4a96af15bf5b3c1c1b36086625c96d1
                                                                                • Opcode Fuzzy Hash: eb06fc577b7ccdf37f86cbadd55e456ce9a859c372e0fafa75b8f39ed768e4fd
                                                                                • Instruction Fuzzy Hash: 94212832F0DA464FE7E5567C38641B06FD1FF86660B8901FBC048D7297DA6A9C438386
                                                                                Function 00007FF848E65470 Relevance: .1, Instructions: 99COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8235f8d4ab0a4def1954c75f6e4070ce5c787eb7a851d5af644e494fa4f5c611
                                                                                • Instruction ID: f26be8b362916dbdde529d0a676a12191487aee75ad567dc050deab976481d8c
                                                                                • Opcode Fuzzy Hash: 8235f8d4ab0a4def1954c75f6e4070ce5c787eb7a851d5af644e494fa4f5c611
                                                                                • Instruction Fuzzy Hash: C9314B3191DB984FD349E728D8246BA7BE0FF95350F8806BEE049D3292CF389905C742
                                                                                Function 00007FF848E5DE21 Relevance: .1, Instructions: 99COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2029150082edb2965ac8a8a2bb2ea759e9959d061d27c688f4c9fa261e281832
                                                                                • Instruction ID: 1b27c7fc9f9187a5c3f4427dbfcccb157d655fdd4e831bf1f237db295c4c82da
                                                                                • Opcode Fuzzy Hash: 2029150082edb2965ac8a8a2bb2ea759e9959d061d27c688f4c9fa261e281832
                                                                                • Instruction Fuzzy Hash: 8921D66164EAC51FE303A77868666EA7FE1DF872A0F0C44EAD4C5CF1A3C619545BC341
                                                                                Function 00007FF848E64160 Relevance: .1, Instructions: 96COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a1a4a25bf1d615f73b1011f5adb9ac5c9bd227905d2775d7085877e6e6d481d8
                                                                                • Instruction ID: 120f8c2fd1e2ef8418cff7343601d59b2afe5fbccfe4634914b0c20843bae784
                                                                                • Opcode Fuzzy Hash: a1a4a25bf1d615f73b1011f5adb9ac5c9bd227905d2775d7085877e6e6d481d8
                                                                                • Instruction Fuzzy Hash: E731CE30D0DE4D8FE795FBB8944A2AEBAE0FF55354F9401BED00AD3291CF2928418745
                                                                                Function 00007FF849116E59 Relevance: .1, Instructions: 94COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2e4b61daf55890b619b90509254729b0c282f6a9fc0c55b532d8905859826a50
                                                                                • Instruction ID: 35babe72a2264efd40aa423084658efb174d474a51dc97f868454b3cc14caf59
                                                                                • Opcode Fuzzy Hash: 2e4b61daf55890b619b90509254729b0c282f6a9fc0c55b532d8905859826a50
                                                                                • Instruction Fuzzy Hash: 1421341190F6C62FE312AB7898226A27FE1DF8B2C0B4841FAD488CB0E7E90D5816C751
                                                                                Function 00007FF848E5A16B Relevance: .1, Instructions: 94COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 16fbe4aaf6a88a081bf5005fb548ab287e464882fb9e6b45d4189ae991403064
                                                                                • Instruction ID: 9e3755ca7cbab5078d7885022f567d71e1352b1c1e5ecc2a1d1cf06be35de6f8
                                                                                • Opcode Fuzzy Hash: 16fbe4aaf6a88a081bf5005fb548ab287e464882fb9e6b45d4189ae991403064
                                                                                • Instruction Fuzzy Hash: 761106B354D60C5EF758AE48FC469F97394F782370F00027FD54AC2162E63265578B44
                                                                                Function 00007FF848E5E650 Relevance: .1, Instructions: 94COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9e041755904aca5fa7a8a064afe2c6e40c8d03fc5d8a47bcfb3974a7efec26d8
                                                                                • Instruction ID: 6491fe6c0c59146e0163bb17ef0a89971f757aea0b27d69aa8298849f42cbf6f
                                                                                • Opcode Fuzzy Hash: 9e041755904aca5fa7a8a064afe2c6e40c8d03fc5d8a47bcfb3974a7efec26d8
                                                                                • Instruction Fuzzy Hash: AE21F66091D9851FEB51FBB844562FBBBE1EF8A780F5404F8CC8D87197DE6EA8128340
                                                                                Function 00007FF8491265C0 Relevance: .1, Instructions: 93COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a97179ec43e4530c07c110f8e951409354fbc75f500abb7e81fec89aa2eb65a4
                                                                                • Instruction ID: ebd4b1e583ed466b90b4055047edd8673ddbffcb048bcebbfa3ba5c8930ca29d
                                                                                • Opcode Fuzzy Hash: a97179ec43e4530c07c110f8e951409354fbc75f500abb7e81fec89aa2eb65a4
                                                                                • Instruction Fuzzy Hash: 5B21F321F1CD9A5FEAB8BE2D5455B7663D1EBA8394F4040BAD04ED36D2ED29FC024780
                                                                                Function 00007FF848E55BF0 Relevance: .1, Instructions: 92COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 22b6f66d3a02dd65088a72e83be38681e295583839b5ee0aa6b5b2a562a43a01
                                                                                • Instruction ID: 50dd52bef98aa2f5776a496bbcaf7923e7f7398dc2f46c06d8669a87e512aa6e
                                                                                • Opcode Fuzzy Hash: 22b6f66d3a02dd65088a72e83be38681e295583839b5ee0aa6b5b2a562a43a01
                                                                                • Instruction Fuzzy Hash: 40214131E0D9994FDF84FF28A8666BD7AE1FF99344F45006AE40DE3292DF3468418745
                                                                                Function 00007FF848E6982D Relevance: .1, Instructions: 92COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5aa4e413c2855269fb5da330520ead101f4047a69800354c387ec9a0088e6b63
                                                                                • Instruction ID: db15016e2353db06d543a8b11a027a3917fc8206e37e847fb1c1f5403729fe21
                                                                                • Opcode Fuzzy Hash: 5aa4e413c2855269fb5da330520ead101f4047a69800354c387ec9a0088e6b63
                                                                                • Instruction Fuzzy Hash: 41219525C1D5DA4DEBA3763858211B97BD4FF46390F8801B6D59CE24C3DE2C391A8345
                                                                                Function 00007FF848E6A470 Relevance: .1, Instructions: 91COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1e95f173dbaf123ff85b38c62a356f295df2305fa305d6266ccdfcce2288bd17
                                                                                • Instruction ID: 154ee5f3d148c0e2d002512f747352725c59c0297b7c1056792ca2f8f92bf7e9
                                                                                • Opcode Fuzzy Hash: 1e95f173dbaf123ff85b38c62a356f295df2305fa305d6266ccdfcce2288bd17
                                                                                • Instruction Fuzzy Hash: 1C214762E0DA854FE39AA73CA8597A13BD0EF55380F9800FED04DD7283DE7968478345
                                                                                Function 00007FF848E5DF47 Relevance: .1, Instructions: 91COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 10c7ad0046c5f70e0d965f3459c50721a6da46ac20afe2c7e81e1a74fed29e86
                                                                                • Instruction ID: f0dbff4c1c4aca68c602c57385182b998e874ec45361b0bf353e9b9ddf15a593
                                                                                • Opcode Fuzzy Hash: 10c7ad0046c5f70e0d965f3459c50721a6da46ac20afe2c7e81e1a74fed29e86
                                                                                • Instruction Fuzzy Hash: 5D21F361B1CA490FE680ABACA4552B6B7D1FF8A260F0445BED44DC7292DE39DC828385
                                                                                Function 00007FF848E66B29 Relevance: .1, Instructions: 90COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: da55a06f55dc1df27b6ab014d492ba81965004b706a3946ef0c3c0b16152911f
                                                                                • Instruction ID: 7337ad5a0deef3dd884dc311262597f32b3c4f0e81a378a84e857f7ea4ceb674
                                                                                • Opcode Fuzzy Hash: da55a06f55dc1df27b6ab014d492ba81965004b706a3946ef0c3c0b16152911f
                                                                                • Instruction Fuzzy Hash: F521F83150E7C55FE312AB7858664FA7FB0EF47660B8C01EAD4858B1A3DA186817C392
                                                                                Function 00007FF848E58AFF Relevance: .1, Instructions: 88COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8875370542bc3bfc9a3aa10416ad8860842753b0df363b260c0df6d4de02d282
                                                                                • Instruction ID: 0130288a51bde3fc4df1204a33990a6c1f4b16064f68dba55858748aa22e13ce
                                                                                • Opcode Fuzzy Hash: 8875370542bc3bfc9a3aa10416ad8860842753b0df363b260c0df6d4de02d282
                                                                                • Instruction Fuzzy Hash: E921A290A0EA852FD70DABB894277ABEFE1EF46240F6845FDD44987AD3CD185402C719
                                                                                Function 00007FF848E5B590 Relevance: .1, Instructions: 88COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0b1ab541da3ed398d94f77c07130d07b90035bfc8d4ddd58814c7db33cd512a3
                                                                                • Instruction ID: ab3d8709ed069447f3b56153c7aedcd14c0c7d81f0e26c5439274fa328453860
                                                                                • Opcode Fuzzy Hash: 0b1ab541da3ed398d94f77c07130d07b90035bfc8d4ddd58814c7db33cd512a3
                                                                                • Instruction Fuzzy Hash: 3821063090D5465FEB59EB38D4859B67BA0FF91310F2842FAD409CB19BDA39EC86C384
                                                                                Function 00007FF848E602A8 Relevance: .1, Instructions: 86COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a5122e9edc96cfecef2f3f6ca715eaea2b6c7ec9f9614e4c726f213ca4bf234a
                                                                                • Instruction ID: 61d473461069733b81cfd0c08619d07f58eca9916a6c6bb6bf7ce69605d4701e
                                                                                • Opcode Fuzzy Hash: a5122e9edc96cfecef2f3f6ca715eaea2b6c7ec9f9614e4c726f213ca4bf234a
                                                                                • Instruction Fuzzy Hash: 5F11E432D0D9991FE755B668581A6FE7BE1FF862A0F4801AAD489EB152DA242C128381
                                                                                Function 00007FF848E75858 Relevance: .1, Instructions: 86COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 77de6e18ae563415c1a3ba4f2be6876272aa78a36533ac000602c019238c78d9
                                                                                • Instruction ID: e1140bcdf1883686e191260b3bef479bc9c26a6aad405ea0e48fa9b26155d008
                                                                                • Opcode Fuzzy Hash: 77de6e18ae563415c1a3ba4f2be6876272aa78a36533ac000602c019238c78d9
                                                                                • Instruction Fuzzy Hash: EA212531A0DB891FE785EB2894901E67BE0FF99360F0403BFE449C7292DB249901C385
                                                                                Function 00007FF848E6C860 Relevance: .1, Instructions: 85COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4795517f995708e92af72af7bd3345af9d90f0a63a8999c1a9689adf0efabca6
                                                                                • Instruction ID: 7c691ffd9baccf51bf32565b3cacbaa3ef34793ba4c032adb02eeb4c68cff4d2
                                                                                • Opcode Fuzzy Hash: 4795517f995708e92af72af7bd3345af9d90f0a63a8999c1a9689adf0efabca6
                                                                                • Instruction Fuzzy Hash: F721E030A0D5068FDB55FB58C4C19A6B7A1FF55314F2482B5D008CB1ABDB38EC86C780
                                                                                Function 00007FF848E6494D Relevance: .1, Instructions: 83COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 432a2612eb927da8fc84650b56c4b1f46a2bbffc154ef0e224d7a85cdf534bf6
                                                                                • Instruction ID: 7fd5f5671fd6730be60fbb465dd2445e2c30367b62b72ac61a002f98394bb823
                                                                                • Opcode Fuzzy Hash: 432a2612eb927da8fc84650b56c4b1f46a2bbffc154ef0e224d7a85cdf534bf6
                                                                                • Instruction Fuzzy Hash: 06110631A0DA854FD355EA3CD8156A97BD0EF853A0F0900BFD08DCB153CA285C868381
                                                                                Function 00007FF848E5D2E0 Relevance: .1, Instructions: 82COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bc439067dd5d8f60ffa31f212198ba7b706b3380b1b4691af29b3d84319ab2cb
                                                                                • Instruction ID: c8f3caed5b2a4fdef4b7d115ebb10ce94a1381d98244d25f147e66fa35825197
                                                                                • Opcode Fuzzy Hash: bc439067dd5d8f60ffa31f212198ba7b706b3380b1b4691af29b3d84319ab2cb
                                                                                • Instruction Fuzzy Hash: EF212260A2DE8A4FE388FB7C80043A5F6D1FF49340F4884BEC00EC3686EE38A8458315
                                                                                Function 00007FF848E5BA5F Relevance: .1, Instructions: 82COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3febfb8c0efe87593639fc1d06e2d1473a224db2a3c37ee7b940c3ad17d8a2ff
                                                                                • Instruction ID: 7be7237d1edbbcc64609c2267dc1192a3162da717c99ccd10c6831566eabe24a
                                                                                • Opcode Fuzzy Hash: 3febfb8c0efe87593639fc1d06e2d1473a224db2a3c37ee7b940c3ad17d8a2ff
                                                                                • Instruction Fuzzy Hash: 70213B3071EE454FD756BB7C14521FDBBE1EF86251B4404BDD48AC7193CE1868138341
                                                                                Function 00007FF848E66653 Relevance: .1, Instructions: 82COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9147a3df733a8b9aa776c54b9187a6c7ea4a57a47dd375ff015eeeeb055007cd
                                                                                • Instruction ID: 1dcef99b4e11b03ca9fa69cf83f1a870d9fa3c949bd4df207b00da7f5b1ad583
                                                                                • Opcode Fuzzy Hash: 9147a3df733a8b9aa776c54b9187a6c7ea4a57a47dd375ff015eeeeb055007cd
                                                                                • Instruction Fuzzy Hash: 0A115E33C1D7585FD315E628AC564F97BA0FF92260F45033FE09BD3092EA24680683D2
                                                                                Function 00007FF848E58030 Relevance: .1, Instructions: 82COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cb4732e7b810fd8b95d90cbcc56e449b0bea64e8ae9c3e9a5f95d6ad1b0b2078
                                                                                • Instruction ID: 25209abadb25230b37c286bf8d2deacf99d98bb855bd243901c672c00c56e40d
                                                                                • Opcode Fuzzy Hash: cb4732e7b810fd8b95d90cbcc56e449b0bea64e8ae9c3e9a5f95d6ad1b0b2078
                                                                                • Instruction Fuzzy Hash: C12138A194EAC51FE357F7B8445A1BABFE1EF47280B4805FED486CB2A3CE1858078305
                                                                                Function 00007FF848E651F8 Relevance: .1, Instructions: 81COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b4329edcbf64e8c9cd4e0999b3548f2f3f723834c16886959fa272e4cdebb153
                                                                                • Instruction ID: dc908460f4769f120a2b15b40113c59df536086db49e09fd4fa271245a0bdef1
                                                                                • Opcode Fuzzy Hash: b4329edcbf64e8c9cd4e0999b3548f2f3f723834c16886959fa272e4cdebb153
                                                                                • Instruction Fuzzy Hash: 12216A3A7489195FC704FB6CF8501FA7760FF91376B0842B7D18CCB1A3CA2594098784
                                                                                Function 00007FF848E5F8D0 Relevance: .1, Instructions: 81COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a417b98eaf6bbcb1cc5857ecc9983fcb25f9789ee9c84e93e156f1bcf4e06ccb
                                                                                • Instruction ID: d30124d0ca373055f7c54410df78519926186d1e49c69eefa7669bd4e3bb8d88
                                                                                • Opcode Fuzzy Hash: a417b98eaf6bbcb1cc5857ecc9983fcb25f9789ee9c84e93e156f1bcf4e06ccb
                                                                                • Instruction Fuzzy Hash: 9F11EB21B0DD091FE794F6BCA4492B9A3D1EF886A1F5401B6D80DC32DADD2D9CC64381
                                                                                Function 00007FF848E6A678 Relevance: .1, Instructions: 80COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 21e5f0d56f97148f96aa58c19b477d7a1ea1bcbe10411044b99a8290d7fb483b
                                                                                • Instruction ID: 7ebca5250c3680acda60f4d18df024dce7e8ebe3eea167ff351f2f4e731e9504
                                                                                • Opcode Fuzzy Hash: 21e5f0d56f97148f96aa58c19b477d7a1ea1bcbe10411044b99a8290d7fb483b
                                                                                • Instruction Fuzzy Hash: D011E25190EBC50FE36AA77818662B53FE1EF47290F4904FAC089CB2E3DA1A68169301
                                                                                Function 00007FF848E6EA90 Relevance: .1, Instructions: 79COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 67e8142f6f7e0d2e8dfdd2b15816491b86d489e53d44773f7c93fca411094a5a
                                                                                • Instruction ID: 50da96a025688948018474b1cb1133efe9a28dece479a9874cbc28bbd50d699a
                                                                                • Opcode Fuzzy Hash: 67e8142f6f7e0d2e8dfdd2b15816491b86d489e53d44773f7c93fca411094a5a
                                                                                • Instruction Fuzzy Hash: 40119D31B1CA098FD69CEB1CA4459B977D2FF98310B5441AEE08EC3696DE24FC428785
                                                                                Function 00007FF848E77080 Relevance: .1, Instructions: 79COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: deddcc4830b23272ff2b2f68d45efeb2ae09a30481551ade6800b2a5fcc5c71e
                                                                                • Instruction ID: 70e2366c482c6d6425b1cca9129ce7f347fc004f9668f34d7d0f36532d60dbde
                                                                                • Opcode Fuzzy Hash: deddcc4830b23272ff2b2f68d45efeb2ae09a30481551ade6800b2a5fcc5c71e
                                                                                • Instruction Fuzzy Hash: B7110872A1CA1C5FD718BA1C9C0A4B977E1FBD8B61F00027BF449D3256DF20B80286C6
                                                                                Function 00007FF848E5DE95 Relevance: .1, Instructions: 78COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4da2a5c000ca0a879b4b94c11e0740ec0152bfb637e29886f942da4a88e62c2c
                                                                                • Instruction ID: 4476481119a3e5ed6120f833ff921f9a205ec1e2663041035522fa58e880cf03
                                                                                • Opcode Fuzzy Hash: 4da2a5c000ca0a879b4b94c11e0740ec0152bfb637e29886f942da4a88e62c2c
                                                                                • Instruction Fuzzy Hash: 5401F952A0EEC91FE756A67D281D2767FE4DB971B170801FBD489C72A2DD184C838362
                                                                                Function 00007FF848E5F560 Relevance: .1, Instructions: 77COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 73d2b7a5c24efa60dce3a2b23ea39e1a6b8ea1b35e00301c1a91912a50bbc648
                                                                                • Instruction ID: 0b859dfc2d6fdc44b51334ca8263534d82538dd4b390c6216e0461e445b7adc2
                                                                                • Opcode Fuzzy Hash: 73d2b7a5c24efa60dce3a2b23ea39e1a6b8ea1b35e00301c1a91912a50bbc648
                                                                                • Instruction Fuzzy Hash: 4C21D72051EAC55FD345EB7844265A6BFF0AF0B640F0844EED4D5CB2A3DA2C9806C341
                                                                                Function 00007FF849116338 Relevance: .1, Instructions: 76COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 565789039f3e13b0de59882a6d0993766ab75fea910448503b92c01fa4523a60
                                                                                • Instruction ID: 90af9e85deb90798fa1f3bf78236e8ead8141e8d0cd9e014c313341ff12fea09
                                                                                • Opcode Fuzzy Hash: 565789039f3e13b0de59882a6d0993766ab75fea910448503b92c01fa4523a60
                                                                                • Instruction Fuzzy Hash: 37110621B2CD895FE758FB3880121B673D2FF9934475444B9C04FC7556DD39E8068740
                                                                                Function 00007FF848E64EC8 Relevance: .1, Instructions: 76COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f418b1c9ef2130084b8f94f26419db2fbc28844b393d7d405129a99beaa081d7
                                                                                • Instruction ID: 3e03c89119da8cfa40737235db19b88d2e388a03d3ae22d060c3f6464ee1b3f9
                                                                                • Opcode Fuzzy Hash: f418b1c9ef2130084b8f94f26419db2fbc28844b393d7d405129a99beaa081d7
                                                                                • Instruction Fuzzy Hash: F5114F31E0881D5FEBA0FA5C58896FDA7E1FB9C2A1F400177D80DF3255DE2428964794
                                                                                Function 00007FF8491180B1 Relevance: .1, Instructions: 75COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a0ee227ff31dec716f72299b2c655dd528250f3621540bf94943ce646cbc599e
                                                                                • Instruction ID: c8ef2c8d2dda5eaa613ff94c0ab3f7dd1fc7d26b05fea06459ce026d33edaae2
                                                                                • Opcode Fuzzy Hash: a0ee227ff31dec716f72299b2c655dd528250f3621540bf94943ce646cbc599e
                                                                                • Instruction Fuzzy Hash: B1115E3191DA892FE759B63898455B17BD0DFA9350B0840BFD44DC31A3DD159846C356
                                                                                Function 00007FF848E6D369 Relevance: .1, Instructions: 74COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5dad7e577e183b76831c55a3b5e5d92ad2bcc0e729089904bd34b66706a44293
                                                                                • Instruction ID: d1124b054b814fe12a72b401f58b9bd2e34b3fd334b45b5b5b7bc11382df07ac
                                                                                • Opcode Fuzzy Hash: 5dad7e577e183b76831c55a3b5e5d92ad2bcc0e729089904bd34b66706a44293
                                                                                • Instruction Fuzzy Hash: E011253071DD190FD7A8EB2C9859A6977D1FF49750B4500FBE04DC72A3CA28EC418391
                                                                                Function 00007FF848E5AD03 Relevance: .1, Instructions: 74COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 07755f526db52ffe06e2d883db4a98c703c67bc2c5b8d971b3bb9ff0b6e2e669
                                                                                • Instruction ID: fee9bd3bd076d4a8a8618272fb5ea371f9da56604491a2c58b74cab758abdcbe
                                                                                • Opcode Fuzzy Hash: 07755f526db52ffe06e2d883db4a98c703c67bc2c5b8d971b3bb9ff0b6e2e669
                                                                                • Instruction Fuzzy Hash: A211043171ED060FE759BBBC54521BDB7D2EF8A791B4400B9D44EC3297CE28A8134785
                                                                                Function 00007FF848E63E79 Relevance: .1, Instructions: 74COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 29f1f9fe2576bcb38ad6838a6268315a93eadb40636fdd8d74dfd38f07b073ec
                                                                                • Instruction ID: 833dccd1b90f9d7d6c8fe6dadfc833df8f2d7d67fbe02d61ef21fa6a2598742c
                                                                                • Opcode Fuzzy Hash: 29f1f9fe2576bcb38ad6838a6268315a93eadb40636fdd8d74dfd38f07b073ec
                                                                                • Instruction Fuzzy Hash: 3921F332D0DA4D4FD795EA2C94141A9BBE1FF48300F8801BBD009E3296DF386C064795
                                                                                Function 00007FF8491180D0 Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cb0c42122a6823091cf69da4c6c9f3c3b16fb88dbb602e3e773f67fd6b2ef2f2
                                                                                • Instruction ID: abc985b611370abbf381d4d6c92edeb8dce99c854b2309eab9b2db325c20923b
                                                                                • Opcode Fuzzy Hash: cb0c42122a6823091cf69da4c6c9f3c3b16fb88dbb602e3e773f67fd6b2ef2f2
                                                                                • Instruction Fuzzy Hash: 21014E32A1DD191FA75CF52CA8498F2B3D0DBA93A5B04447FD80DC3192ED26E842C745
                                                                                Function 00007FF848E5C7C3 Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 33da954b641d86f2349d3ed1d8b71f589ae699d8ba6a6fc00220efb3306cd4ae
                                                                                • Instruction ID: ad26e7fbae8632b28824ced63ef356d48767a8dd2011b53862ebfd64c8586b39
                                                                                • Opcode Fuzzy Hash: 33da954b641d86f2349d3ed1d8b71f589ae699d8ba6a6fc00220efb3306cd4ae
                                                                                • Instruction Fuzzy Hash: BA11E23171ED060FE799BB7C54521BDB3D2EF8A391B4400B9D44AC3287CE28A8134685
                                                                                Function 00007FF848E76288 Relevance: .1, Instructions: 71COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 18961e9db620589ca1eff4a508c012e201c4024e7c0d8df0253a5e644ee1dcd8
                                                                                • Instruction ID: 2a181908f489296648e7b0cb91b2ea1c69726db234c8352c1e9e2e9587634b30
                                                                                • Opcode Fuzzy Hash: 18961e9db620589ca1eff4a508c012e201c4024e7c0d8df0253a5e644ee1dcd8
                                                                                • Instruction Fuzzy Hash: 0811E95154F9C91FE709A6B9986A1F67FA0CF97570B0801EFD4858F6E3D80A14478351
                                                                                Function 00007FF848E6F858 Relevance: .1, Instructions: 69COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4da3cccf313e27cbea53f76b6e4465804e0df4d859b74a0feb63f34e07a45a65
                                                                                • Instruction ID: fa15e9f0a49d5e2a94f655229101a466a34d26a4e2205e1f8d867ebf76397749
                                                                                • Opcode Fuzzy Hash: 4da3cccf313e27cbea53f76b6e4465804e0df4d859b74a0feb63f34e07a45a65
                                                                                • Instruction Fuzzy Hash: 05119022D1C9DE0EFBB4B2A848112FA75D0FF88390F840276D45DD2582DF38390A0689
                                                                                Function 00007FF8491161EF Relevance: .1, Instructions: 66COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0f127036e850e908bcde2e3867b8d87b9738fac5d47e16ddb3c345b18f216ad0
                                                                                • Instruction ID: 00f20eb8fdf868f9cc8ac44aed737d2da59c15a0816ccfe53adb723de489127e
                                                                                • Opcode Fuzzy Hash: 0f127036e850e908bcde2e3867b8d87b9738fac5d47e16ddb3c345b18f216ad0
                                                                                • Instruction Fuzzy Hash: 6911C861E5CD876FE798EB2884965B573E1FFA9280B0841B9C00AC3597DE2DB8428741
                                                                                Function 00007FF848E5B2D1 Relevance: .1, Instructions: 65COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6594309a7dafe5059199aead269de24420d008ada050555357b446ebccaf751f
                                                                                • Instruction ID: bbbefacc4c5620c95290c5e16719533340d6363257fccf9da1c72897e73476ff
                                                                                • Opcode Fuzzy Hash: 6594309a7dafe5059199aead269de24420d008ada050555357b446ebccaf751f
                                                                                • Instruction Fuzzy Hash: 3E11027171D9460FE759BBBC64520FDB7E2EF89790B4404B9D48AC7187CE2868134285
                                                                                Function 00007FF848E72CDD Relevance: .1, Instructions: 65COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0d87b3846b7cc38c172a58efef97ffe87aa50a50b992f82636d5b726ca65a388
                                                                                • Instruction ID: eede84c5cb43ac41b9612c64aff3ef4d9132fc57cb148910b3af9f8e46a4a77b
                                                                                • Opcode Fuzzy Hash: 0d87b3846b7cc38c172a58efef97ffe87aa50a50b992f82636d5b726ca65a388
                                                                                • Instruction Fuzzy Hash: 3611EC3050D6468FD749DFA0C8C19A2B7A1FF9521070982FAC049CB1ABC638EC86C7E0
                                                                                Function 00007FF848E5E520 Relevance: .1, Instructions: 65COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e2b78c339a400f3b993bd5b0915fec654bc4473c5a1e19b0f83d101627a7b1c0
                                                                                • Instruction ID: bb5a372756868f3f98dd230010313ccd7b7beb36b44fa264fc4200f3b862c7bc
                                                                                • Opcode Fuzzy Hash: e2b78c339a400f3b993bd5b0915fec654bc4473c5a1e19b0f83d101627a7b1c0
                                                                                • Instruction Fuzzy Hash: E601267190DD882FD354EAB8881A3BABBF1EF8A710F0405EAC489DB166C964180283C0
                                                                                Function 00007FF84911492B Relevance: .1, Instructions: 64COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 97bf5c6da6013eecb935602227d2170725f7aa6b347e99b4a3fb9aca7a5c2600
                                                                                • Instruction ID: 94584eed6fd8b33098f11f54500a6ec1e1b8d0d8a56fb6dc2332f004882b47c7
                                                                                • Opcode Fuzzy Hash: 97bf5c6da6013eecb935602227d2170725f7aa6b347e99b4a3fb9aca7a5c2600
                                                                                • Instruction Fuzzy Hash: 27119471E28E8A9FDBACEE25805257673E1EF6D645B04057FC04FD3A92DF29B4018740
                                                                                Function 00007FF848E65165 Relevance: .1, Instructions: 63COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4a40753205fa87b20e5546b82bd841a3753541a34e401bcf40ac7bb80f39c9a4
                                                                                • Instruction ID: 6f24a506f877aa20071fee180e1ceefcb4ac6108aad0949fafe724c63af855a2
                                                                                • Opcode Fuzzy Hash: 4a40753205fa87b20e5546b82bd841a3753541a34e401bcf40ac7bb80f39c9a4
                                                                                • Instruction Fuzzy Hash: 1911C87190EAC84FD755FF78982A5AA7FF0FF56210F8904EAD045CB1A3DB285806C742
                                                                                Function 00007FF848E5DD69 Relevance: .1, Instructions: 61COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1785b3cb085550c242f2485bbf3627d3d62033e2321c0785ecb06bed991d5fa4
                                                                                • Instruction ID: 455c61b6f184a475fd16dc4f78be834e975245cc919e025af85239bb056c6655
                                                                                • Opcode Fuzzy Hash: 1785b3cb085550c242f2485bbf3627d3d62033e2321c0785ecb06bed991d5fa4
                                                                                • Instruction Fuzzy Hash: 5A012631B1ED460FD755BABC64121F9B7D2EF89390B4401B9D58AC7187CE28A8138285
                                                                                Function 00007FF849116291 Relevance: .1, Instructions: 60COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 00be47e37966990c0986944704e8f5506338deb3c55bbed0315092e3abe7cbb1
                                                                                • Instruction ID: 5f72508afa0472c95000d269cac8d3c9fe1ba9ebd1543977899878c4c7c429d7
                                                                                • Opcode Fuzzy Hash: 00be47e37966990c0986944704e8f5506338deb3c55bbed0315092e3abe7cbb1
                                                                                • Instruction Fuzzy Hash: DD110231E1CECAAFE755EE38846666177E0EF59380F4401ADC00A876C3DE2EB842C781
                                                                                Function 00007FF848E5AE8D Relevance: .1, Instructions: 59COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c210e9b059420c9e8e03221b7eea4042dee97805617589f7e28a09128a0c2592
                                                                                • Instruction ID: eba0f8e8aad8c8055b6f3c61185067a2931d9180a400b5af00e3e77643165205
                                                                                • Opcode Fuzzy Hash: c210e9b059420c9e8e03221b7eea4042dee97805617589f7e28a09128a0c2592
                                                                                • Instruction Fuzzy Hash: DC11B67084EAC95FD742DF74886A2EABFF0EF07200F4404EAD458CB193EA24111A8742
                                                                                Function 00007FF848E664C6 Relevance: .1, Instructions: 58COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8fb80c16facf65431b379d2471692045b0b8b7587dd4cad2dc62bfbc108870af
                                                                                • Instruction ID: c6f27088a0c4ddfccdb4f1d7c5fd91642c42ed0a8711d47a21b61d2fc3defa40
                                                                                • Opcode Fuzzy Hash: 8fb80c16facf65431b379d2471692045b0b8b7587dd4cad2dc62bfbc108870af
                                                                                • Instruction Fuzzy Hash: 4511A730A19A4E8FDB89EF64C8967EA77F1FF54300F5445A8D40AD7299CB34E446CB40
                                                                                Function 00007FF848E6A7CA Relevance: .1, Instructions: 55COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9d19a242b6fc15e89e0a921b2aff04131d335e0c329c7cd5f214620b4cfeba5d
                                                                                • Instruction ID: 1ac48e14999a035bbc0bb01cb9d31ce08051772390bef8b052a3bfcafc7e87d4
                                                                                • Opcode Fuzzy Hash: 9d19a242b6fc15e89e0a921b2aff04131d335e0c329c7cd5f214620b4cfeba5d
                                                                                • Instruction Fuzzy Hash: C801F11184EBC61FD387A37818256A13FE1AF83160F8D00EBC489CB193DA5C688BC362
                                                                                Function 00007FF848E64990 Relevance: .1, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f42f246839d26ceda03858778826fc3e92777af0706dd0cef3763bfe39baea26
                                                                                • Instruction ID: 2ca3bd6189ea1204782fe673ddc5893ee632fcff4bee72075df258f2658b9ed4
                                                                                • Opcode Fuzzy Hash: f42f246839d26ceda03858778826fc3e92777af0706dd0cef3763bfe39baea26
                                                                                • Instruction Fuzzy Hash: 93018730318C1D4FD6A8FA1CE888A2937D1FF8C351B8101FAE40DD72A6CA21EC808780
                                                                                Function 00007FF848E70A55 Relevance: .1, Instructions: 52COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f281028ae020ec82dc72bda514fa10d7d610adbff03d8b57634523dd61294698
                                                                                • Instruction ID: b2db8147aed78f2237d56e9ff441ab911d6d9e809070b1f0bd8cae16796856aa
                                                                                • Opcode Fuzzy Hash: f281028ae020ec82dc72bda514fa10d7d610adbff03d8b57634523dd61294698
                                                                                • Instruction Fuzzy Hash: 62019E3160C90A4FCB88EF48C4C58A6B3A1FFA4310B1442E6C4088F19BDA38FC96C7C0
                                                                                Function 00007FF848E70CD2 Relevance: .1, Instructions: 52COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8e64c5195db2ddcad4f16459c3024d9ed33a13b6f052f0cc1738d7977a66549c
                                                                                • Instruction ID: ad054cb157e39ef65c6d16d3215702305be841ea8522b9eaaaca9b727b95dbd7
                                                                                • Opcode Fuzzy Hash: 8e64c5195db2ddcad4f16459c3024d9ed33a13b6f052f0cc1738d7977a66549c
                                                                                • Instruction Fuzzy Hash: BCF0283260CA440FE708B628C898669B3D6EBD5391F15417AD40ED72A6EEB9BC0282C4
                                                                                Function 00007FF848E63451 Relevance: .1, Instructions: 51COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fa83e872b92f9198a2549891664945310c9e08fb87d2cece193282293f043178
                                                                                • Instruction ID: 8a4e768358f4155d611ad477af914d0dbf6a8c3f5e9f4299c99f954cb1aaf6ea
                                                                                • Opcode Fuzzy Hash: fa83e872b92f9198a2549891664945310c9e08fb87d2cece193282293f043178
                                                                                • Instruction Fuzzy Hash: 2C01DF2054EAC86FC706EBB884764EABFF0DE9B410B8808DEC4C58F2A3D6052417C384
                                                                                Function 00007FF8491154C3 Relevance: .0, Instructions: 50COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c4c0cd474770a8c6d15425e331bb326b0bb67ad998787e387a7eddfed721fd93
                                                                                • Instruction ID: 6ebe21f1c411fa50711c2c10274c60bc59e5bab9f5bf359fca99df71aadf4c55
                                                                                • Opcode Fuzzy Hash: c4c0cd474770a8c6d15425e331bb326b0bb67ad998787e387a7eddfed721fd93
                                                                                • Instruction Fuzzy Hash: 6BF06211B1DE5E1FE6E9BA6C242617861C2EB9C161B5411BBD40FC2186FE6CDC414644
                                                                                Function 00007FF84912A6F0 Relevance: .0, Instructions: 47COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fc4a32f2c76f4f1726d89fa69e6dd243cc19df553b73239da1de7adea0dcb8ff
                                                                                • Instruction ID: c363dd9d33f18ae093f7d5d2c9dcbfe6c7b2cef626a250b534d9e34a5b8ac33c
                                                                                • Opcode Fuzzy Hash: fc4a32f2c76f4f1726d89fa69e6dd243cc19df553b73239da1de7adea0dcb8ff
                                                                                • Instruction Fuzzy Hash: 82F0DA30708C0E8FDAA4FB2CD858A2573E6EF9835175901A6E40DC72A5DE64DC41CB81
                                                                                Function 00007FF849111149 Relevance: .0, Instructions: 45COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 976bd0c4770872cc0408d9a8fe3a10cfe66e55dabf5ac13acdab0bea3101e0d2
                                                                                • Instruction ID: 79a1ad22f8a94a85d32b6a69b9996cdf70a83b8817feac70f17cb845be6ea2c6
                                                                                • Opcode Fuzzy Hash: 976bd0c4770872cc0408d9a8fe3a10cfe66e55dabf5ac13acdab0bea3101e0d2
                                                                                • Instruction Fuzzy Hash: DF011430218E489FCA98EB2CD095D6577F2FFAD31035905D9E04ACB3A6CA20FC01CB80
                                                                                Function 00007FF848E66BC7 Relevance: .0, Instructions: 45COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 66c2eda567727dad116b3dbe60cfffde755847056622bf673ce5161486b78615
                                                                                • Instruction ID: e59b002f9efc3277f327695ab539f86befde7e4f64c8711765d854b7c5623d68
                                                                                • Opcode Fuzzy Hash: 66c2eda567727dad116b3dbe60cfffde755847056622bf673ce5161486b78615
                                                                                • Instruction Fuzzy Hash: 3DF0462120D9811FE301723868170FE7BE0DF86A20B9400F9C8868716BCD1974138380
                                                                                Function 00007FF848E66FB2 Relevance: .0, Instructions: 45COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d4ef5465481dd5e12eaec764bcbe23d6d95de2c563d4ff64b484b29e19e4a5b5
                                                                                • Instruction ID: 91ae0842fc1dea82f59b1d4c72af7793d5be4e2708a8980615746d425477a7bd
                                                                                • Opcode Fuzzy Hash: d4ef5465481dd5e12eaec764bcbe23d6d95de2c563d4ff64b484b29e19e4a5b5
                                                                                • Instruction Fuzzy Hash: 23F0AF71A0CA088FDA49FA08E0815BCB3E1FB98310B50113ED08BD35A6CE22B8438B44
                                                                                Function 00007FF848E6967A Relevance: .0, Instructions: 44COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 14ac5d229bf875705d6e004e75240499fbdbaa4462c38987cfb600a5bece0615
                                                                                • Instruction ID: 4ccb47c3ab1c2e54bf3a8688e2cad654291bd77365fca265350b23fbe7013ad8
                                                                                • Opcode Fuzzy Hash: 14ac5d229bf875705d6e004e75240499fbdbaa4462c38987cfb600a5bece0615
                                                                                • Instruction Fuzzy Hash: 4AF0F97290CB490FF325F53498155EA77C1FB912B0F44073ED1A5A71F4EE68714A8686
                                                                                Function 00007FF849110E78 Relevance: .0, Instructions: 43COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ce001bb81e8af388aa464e013d47530c8793f54e45f2222e815365f322201046
                                                                                • Instruction ID: d05d87d03a6284ee69c767df5f534b8a698d6695d56214b7841daf77732913a3
                                                                                • Opcode Fuzzy Hash: ce001bb81e8af388aa464e013d47530c8793f54e45f2222e815365f322201046
                                                                                • Instruction Fuzzy Hash: C1F08C30A1CE1A4FEBB8BE388044772B2E1FF58340F105A78D05ED2184EE28E8828B40
                                                                                Function 00007FF848E5D88F Relevance: .0, Instructions: 43COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3dc6030bedd66165945a2046f3976d2a18e821e914105f9cfb036906deea4139
                                                                                • Instruction ID: cfebe8b8bb9fbeef06d4781e38ad66c6d6e325c3f25ad7ba6842adc9397dc3b9
                                                                                • Opcode Fuzzy Hash: 3dc6030bedd66165945a2046f3976d2a18e821e914105f9cfb036906deea4139
                                                                                • Instruction Fuzzy Hash: 01014BB111FAC56FD306EBB4852A6AABFF0EF4B14074849EDC8C58F173C92A5456D341
                                                                                Function 00007FF848E6EBFB Relevance: .0, Instructions: 42COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ec7019ccc97d392131a3723eaf41b878a6fa1632ac921f97dd18fc6bca18c8a9
                                                                                • Instruction ID: a761682137d1e05514a65a356e07cfeadcc1793cf094f406e3fabc001b5dd88f
                                                                                • Opcode Fuzzy Hash: ec7019ccc97d392131a3723eaf41b878a6fa1632ac921f97dd18fc6bca18c8a9
                                                                                • Instruction Fuzzy Hash: 7CF03731B1CD6F0FE558AA0C78161BC73C1FB496A0BD001BAD04AD3586DE15BC424289
                                                                                Function 00007FF849114967 Relevance: .0, Instructions: 40COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 36eba612f15d8b0e8defde6c56d100e79b30e71f63e0ab7e86dbf6def874f93e
                                                                                • Instruction ID: 1be8a4938abe24a66f1d068985df6624efae4fed96b39ed5c118e47ccaf891e0
                                                                                • Opcode Fuzzy Hash: 36eba612f15d8b0e8defde6c56d100e79b30e71f63e0ab7e86dbf6def874f93e
                                                                                • Instruction Fuzzy Hash: A2F04F31A18E499FDBACEE248051676B3E2FFAC244B04057E808BC3691DF39E4028B00
                                                                                Function 00007FF849115379 Relevance: .0, Instructions: 40COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b95a1857959f952909157b045454c5f27d63001916512cdfd74eda8e8c6fc043
                                                                                • Instruction ID: 6fe150180d34cb93d19d8408656aaf90ef626873d0fc5e3ec306b81c64b4f091
                                                                                • Opcode Fuzzy Hash: b95a1857959f952909157b045454c5f27d63001916512cdfd74eda8e8c6fc043
                                                                                • Instruction Fuzzy Hash: 9301817091DBCE4FDB46EF2888181B97FF0FF5A200F0404EBD459C71A2DA7955148741
                                                                                Function 00007FF848E5E5C5 Relevance: .0, Instructions: 40COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 644ddf6161f3b02db5b7f09d106f4990b9cc5ab43a72c5f405a0135a34f03ab4
                                                                                • Instruction ID: 9732fa1719925dec45d430f76bd2393439fc657351542f3f7921c5c371b8d92d
                                                                                • Opcode Fuzzy Hash: 644ddf6161f3b02db5b7f09d106f4990b9cc5ab43a72c5f405a0135a34f03ab4
                                                                                • Instruction Fuzzy Hash: C1F0F67250CB880FC3419718D414599BBD1FB94370F4507BFE045D71E1DE6899418382
                                                                                Function 00007FF848E69DF9 Relevance: .0, Instructions: 39COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b782f3c5c023ebe73c5f374e037363771b3793476000fa377ea87e8b99e10536
                                                                                • Instruction ID: 8bbb1e0ad48fa7ff34a4ff999f181640c0d8771446daf68159418389a592eea6
                                                                                • Opcode Fuzzy Hash: b782f3c5c023ebe73c5f374e037363771b3793476000fa377ea87e8b99e10536
                                                                                • Instruction Fuzzy Hash: 48F0674194EBC64FE723A37C58660A9BFF0AE1B540B4E08EBC5C5CB5A3D908086BD352
                                                                                Function 00007FF8491179A5 Relevance: .0, Instructions: 37COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 75bfe650ffcc7c604ac4f24f827003eabf79a6688c20f9ab973a03f70d40d50e
                                                                                • Instruction ID: 88f6217902cfc55a9f9a947017f061c2a57db98a6539db5bee0a67ae1e1561eb
                                                                                • Opcode Fuzzy Hash: 75bfe650ffcc7c604ac4f24f827003eabf79a6688c20f9ab973a03f70d40d50e
                                                                                • Instruction Fuzzy Hash: 4801446691E7C66FDB53EA3848A9198BFB1AF53594B0D40FAC0888B193E95C540EC711
                                                                                Function 00007FF848E61CB4 Relevance: .0, Instructions: 35COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2de5dcf9df4cdf2c021136708f97a2b04e419b80b62695ef96b2391dd671b96a
                                                                                • Instruction ID: 6c507c28f5936bc3d4f4ed326a1bb910bffaf4d90070304d864efa6efeb584a5
                                                                                • Opcode Fuzzy Hash: 2de5dcf9df4cdf2c021136708f97a2b04e419b80b62695ef96b2391dd671b96a
                                                                                • Instruction Fuzzy Hash: DDF0BE3290C6088FCF05EF58E8128DCB3B0FF55320B480195C049AF152C231F886CBC0
                                                                                Function 00007FF848E7465D Relevance: .0, Instructions: 34COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1705b026f09a61da2e6fc3190657be8114da34aa2b904e4fe78570dc17b5a52e
                                                                                • Instruction ID: 9071d9ff45f64983f3b1350955445219ea18bb7eaa5cc0d5e30762387ded12ae
                                                                                • Opcode Fuzzy Hash: 1705b026f09a61da2e6fc3190657be8114da34aa2b904e4fe78570dc17b5a52e
                                                                                • Instruction Fuzzy Hash: DDE09236B5D65A4EEB4CA948EC026F87380FB45774F50013FD65BC25C1DA3674278685
                                                                                Function 00007FF848E5AE41 Relevance: .0, Instructions: 34COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e1ffc442d3b7c649c29e8f35436157b91c27626444da656e63d61ea01cfae334
                                                                                • Instruction ID: 71490cc27c048f31c86e5743f893710750a4ef61e6f92f55ad9bf28761031f33
                                                                                • Opcode Fuzzy Hash: e1ffc442d3b7c649c29e8f35436157b91c27626444da656e63d61ea01cfae334
                                                                                • Instruction Fuzzy Hash: ECE0929084E7D50FE31AB7B928660A9BFA0EF17540B8E00EBC086CB1E3D80D09D69346
                                                                                Function 00007FF848E61109 Relevance: .0, Instructions: 33COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0c74b0291007b8a22aa9f9f736acdf7dd2455f262dbaab40bad5c3ddc2f3ac8a
                                                                                • Instruction ID: e27688058dc9e58274e5c0de91888cce20ae1613412edc90470d13f076773c0e
                                                                                • Opcode Fuzzy Hash: 0c74b0291007b8a22aa9f9f736acdf7dd2455f262dbaab40bad5c3ddc2f3ac8a
                                                                                • Instruction Fuzzy Hash: 01F015A6C6C69B4EF7467BE404470E8BB51BF42280F8409B6F51C82083CF7C3208427A
                                                                                Function 00007FF848E5DAB5 Relevance: .0, Instructions: 31COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dffb479a7422616f34846bde233d358b575b2c1e8cea46e34f5a68c9d450c181
                                                                                • Instruction ID: ec068e75c8af4a2068bf187a512a51b5725a4dcafbf0304f07a28c707f9176ce
                                                                                • Opcode Fuzzy Hash: dffb479a7422616f34846bde233d358b575b2c1e8cea46e34f5a68c9d450c181
                                                                                • Instruction Fuzzy Hash: 76E0DF61D0EA8E0EE702B7F019010E9BF20EF422E0F8400B3F058C6093CE6C520883A7
                                                                                Function 00007FF848E58CB2 Relevance: .0, Instructions: 31COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c1937247a41d995601065cb04b13578384ac8b213fdca5dc3d0edd6356d739e4
                                                                                • Instruction ID: b65e8ca4a19ce188246c645eb7ab2c60686323ba15496b72af5a6acfc8a7cca7
                                                                                • Opcode Fuzzy Hash: c1937247a41d995601065cb04b13578384ac8b213fdca5dc3d0edd6356d739e4
                                                                                • Instruction Fuzzy Hash: 34E06D71E1DC1A5EE594E66C44246B992C2FBC86E0F250BB5C01ED33D6DE382C829B45
                                                                                Function 00007FF848E619AD Relevance: .0, Instructions: 30COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bb4ddbc567297f852b22767656fcafb4346b21d1da81a4afef6e4e3cd949645a
                                                                                • Instruction ID: 78903e85d374a60f71e4dec691a752c34019da31709bf59a5199d70cee24946d
                                                                                • Opcode Fuzzy Hash: bb4ddbc567297f852b22767656fcafb4346b21d1da81a4afef6e4e3cd949645a
                                                                                • Instruction Fuzzy Hash: 43F0E939D0C64A8DEB37AA4495022FC77A0FF40390F941179D49D772C1DF36B8168789
                                                                                Function 00007FF848E76910 Relevance: .0, Instructions: 30COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5f73e927f2cce9950e132be6e4f00ab30c670b6775e9c612c0e2aae9ab558508
                                                                                • Instruction ID: dd99d1e5d51f7bf6ccf9df51acd7b5afd1612a56986c075b8af506906921a7b5
                                                                                • Opcode Fuzzy Hash: 5f73e927f2cce9950e132be6e4f00ab30c670b6775e9c612c0e2aae9ab558508
                                                                                • Instruction Fuzzy Hash: 21E0DF7190CA8C8FDF90BA69A804AE97BA4FB89368F04006AE00DC3291CB355846C756
                                                                                Function 00007FF848E5BFDB Relevance: .0, Instructions: 30COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 67cdc420e852dd25616493c8b0ab7cf947577cfc0bde9fcfe64689d5e029fafb
                                                                                • Instruction ID: 97f0fdb1bcf30a0de9ccd770b853384ea8f1fb768c0c2ebb1fcc3bac7ff92c46
                                                                                • Opcode Fuzzy Hash: 67cdc420e852dd25616493c8b0ab7cf947577cfc0bde9fcfe64689d5e029fafb
                                                                                • Instruction Fuzzy Hash: F9F0396021F9C52FDB46EBB9843A6AEAFF18F8B50034849DDC8C69F2B3D9195416C340
                                                                                Function 00007FF848E58AB9 Relevance: .0, Instructions: 29COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a22f57870637cc0945d162bfdcf0099b835501072986dc45348b38f7729e2d82
                                                                                • Instruction ID: 1403dddbe2b402344ce4ff0858a9c7a944ea8586fcaa1812dedfa65e2a824a30
                                                                                • Opcode Fuzzy Hash: a22f57870637cc0945d162bfdcf0099b835501072986dc45348b38f7729e2d82
                                                                                • Instruction Fuzzy Hash: 08F05CA2C0DA6A4FEBA5A9A418520EAF790FF323A0F040B6DC485A71A1CF356547CB44
                                                                                Function 00007FF848E5FD9E Relevance: .0, Instructions: 29COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ba32264c8491677af1db91f42f1df728b29bb2a10fb95eeff7b6028da0bbfe96
                                                                                • Instruction ID: e7c8844141ac5837320f7d38295cac5d1904bc45c3b8be4ec399040385c89937
                                                                                • Opcode Fuzzy Hash: ba32264c8491677af1db91f42f1df728b29bb2a10fb95eeff7b6028da0bbfe96
                                                                                • Instruction Fuzzy Hash: D5F0656190F9C51FD751EBB8946626ABFF0DF46650F0C41EAC984CF167C51848138341
                                                                                Function 00007FF84912F5C8 Relevance: .0, Instructions: 28COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 65def5061897bb232d0bb856b981a9bd66248eb6db53a622386aa12711b3052f
                                                                                • Instruction ID: deb76a9f76c3eb96553a9f8228f9d47aa7c1ec14d8b853413eef1896e8876ce8
                                                                                • Opcode Fuzzy Hash: 65def5061897bb232d0bb856b981a9bd66248eb6db53a622386aa12711b3052f
                                                                                • Instruction Fuzzy Hash: 34E08C10E0CD6A0AF9B479A8341A2B522D0CF497D1F0501B7EC0DE2295ED0EECD60AC5
                                                                                Function 00007FF848E61590 Relevance: .0, Instructions: 28COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c9ffb66b29d3defa24968e50c1bef56a24278100348e44d214755ed000843f77
                                                                                • Instruction ID: ac0ff80c140dd400e16feafe8795687491aed321d7de3c2a65f175bf80c35d35
                                                                                • Opcode Fuzzy Hash: c9ffb66b29d3defa24968e50c1bef56a24278100348e44d214755ed000843f77
                                                                                • Instruction Fuzzy Hash: 96E0922191DD185BE780BB34940D1FEB6E0FF98244F040A7AE84DD21A5EE2859804A85
                                                                                Function 00007FF8491164C5 Relevance: .0, Instructions: 26COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4e8a02ff468bcf3eaffff0afcd089f30d87fd39479e8c98a4f48b4dce9cfb37c
                                                                                • Instruction ID: af116df29232a5da66839a1fc69d8f659d24c796fdde38bd2473884ce270804b
                                                                                • Opcode Fuzzy Hash: 4e8a02ff468bcf3eaffff0afcd089f30d87fd39479e8c98a4f48b4dce9cfb37c
                                                                                • Instruction Fuzzy Hash: C4E0D82784DAC88FD732BF3488670F97F60FF5A310F4801DAD5984B492E60C542AC741
                                                                                Function 00007FF848E6B659 Relevance: .0, Instructions: 26COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6a153fc9339f077cef422c8a5f987ffc84652d1501e00d62de3d6edac8e0754f
                                                                                • Instruction ID: 1df2faec8ee65e291b7a032dd3381c4178b9c236703af185ffa6ec9cf176ab1a
                                                                                • Opcode Fuzzy Hash: 6a153fc9339f077cef422c8a5f987ffc84652d1501e00d62de3d6edac8e0754f
                                                                                • Instruction Fuzzy Hash: FBE04F32B0C50A4FE728FA04D4906F83392FBD5360F94463BD81AD62D5DF79B8919388
                                                                                Function 00007FF848E58C7F Relevance: .0, Instructions: 25COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d1e5daa30fc1daa2e82e6e5e00dde9e1f4f95535a8cce8f473dc7eaf32a88f8f
                                                                                • Instruction ID: 5ed991b59af721077eb5ec6656d2dafe18af4d438e715509130aec9e1c778a52
                                                                                • Opcode Fuzzy Hash: d1e5daa30fc1daa2e82e6e5e00dde9e1f4f95535a8cce8f473dc7eaf32a88f8f
                                                                                • Instruction Fuzzy Hash: C8E08C71E0CC2A4EE5E0E51C14287A892C2EBC86A0F2403B6801DD33D4DE341C839705
                                                                                Function 00007FF848E63E45 Relevance: .0, Instructions: 25COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5a29946956e82a6d197ed54e50cd44d8f0c275941fb67e3b5a6697b57eaed938
                                                                                • Instruction ID: 2ff0a0b9fd9f9e8b243a9a6ccf7cf1a637112c895780222b358b8b2986dfa194
                                                                                • Opcode Fuzzy Hash: 5a29946956e82a6d197ed54e50cd44d8f0c275941fb67e3b5a6697b57eaed938
                                                                                • Instruction Fuzzy Hash: 85E04F315069889FDB01EFB890595BA7FB1DF5B20174884DAC889CF2A1C5315467CB40
                                                                                Function 00007FF848E65C2D Relevance: .0, Instructions: 24COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 36b38309271ad98efee3c0b908c3aeefa2d18409d07717e973d7e448262a28da
                                                                                • Instruction ID: 5c8b1d239bf9687d2abdc70e8e31d3c51cd027d031b0522a406b48ec4e9f587d
                                                                                • Opcode Fuzzy Hash: 36b38309271ad98efee3c0b908c3aeefa2d18409d07717e973d7e448262a28da
                                                                                • Instruction Fuzzy Hash: 98D02B3150891C1FCB10FB699C409D73B6CE784378F000337E80CC2051D5319265C791
                                                                                Function 00007FF848E5B608 Relevance: .0, Instructions: 24COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3dee8e163129b83103902ae3ff24e9b43f520b6aa70d7cf49b3ec4fee92f0c83
                                                                                • Instruction ID: 54b74c9722512572a97a3df9e9bbafd23e68df12d4d3d8ffd9d6934806572dd0
                                                                                • Opcode Fuzzy Hash: 3dee8e163129b83103902ae3ff24e9b43f520b6aa70d7cf49b3ec4fee92f0c83
                                                                                • Instruction Fuzzy Hash: 41E0D820D0C9024EEA64B2188084A7471D0BF40384F788675E11EC71E3EFBDECC2C308
                                                                                Function 00007FF848E6C8D8 Relevance: .0, Instructions: 24COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 20ead693721b61d37651224e650b20352ea384af5464fd64b090ddc24de4639a
                                                                                • Instruction ID: f040de7473a01483929efb4514031c3c4d2ebbfaabe7a268367686de86b017b6
                                                                                • Opcode Fuzzy Hash: 20ead693721b61d37651224e650b20352ea384af5464fd64b090ddc24de4639a
                                                                                • Instruction Fuzzy Hash: 0DE09A20E0D8064EEA64B698848553462C0BF40388FB88674E12DC71E2EB3CFE82CA08
                                                                                Function 00007FF8491211A0 Relevance: .0, Instructions: 22COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 17548e8380cbe2840cbbbeabd2330f39b4ddf178537faf0053b1c21db1c6e997
                                                                                • Instruction ID: ebf705d2fec0691de9fa6ab0b4c36e34fc513a2d496a7193a1f1c3ae2b84098f
                                                                                • Opcode Fuzzy Hash: 17548e8380cbe2840cbbbeabd2330f39b4ddf178537faf0053b1c21db1c6e997
                                                                                • Instruction Fuzzy Hash: 9FD01220928E594FDAB8FA7850457B671E0FB18310F400A69D01AC3589EF6CA9858785
                                                                                Function 00007FF848E61B78 Relevance: .0, Instructions: 21COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 25997c66617f37915d1bc1a490f3e25400befdcc6adf7c8de414289dfc738c00
                                                                                • Instruction ID: 9b78fb5dddf1e7e8854abf2b72096067227e724c7a7de30b5e913f423b8fa8de
                                                                                • Opcode Fuzzy Hash: 25997c66617f37915d1bc1a490f3e25400befdcc6adf7c8de414289dfc738c00
                                                                                • Instruction Fuzzy Hash: 41E0752DC4D54A4EE7537BA804020FD7A14BF502D0FC80975F42DA5093DF7AB5145A6B
                                                                                Function 00007FF848E5D4B4 Relevance: .0, Instructions: 20COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fa19efe84a7ee1c5046919ad0f81cc9b7e7b099ef70428e499d4c31e82966d74
                                                                                • Instruction ID: 77d10218171d2114b1081175acab678fa71ba7b5ae156d345cdaf9ebfc5520a7
                                                                                • Opcode Fuzzy Hash: fa19efe84a7ee1c5046919ad0f81cc9b7e7b099ef70428e499d4c31e82966d74
                                                                                • Instruction Fuzzy Hash: D6D05E0031E9C81FE3469B748A792B63FF18E9B08035C48EE88C1CF2B3D419941B8300
                                                                                Function 00007FF848E72009 Relevance: .0, Instructions: 18COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a4cdf20893ba038fe1f7ee6b4695a7a6f8f7c49e179c62c87f474141ea4fe783
                                                                                • Instruction ID: f6a0a8193c05f4784123290a263358414ffcb56b730b1408415d8be45ed18344
                                                                                • Opcode Fuzzy Hash: a4cdf20893ba038fe1f7ee6b4695a7a6f8f7c49e179c62c87f474141ea4fe783
                                                                                • Instruction Fuzzy Hash: 73D02221D2CDA90DFAB4703834190B46AC0EF11042F0904FACC09E31F3DF8A28854199
                                                                                Function 00007FF848E77240 Relevance: .0, Instructions: 16COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c0d0ef322862403b88454a71cddc31245ad2cfb7383d11473e83671e2e3db1b9
                                                                                • Instruction ID: 11b7322c17093ea9a8b549b9dd9e7e45154c4665e768d92f2dd60a58321f7479
                                                                                • Opcode Fuzzy Hash: c0d0ef322862403b88454a71cddc31245ad2cfb7383d11473e83671e2e3db1b9
                                                                                • Instruction Fuzzy Hash: 2DC0122190D82A269528715E7C4149956D4EACC760F554676F41CD2248DB281CD142C9
                                                                                Function 00007FF848E65777 Relevance: .0, Instructions: 16COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3f470633aad98cb313f3f8cf472b061f317425945e90778838c4904dbe1a162e
                                                                                • Instruction ID: e8eb5378ceb208f672cc52df50b7233bb4370cefa133f1fd7869c2bc2ae84af9
                                                                                • Opcode Fuzzy Hash: 3f470633aad98cb313f3f8cf472b061f317425945e90778838c4904dbe1a162e
                                                                                • Instruction Fuzzy Hash: 32C08017D5C40FDEE595611878414F57381F7615B0FC01331F41C511C5DD2D79434548
                                                                                Function 00007FF848E5BFBA Relevance: .0, Instructions: 15COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4a0f5f46b34a490a9d1bf97014f531d75ea7478e1173d07428e5185ae88bb1b4
                                                                                • Instruction ID: 15090d7190f0af2a1c167a8aa107eb2c5c92a5aae964be390a2a4042197747a6
                                                                                • Opcode Fuzzy Hash: 4a0f5f46b34a490a9d1bf97014f531d75ea7478e1173d07428e5185ae88bb1b4
                                                                                • Instruction Fuzzy Hash: 2BD0C93131AE844FD246AB74852515ABBE1AF8B1057A884EDC089CB263C92A9457C381
                                                                                Function 00007FF849118AEB Relevance: .0, Instructions: 14COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7396539fde3a365cfe5b670f38be332282e0a6f7576582328f5835b7823f127e
                                                                                • Instruction ID: badf512f5e2ee50320760809e81dcd66fe68b9d6ceee794e5d33995d4f8bf0aa
                                                                                • Opcode Fuzzy Hash: 7396539fde3a365cfe5b670f38be332282e0a6f7576582328f5835b7823f127e
                                                                                • Instruction Fuzzy Hash: D2D0236040D99C1FD745EF38C42566DBBB0DF16100F0000FD804EDB1D3DD251442C715
                                                                                Function 00007FF848E5B3FA Relevance: .0, Instructions: 14COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8145ce1b099352217902f4137d4d3d63494ba552a154f46a0168c7167dcd7886
                                                                                • Instruction ID: 76c0164a6aa92b615f4a3736a5f10ce94d0df2e33e8e11bc1e2cbeaeb97487dc
                                                                                • Opcode Fuzzy Hash: 8145ce1b099352217902f4137d4d3d63494ba552a154f46a0168c7167dcd7886
                                                                                • Instruction Fuzzy Hash: BED0C930309A854FD24AAB798425296BBE1AF4B20579844ECC089CB262C92A94468345
                                                                                Function 00007FF848E5FABA Relevance: .0, Instructions: 13COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fc536569066c62cddaca69c134e0c7970616caf8e4f14d8f1b4bbad60f28865c
                                                                                • Instruction ID: fb682bbdd77739a792b45996ea086d6314127851565b1a5c4646c305be56adfc
                                                                                • Opcode Fuzzy Hash: fc536569066c62cddaca69c134e0c7970616caf8e4f14d8f1b4bbad60f28865c
                                                                                • Instruction Fuzzy Hash: 0FD0125190DAC92FE741EBB5406E1BEAFF1EF4A500B4804F9C88DCB2A3CE2D9802C700
                                                                                Function 00007FF848E5FA9A Relevance: .0, Instructions: 13COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e9b97f908324767419d11ce4d3ef81be5b69d3faf24f0473854fdb6fb68a811c
                                                                                • Instruction ID: 06442ade2b779ae6b991f66980e6e3a03e3f28cb48a27b818a80d7892ac6f2d7
                                                                                • Opcode Fuzzy Hash: e9b97f908324767419d11ce4d3ef81be5b69d3faf24f0473854fdb6fb68a811c
                                                                                • Instruction Fuzzy Hash: FAC0120051DAC96FD241B7B5403B07EABE19F4A504B9408F888858B1A3DC1D94018340
                                                                                Function 00007FF848E5FA7A Relevance: .0, Instructions: 13COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3a03a1768bee73856933f81fd592e4e35405c06e637cb921ffcfbb91e40982d5
                                                                                • Instruction ID: 1a480f473de4f1f928ffab55463044e733186cb73dcf7d31a529974d93a0cefb
                                                                                • Opcode Fuzzy Hash: 3a03a1768bee73856933f81fd592e4e35405c06e637cb921ffcfbb91e40982d5
                                                                                • Instruction Fuzzy Hash: 9CC0120191E9C12FE241E775006B07E6FE19F4A540F4404F88C85CB1A3DC1DA4118281
                                                                                Function 00007FF848E5FAFC Relevance: .0, Instructions: 13COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 492d3855d8b1e99fc07c1ba2fe788ca9044a1bce954e888bd9f1c003bf980744
                                                                                • Instruction ID: 91709e3fb371532f6ef0ebd67dfcc79c5ebb972825c01dee17648140a09d34a8
                                                                                • Opcode Fuzzy Hash: 492d3855d8b1e99fc07c1ba2fe788ca9044a1bce954e888bd9f1c003bf980744
                                                                                • Instruction Fuzzy Hash: A6D0125090D9C92FD741EBB5403A1BEAFF1EF4A644B5408FDD889CB1A3CE2D94128740
                                                                                Function 00007FF848E65058 Relevance: .0, Instructions: 13COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e6ec55b77799a3a652ab8d72dc337e8510d23f6349320d8162b733da3eeba4ad
                                                                                • Instruction ID: 06eedd74a0a89c8309d40d2be667724f2ae01b7fdc4233c1e6896afc7c75b29c
                                                                                • Opcode Fuzzy Hash: e6ec55b77799a3a652ab8d72dc337e8510d23f6349320d8162b733da3eeba4ad
                                                                                • Instruction Fuzzy Hash: 95C08C3276088C9B4B50993868110A533C2DB4A2347108721A43EC31D0DF21A8110241
                                                                                Function 00007FF848E62F0E Relevance: .0, Instructions: 12COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 41ae397775beda036cd828b6ae356a2ec2b77bd0ff02494bc0d2eb31f26d8f93
                                                                                • Instruction ID: 9548b4ba6d860d0a0d3726239da188323ce5a25c2f8385f4a31f03c68cbe9b0d
                                                                                • Opcode Fuzzy Hash: 41ae397775beda036cd828b6ae356a2ec2b77bd0ff02494bc0d2eb31f26d8f93
                                                                                • Instruction Fuzzy Hash: A2D0CA02C0E88F9EE1117EB840030A82200FF067D0F8C4870E00CBB08BCE283408412A
                                                                                Function 00007FF8491207D0 Relevance: .0, Instructions: 11COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f858af4c99eae558aa277b728af9d6210e9d0ab4f6e3f28c14c29ec75ca98103
                                                                                • Instruction ID: dfaab9e5200b354793525bc005bb537b1c5dabf63c5926b20cdcc860c3449932
                                                                                • Opcode Fuzzy Hash: f858af4c99eae558aa277b728af9d6210e9d0ab4f6e3f28c14c29ec75ca98103
                                                                                • Instruction Fuzzy Hash: B5B01221A1DCA82A567C753D180EA7F04D5CBDDB51706017FF81CD32D6FC480C5142E9
                                                                                Function 00007FF848E66B0D Relevance: .0, Instructions: 10COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 521788fd93232a6dcc2be84cb2908b82753a3e390426529a43a706ffeb1cf170
                                                                                • Instruction ID: 6c4bcefb645fff77e7f478fd8bc8e4c82621826b10f83e7dc52e9f06197f9435
                                                                                • Opcode Fuzzy Hash: 521788fd93232a6dcc2be84cb2908b82753a3e390426529a43a706ffeb1cf170
                                                                                • Instruction Fuzzy Hash: 5DC08C06D1D48BCEE1407A2C50120682640BF20BC9FC848F4E00EDB0A3CA28340C0214
                                                                                Function 00007FF848E5B41B Relevance: .0, Instructions: 10COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 89353b70ad64f7c6405ad3fa35a80f2b72e2cba3605721a7996ee990dfec2130
                                                                                • Instruction ID: 2a54a4fb1a8f8b319b62f9705e40382a39bd8e4d399c6c375e346f1177a5368c
                                                                                • Opcode Fuzzy Hash: 89353b70ad64f7c6405ad3fa35a80f2b72e2cba3605721a7996ee990dfec2130
                                                                                • Instruction Fuzzy Hash: 0CC0921030EAC82FE64B9A7848392AA2FF14F8B40235C48DD88C9EF2B2D409545A8300
                                                                                Function 00007FF848E6652A Relevance: .0, Instructions: 6COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b73656ccb9c54c143f8768e1a37ddcdd8abbef968b3860c30b144a21026c9be7
                                                                                • Instruction ID: bf89706e155af87a3dd21152b1455d104fdb0094181caf0c2ef4237aa8b23506
                                                                                • Opcode Fuzzy Hash: b73656ccb9c54c143f8768e1a37ddcdd8abbef968b3860c30b144a21026c9be7
                                                                                • Instruction Fuzzy Hash: 95A022328A800CCACF30080238030F83300FB80200F880022E80F82000CB3232300280
                                                                                Function 00007FF848E5D30D Relevance: .0, Instructions: 2COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2116888690.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3ffa4993ebe37749ed25e0301160465806ab333b5e9d4833cba585c8852dadcb
                                                                                • Instruction ID: afccd49b267ef96d24b038c0a894bc89a6eebc4313fccb3be3bda0175d41ca3c
                                                                                • Opcode Fuzzy Hash: 3ffa4993ebe37749ed25e0301160465806ab333b5e9d4833cba585c8852dadcb
                                                                                • Instruction Fuzzy Hash:

                                                                                Non-executed Functions

                                                                                Function 00007FF8A330ECC0 Relevance: 221.0, APIs: 64, Strings: 62, Instructions: 539memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: DebugOutputString$Heap$ErrorFreeLastProcess
                                                                                • String ID: $.dll$ARM$ARM64$CLR creation not implemented.$CLRCreateInstance$CoreCLR$ICLRRuntimeInfo loadable failure.$ICLRRuntimeInfo not loadable.$LicenseAssemblyPath$LicenseOtherAppDomain$MSCorEE$SdkCallback_%lX_%lX_%lX$System.Data.SQLite.SEE.License$System.Data.SQLite.SQLiteExtra$Verify$VerifyIsLicensed$Win32$assembly path env failure.$assembly path env not found.$assembly path env success.$assembly path found via module.$assembly path found via process.$assembly path is trusted.$assembly path not found via module.$assembly path not found via process.$assembly path not trusted.$bad assembly path env size.$bad callback from setup method.$could not allocate path.$could not create ICLRMetaHost.$could not execute verify method.$could not free strong name buffer.$could not get ICLRRuntimeInfo.$could not get ICLRStrongName.$could not get module file name.$could not get setup method callback.$could not trim module file name.$could not unset setup method callback.$detected .NET Core in process.$eeeSdk1: %s HRESULT 0x%016X$good callback from setup method.$invalid ICLRRuntimeHost.$invalid process heap.$missing CLR function.$missing CLR module in process.$modern strong name check failure.$modern strong name check unverified.$modern strong name check verified.$modern strong name token failure.$no current application domain?$strong name check was not verified.$strong name size and data matched.$strong name token data mismatch.$strong name token data missing.$strong name token size mismatch.$v4.0.30319$verify method returned failure.$verify method returned success.$verify method unreachable.$x64$x86
                                                                                • API String ID: 2299117403-3820284412
                                                                                • Opcode ID: 6cb599f1bcc2a40b04860ea33e157653ccee6fab7d48375881905106e70b4dc5
                                                                                • Instruction ID: 25e863b3faa166801545e9cd86e9ccb8e607efe77061f16dca1b90e810b2c218
                                                                                • Opcode Fuzzy Hash: 6cb599f1bcc2a40b04860ea33e157653ccee6fab7d48375881905106e70b4dc5
                                                                                • Instruction Fuzzy Hash: F7421925A0FE46A2EB51CFA1E8502B97760FF65BC4F904132D94EA36A4DF3EE549C700
                                                                                Function 00007FF8A32D9030 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 171encryptionCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: Crypt$DestroyHash$CreateErrorLast
                                                                                • String ID: CryptCreateHash failed, code=%lu$CryptDecrypt failed, code=%lu$CryptDeriveKey failed, code=%lu$CryptEncrypt failed, code=%lu$CryptHashData failed, code=%lu$missing encryption context
                                                                                • API String ID: 527577405-1659892492
                                                                                • Opcode ID: 0190a59013471d2fbae98ff27862acedfc282f856c074b09db37fba08a7fa995
                                                                                • Instruction ID: 4b4d2ff888ef5c3ea115a466563d37c8d08464d7f61562d1167737403a29158e
                                                                                • Opcode Fuzzy Hash: 0190a59013471d2fbae98ff27862acedfc282f856c074b09db37fba08a7fa995
                                                                                • Instruction Fuzzy Hash: 1D719132A0EA82A1EB609B11F45427A77A0FF95BE5F104231EAAD57AD8DF3ED045C700
                                                                                Function 00007FF8A33AAB10 Relevance: 28.5, Strings: 22, Instructions: 1023COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: UNIQUE$BINARY$CREATE%s INDEX %.*s$INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);$cannot create a TEMP index on non-TEMP table "%s"$conflicting ON CONFLICT clauses specified$corrupt database$expressions prohibited in PRIMARY KEY and UNIQUE constraints$index$index %s already exists$invalid rootpage$name='%q' AND type='index'$sqlite_$sqlite_autoindex_%s_%d$sqlite_master$sqlite_temp_master$table %s may not be indexed$there is already a table named %s$too many columns in %s$unknown database %T$views may not be indexed$virtual tables may not be indexed
                                                                                • API String ID: 0-2558424809
                                                                                • Opcode ID: 13c1a48aa9cedf082b3a1e8412e1b6215bc221579c4e9d84ca52fceeab5f88ff
                                                                                • Instruction ID: 9cfeb07516aaa01bb4f185cd3f899b45f5c31b5ba97e9528b226a1e413d5329c
                                                                                • Opcode Fuzzy Hash: 13c1a48aa9cedf082b3a1e8412e1b6215bc221579c4e9d84ca52fceeab5f88ff
                                                                                • Instruction Fuzzy Hash: 1BA2AC22E0EF82A6EB608B15A8447BA67A1FB85BC4F854136DE4D67795DF3FE440C700
                                                                                Function 00007FF8A32D4E20 Relevance: 24.1, APIs: 9, Strings: 4, Instructions: 1310COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfomemcpy_s$fegetenv
                                                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                • API String ID: 281475176-2761157908
                                                                                • Opcode ID: 6589d2dad00f4f1e886b9f272884f7f35237da1ae6b2eaa9298b1097b363d1a1
                                                                                • Instruction ID: 9628b77c1698b76aa2f977f31002460835449b50671e20c3093d9b8e627ca586
                                                                                • Opcode Fuzzy Hash: 6589d2dad00f4f1e886b9f272884f7f35237da1ae6b2eaa9298b1097b363d1a1
                                                                                • Instruction Fuzzy Hash: ABB20872A092829BE7658E69D4407FD37A1FB443CAF605135DA0A77B8CDFBAE5048B40
                                                                                Function 00007FF8A334A910 Relevance: 19.9, Strings: 15, Instructions: 1168COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PRAGMA %Q.page_size$compress$content$error parsing prefix parameter: %s$languageid$matchinfo$missing %s parameter in fts4 constructor$no such column: %s$notindexed$order$prefix$simple$tokenize$uncompress$unrecognized parameter: %s
                                                                                • API String ID: 0-405628426
                                                                                • Opcode ID: bae3b0ca647044978a9bf6d3909d364a3aaf00c0ec257ce44874fd9bdf1a692b
                                                                                • Instruction ID: bd91f66281a43bfbb43207c43eb19cbc7d2078128d376ff2990c127f2c764909
                                                                                • Opcode Fuzzy Hash: bae3b0ca647044978a9bf6d3909d364a3aaf00c0ec257ce44874fd9bdf1a692b
                                                                                • Instruction Fuzzy Hash: D2C26B21A0FF42A6EB148F65A8402B967A0FF55BCAF144135DE8EA7794DF3EE845C700
                                                                                Function 00007FF8A33D2480 Relevance: 19.3, Strings: 15, Instructions: 516COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$foreign key$indexed$invalid$misuse$no such column: "%s"$out of memory$unopened
                                                                                • API String ID: 0-1958129595
                                                                                • Opcode ID: 6bb361fbdd3031a682a4fec6f72d19098130ab26e9e8e3decd6c5138d4703fe8
                                                                                • Instruction ID: b9356cd83014930ed419fc1a2465d503048595a600bdfe2dfc9682ab7def007e
                                                                                • Opcode Fuzzy Hash: 6bb361fbdd3031a682a4fec6f72d19098130ab26e9e8e3decd6c5138d4703fe8
                                                                                • Instruction Fuzzy Hash: 9D32AD32A0EF82A5EBA18B25F4447BA67A4FB45BC4F408535DA4DA3795DF3EE844C300
                                                                                Function 00007FF8A3314300 Relevance: 16.9, APIs: 2, Strings: 7, Instructions: 1154COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: = ?$ AND $ IS ?$ SET $ WHERE $UPDATE main.$sqlite_stat1
                                                                                • API String ID: 0-2710509118
                                                                                • Opcode ID: 7eefc8aa35182d1685d4762fa1512b4a994bbdc7a71ab9fe04e2a6510d6bf953
                                                                                • Instruction ID: c2a02c46342214c59bc493d53c6498059862f4e4a4a0cc20c7880e6df443d084
                                                                                • Opcode Fuzzy Hash: 7eefc8aa35182d1685d4762fa1512b4a994bbdc7a71ab9fe04e2a6510d6bf953
                                                                                • Instruction Fuzzy Hash: 1CB2A022F0FE42AAFF528B65E5413B926B1EB55BD8F050235CE1EA77C5DE2EE4118340
                                                                                Function 00007FF8A32C4500 Relevance: 9.2, APIs: 6, Instructions: 236COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
                                                                                • String ID:
                                                                                • API String ID: 1405656091-0
                                                                                • Opcode ID: 50bd3539f60316b72e4977c16b5ec01c2cb82040dddcb917c7a8059d737f4be7
                                                                                • Instruction ID: 98b821c3a004c987e5e5f8b61c8b5e6e02619b0ab8166f32a29f7ed0c5206510
                                                                                • Opcode Fuzzy Hash: 50bd3539f60316b72e4977c16b5ec01c2cb82040dddcb917c7a8059d737f4be7
                                                                                • Instruction Fuzzy Hash: 8181F8B2F052465BEB689F35C9127B92395EB547CAF049135DB0D9AB8DEF3EE4008740
                                                                                Function 00007FF8A32EA970 Relevance: 5.3, Strings: 4, Instructions: 281COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: DELETE from$UPDATE$cannot %s contentless fts5 table: %s$delete
                                                                                • API String ID: 0-3461735031
                                                                                • Opcode ID: 8c0d4f2fc3b58a456cb574b00614e179b50d0084db7c0f701bc864a8d684304f
                                                                                • Instruction ID: 9b777fc6b6dd979b6eb1082d7fe24b4859b2bc4d879beb69e8e4ace72d114393
                                                                                • Opcode Fuzzy Hash: 8c0d4f2fc3b58a456cb574b00614e179b50d0084db7c0f701bc864a8d684304f
                                                                                • Instruction Fuzzy Hash: BEB11A21B0E653A1EB609A1A91436792BE0FF55BC6F345036DE4E67799FF2FE4418300
                                                                                Function 00007FF8A32D4950 Relevance: 4.8, APIs: 3, Instructions: 340COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: memcpy_s
                                                                                • String ID:
                                                                                • API String ID: 1502251526-0
                                                                                • Opcode ID: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
                                                                                • Instruction ID: 8d26f60a932f6ad261ab4d7c278583d90cbcd75cd2de59199d1ab40f8d3826a7
                                                                                • Opcode Fuzzy Hash: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
                                                                                • Instruction Fuzzy Hash: 8BD1BF32B1A68297DB24CF15E1856AAB7A1FB987C5F148134DB4E63B48DF7DE841CB00
                                                                                Function 00007FF8A33F0930 Relevance: 4.3, Strings: 3, Instructions: 558COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
                                                                                • API String ID: 0-2469029621
                                                                                • Opcode ID: b96b9600fee963c7564e31cbcba0345d8e0248c215eb9c0a8fb6e65a16ba6872
                                                                                • Instruction ID: ae93e2485d5b9da8767e4e2753045d6918f65dfe4bc60f72a23db5f4bdba0266
                                                                                • Opcode Fuzzy Hash: b96b9600fee963c7564e31cbcba0345d8e0248c215eb9c0a8fb6e65a16ba6872
                                                                                • Instruction Fuzzy Hash: 5032A232A0EB4296EB548F19E48467AB7A1FB847C4F814031DA4DAB791DFBFE805C700
                                                                                Function 00007FF8A332E370 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 344COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: %d %d %d %d
                                                                                • API String ID: 0-2566208650
                                                                                • Opcode ID: 1b70d6d37c73dd4f47961911f815852f688ce88b9f08b3bb47113acbe51c89ab
                                                                                • Instruction ID: b46f663f7665a9e7c6e2e8a87230e68aaff2fb26d455be864ead6ff2fbaf7e32
                                                                                • Opcode Fuzzy Hash: 1b70d6d37c73dd4f47961911f815852f688ce88b9f08b3bb47113acbe51c89ab
                                                                                • Instruction Fuzzy Hash: 57F16B32A0EF4296EB108BA5E4412AEB7A5FF54BC4F104136EA8D67B58DF3DE845C740
                                                                                Function 00007FF8A33027C0 Relevance: 3.1, Strings: 2, Instructions: 620COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: %z%.*s$wrong number of arguments to function snippet()
                                                                                • API String ID: 0-3624017242
                                                                                • Opcode ID: cce007e3d7288e2582e9862fa809f8e21d8ee5803548042ba03e770338679a66
                                                                                • Instruction ID: 659f8f9708bfcbf715c3052867774f1252ac4816b01901d2e5df8ca4c1793fe1
                                                                                • Opcode Fuzzy Hash: cce007e3d7288e2582e9862fa809f8e21d8ee5803548042ba03e770338679a66
                                                                                • Instruction Fuzzy Hash: 84524C32A0AB429AEB50CFA5E4402AD77A0FB497D8F108135DE5DA7B98DF3DE545C700
                                                                                Function 00007FF8A33A68E0 Relevance: 2.9, Strings: 2, Instructions: 427COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Expression tree is too large (maximum depth %d)$ORDER BY without LIMIT on %s
                                                                                • API String ID: 0-1536153988
                                                                                • Opcode ID: 389cf045989ce095263a87770623b98f9ea5c3682e59870e7c9933304d096024
                                                                                • Instruction ID: 5e30f16becc9bcb2b05113ef5fd4c74b6f28db5bffdfa4e6feb283dfe99b32fd
                                                                                • Opcode Fuzzy Hash: 389cf045989ce095263a87770623b98f9ea5c3682e59870e7c9933304d096024
                                                                                • Instruction Fuzzy Hash: 0A12B072A0AF8196D7A08F26E94026A77E5FB48BD4F144235CF9D67795EF3AE060C340
                                                                                Function 00007FF8A33ACCE0 Relevance: 2.8, Strings: 2, Instructions: 313COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                • DELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger', xrefs: 00007FF8A33ACE23
                                                                                • DELETE FROM %Q.sqlite_sequence WHERE name=%Q, xrefs: 00007FF8A33ACE0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: DELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger'$DELETE FROM %Q.sqlite_sequence WHERE name=%Q
                                                                                • API String ID: 0-3534416882
                                                                                • Opcode ID: 925f96e86f334d73b829bdd1822c239dab8ec7ab4306d9ac6c8495d5462b846f
                                                                                • Instruction ID: 7ce41d468f83b626b1d5ca131daefbbf3734ee7484bd0597f8e9e7a680509b8f
                                                                                • Opcode Fuzzy Hash: 925f96e86f334d73b829bdd1822c239dab8ec7ab4306d9ac6c8495d5462b846f
                                                                                • Instruction Fuzzy Hash: A9E17962A0AF82A1EB51DF25E8507A937A1FB84FC8F148136DE4D57B99DF3AE451C300
                                                                                Function 00007FF8A33226A0 Relevance: 1.8, Strings: 1, Instructions: 525COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: VUUU
                                                                                • API String ID: 0-2040033107
                                                                                • Opcode ID: 40df0c13ba0b586186ce63d98e403da29dd8000d8e3903ae07e107be1d0c97e5
                                                                                • Instruction ID: 42c5c81fe589047ff05630fefd3e8aa20d684bdc28eeb954a369129edc15ae4e
                                                                                • Opcode Fuzzy Hash: 40df0c13ba0b586186ce63d98e403da29dd8000d8e3903ae07e107be1d0c97e5
                                                                                • Instruction Fuzzy Hash: 8F22B322A0EE8296EB648F65F850279B7A0FF69BC4F048135DA4EA7751DF3EE451C700
                                                                                Function 00007FF849110080 Relevance: 1.7, Strings: 1, Instructions: 415COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: C$_^
                                                                                • API String ID: 0-642907035
                                                                                • Opcode ID: a2202d2fc153318a093ce1c399107385d2697983213d1d2464285ac8e85f88a3
                                                                                • Instruction ID: aab6446ab0f48bf79a807292d6ce978ff6f22bfbff0198e24091823b07986a2e
                                                                                • Opcode Fuzzy Hash: a2202d2fc153318a093ce1c399107385d2697983213d1d2464285ac8e85f88a3
                                                                                • Instruction Fuzzy Hash: 39C10CD399E5667ED6197A7CF4431F52B40EF453B8F0C9576D08C8D093DE1CA4828AE8
                                                                                Function 00007FF8A32E4450 Relevance: 1.6, Strings: 1, Instructions: 376COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: e
                                                                                • API String ID: 0-4024072794
                                                                                • Opcode ID: 35381cdb108a5499e9d22adb210290d818c71d62853a9d36dad2fa88724347cb
                                                                                • Instruction ID: c0d908659638db7daca5adf42a176b7cc288a3be791e1a6420b2cae3119c4129
                                                                                • Opcode Fuzzy Hash: 35381cdb108a5499e9d22adb210290d818c71d62853a9d36dad2fa88724347cb
                                                                                • Instruction Fuzzy Hash: 43E14922A1E6965AF7648F2494437796B90FF617C6F204135DA8EA37C9EF3EE805C700
                                                                                Function 00007FF8A336F050 Relevance: 1.6, Strings: 1, Instructions: 371COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RIGHT-JOIN %s
                                                                                • API String ID: 0-3713291301
                                                                                • Opcode ID: e981ad00f3d9b83cd879bb827680363f5052bbd2fcd429ce03cb1336fcaeb5d5
                                                                                • Instruction ID: 8df1c327fc3197517bd4bda8781a385df63ad683ad8b7a9f47ef464b27156312
                                                                                • Opcode Fuzzy Hash: e981ad00f3d9b83cd879bb827680363f5052bbd2fcd429ce03cb1336fcaeb5d5
                                                                                • Instruction Fuzzy Hash: B602EE32A0AB819AEB54DF15E140BAEBBA0FB88BC4F518226DF8D53755DF39D151CB00
                                                                                Function 00007FF8A32D8FF0 Relevance: 1.5, APIs: 1, Instructions: 18encryptionCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: ContextCryptRelease
                                                                                • String ID:
                                                                                • API String ID: 829835001-0
                                                                                • Opcode ID: 3e589967591414cbd780d7bb88f027c979f6a1a6445de085aae458b8d96443eb
                                                                                • Instruction ID: 2c3cc8657995381e6c88d64881a45bc68b23c88b066bb29276a7a16a04e0673b
                                                                                • Opcode Fuzzy Hash: 3e589967591414cbd780d7bb88f027c979f6a1a6445de085aae458b8d96443eb
                                                                                • Instruction Fuzzy Hash: 34E01225F4760695FF699B61B8513352250DF58BC7F189030DD0DE6285DF7E54858640
                                                                                Function 00007FF8A32C84E8 Relevance: 1.4, Strings: 1, Instructions: 199COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: 0
                                                                                • API String ID: 3215553584-4108050209
                                                                                • Opcode ID: 959dcb52e8f92f09f5e9a2cfa367ada6a551d4ec6da270d346320d199f3904db
                                                                                • Instruction ID: 18382e9b0bfcf3bb30c9e7a4875b0d02474ff1259a071d30e53e2bf5fc2ae495
                                                                                • Opcode Fuzzy Hash: 959dcb52e8f92f09f5e9a2cfa367ada6a551d4ec6da270d346320d199f3904db
                                                                                • Instruction Fuzzy Hash: B4711962A0E25266FBE88A2540402BD1390EF417C6F248535DF0CB77DECE7FE8468741
                                                                                Function 00007FF8A32DC9B0 Relevance: 1.4, Strings: 1, Instructions: 142COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0123456789abcdef
                                                                                • API String ID: 0-1757737011
                                                                                • Opcode ID: 295e19d7296b6d5ed350da52bf6015e23e27b588f5ddfb407fc76e9475764ada
                                                                                • Instruction ID: 0e75df18f92189799573b1afb8486ba0b8eb106d9e82a7e66a71b3e02f1bbb23
                                                                                • Opcode Fuzzy Hash: 295e19d7296b6d5ed350da52bf6015e23e27b588f5ddfb407fc76e9475764ada
                                                                                • Instruction Fuzzy Hash: 1C511873B1A29157EB28CB2CD8402AD7B61E799BC4F44413ADA8DD734ADE2DDA05CB40
                                                                                Function 00007FF8A32CC450 Relevance: 1.4, Strings: 1, Instructions: 139COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @
                                                                                • API String ID: 0-2766056989
                                                                                • Opcode ID: f41ca6032ca40ac30833efab4000289aebcc984fbc43599afd111aabad1020db
                                                                                • Instruction ID: 794ad113f8b82a956cf1cceb64fde3b5a1e3ab0f2f2472412816056f9f4c11e1
                                                                                • Opcode Fuzzy Hash: f41ca6032ca40ac30833efab4000289aebcc984fbc43599afd111aabad1020db
                                                                                • Instruction Fuzzy Hash: 0641E472716A5886EF04CF2AD4142A973A1FB98FD4B49A036DF1DA7758EE3DD442C300
                                                                                Function 00007FF8A330C9F0 Relevance: .7, Instructions: 732COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e243d8a996a4e06531df247d2c9dc36155e2b2a4447b2c97d07469e0453a1c0f
                                                                                • Instruction ID: a2bb4c9c5ebb63ab92f25c2a4183f20b2233f9d2fdbf6d51f9dc57037b26fde1
                                                                                • Opcode Fuzzy Hash: e243d8a996a4e06531df247d2c9dc36155e2b2a4447b2c97d07469e0453a1c0f
                                                                                • Instruction Fuzzy Hash: 8F52F8323112288BE651CF1E995CE6A33F4F75D7C57826216FB8D9B345D62CAC01EBA0
                                                                                Function 00007FF8A32F0BA0 Relevance: .6, Instructions: 561COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 48d5e6da25d330b6344994a75842a6f420933d854714a96e3d8d84d95754ae4f
                                                                                • Instruction ID: 513c59f7dcbddd8c3294a7e70156d8b6faa57890943d5bd7f6ecd12e1cd802b1
                                                                                • Opcode Fuzzy Hash: 48d5e6da25d330b6344994a75842a6f420933d854714a96e3d8d84d95754ae4f
                                                                                • Instruction Fuzzy Hash: 8D32DA72A0A681AAEB10CF25D4403BD7BA1FB44BCAF518135DA4E6778DDEBEE451C700
                                                                                Function 00007FF8A340E9D0 Relevance: .4, Instructions: 415COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 19e046169303616922fa56fc4c702e76ca1b0e0df75fcd73fb40612c518f53be
                                                                                • Instruction ID: d7c6184bbfe51543b26200bfa50047d961bab9ddb97bb21d645128b8b06ffcfa
                                                                                • Opcode Fuzzy Hash: 19e046169303616922fa56fc4c702e76ca1b0e0df75fcd73fb40612c518f53be
                                                                                • Instruction Fuzzy Hash: 60E16C63F0FA825AEB754734A0113BD3B62DB733C0F088536C68A967C1D92EE59AD711
                                                                                Function 00007FF8A32E28A0 Relevance: .3, Instructions: 340COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f2484bee64e53bfd171d50bd9386eb827ed36f82897ce8ecb39a4fab617f6afb
                                                                                • Instruction ID: 353c14b9d8970b041e637b3c12411b1692b9fd9d423ba0d98356eb7a3debf612
                                                                                • Opcode Fuzzy Hash: f2484bee64e53bfd171d50bd9386eb827ed36f82897ce8ecb39a4fab617f6afb
                                                                                • Instruction Fuzzy Hash: E2C15953E3E39A5AFB254738A0023B96F11E7263D0F340135D28F57ADAE92EE656C701
                                                                                Function 00007FF8A3342CB0 Relevance: .3, Instructions: 329COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2c01d7c14862e278166bc47f99e381f39ba984b264606ce2299e7899493ff5d2
                                                                                • Instruction ID: 64b6e4a847a193763295defb6bce1b698ba557b72a86df2495d7ad4843e9afe0
                                                                                • Opcode Fuzzy Hash: 2c01d7c14862e278166bc47f99e381f39ba984b264606ce2299e7899493ff5d2
                                                                                • Instruction Fuzzy Hash: 7BE1AD36A0AB41DAEB20CF25E4402BD77A5FB48BD9B144131EE8D67B58CF3AE115C700
                                                                                Function 00007FF8A3338980 Relevance: .3, Instructions: 307COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f33a21cfa2ebf3380d97e18f7ca41c3e704afd913560162294cf1aca73d5d479
                                                                                • Instruction ID: f506e3e75a2e276121b8f00aef7572f7dab41b3af44ff67f67e74fe4c07f631b
                                                                                • Opcode Fuzzy Hash: f33a21cfa2ebf3380d97e18f7ca41c3e704afd913560162294cf1aca73d5d479
                                                                                • Instruction Fuzzy Hash: 70C1EDA2A0FB429AEB508F25A44027867E4FB54BC8F049139CE4DAB759EF7EE445C340
                                                                                Function 00007FF8A330C470 Relevance: .3, Instructions: 284COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8c4fb59197b49d251e1429614465741796fced89be9a03fa05203de06490b65e
                                                                                • Instruction ID: 52350a704caf64ab2a1bbe35d8609dd3e0bda0c0c2d2e6a7ed8779e6b139a8d9
                                                                                • Opcode Fuzzy Hash: 8c4fb59197b49d251e1429614465741796fced89be9a03fa05203de06490b65e
                                                                                • Instruction Fuzzy Hash: 56C14B63A0E6D156E7658B79A0503FD3BA0FB56789F080036EF8E1B687DA3DE540C724
                                                                                Function 00007FF8A33405B0 Relevance: .3, Instructions: 264COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 784546c4abcc928bf2e0d8a10864477b4525827bbf050c9b24e4ca24845e3324
                                                                                • Instruction ID: 7edd1e517deb86b511c84510d22e6819a4fad2a75c2284881b3f9aabff311086
                                                                                • Opcode Fuzzy Hash: 784546c4abcc928bf2e0d8a10864477b4525827bbf050c9b24e4ca24845e3324
                                                                                • Instruction Fuzzy Hash: 68B17D32B0EB42A6EA549F25E59067AE3A0FF85BC6F040135EA4E93754DF3EE441CB40
                                                                                Function 00007FF8A3324AE0 Relevance: .2, Instructions: 192COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f7ed60604729252431dc328d1f313da4fc14584086b6390a1da34e459d7f0d99
                                                                                • Instruction ID: 367e6fa849201d5309ee259fe7f875361388669a2922c2f61c0b17da2554b839
                                                                                • Opcode Fuzzy Hash: f7ed60604729252431dc328d1f313da4fc14584086b6390a1da34e459d7f0d99
                                                                                • Instruction Fuzzy Hash: 4381A172A0EB46A2DB208F69E441769B7A0FBA9BC4F458231DE8D63754DF3DD541CB00
                                                                                Function 00007FF8A331CAD0 Relevance: .2, Instructions: 183COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f915d7582f38e9487036f485e5c9a5a085bc1cdc66bd288117bb4a63e3d09bd9
                                                                                • Instruction ID: 9d65826b96d92c08739daf2ac461ecdd5ed3e28c521cf3859226b086779eb068
                                                                                • Opcode Fuzzy Hash: f915d7582f38e9487036f485e5c9a5a085bc1cdc66bd288117bb4a63e3d09bd9
                                                                                • Instruction Fuzzy Hash: 2E61CA32D0EE46A1FF668A69B44537A6791FF44BC4F144132DD9EB2690DE2EE8C2D700
                                                                                Function 00007FF8A32E6420 Relevance: .1, Instructions: 147COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: eae5bf69dc986dbd14f1018e7ce62fa445fadcb0881a559201a5c692d5f809a0
                                                                                • Instruction ID: 28a47f8fe0a3a77bc22b9183165d9e10edcb8f6b449a337e23c81d62aa4ecce5
                                                                                • Opcode Fuzzy Hash: eae5bf69dc986dbd14f1018e7ce62fa445fadcb0881a559201a5c692d5f809a0
                                                                                • Instruction Fuzzy Hash: 3151A572B09B4296EBA08B15D0413BA7BA0FB84BCAF244135DE4E67768EF3DD455CB40
                                                                                Function 00007FF8A330E9E0 Relevance: .1, Instructions: 129COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 82508a295d65b1efd5186027c83cb88d099415ee53633dd913bd9a3476e907b5
                                                                                • Instruction ID: 8e3a2c091070ef6328da68aa192c01f6edd59604d2af42b0aa8e6e39d29f7981
                                                                                • Opcode Fuzzy Hash: 82508a295d65b1efd5186027c83cb88d099415ee53633dd913bd9a3476e907b5
                                                                                • Instruction Fuzzy Hash: 265146B37241658BD798CF2DC468E2D37E0E70E3417669029EA48CBB45CA3BE950CF94
                                                                                Function 00007FF8A32D1074 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                • API String ID: 3215553584-2617248754
                                                                                • Opcode ID: 25ac09140e59b746b7fc92312996be3a4aaa36e54969319e2e59dbbd809b7326
                                                                                • Instruction ID: bd93a21a60ac496110e97b711f15d3ff04700a1ce2831b8dbf9c348fc61b9e96
                                                                                • Opcode Fuzzy Hash: 25ac09140e59b746b7fc92312996be3a4aaa36e54969319e2e59dbbd809b7326
                                                                                • Instruction Fuzzy Hash: A6419D36A0AB85A9E705CB25E8417A933A4FB147C8F404636EE5C67B98DE7ED065C380
                                                                                Function 00007FF8A330EBF0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 44COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: DebugOutputString
                                                                                • String ID: VerifyClrCleanup$done with cleanup.$eeeSdk1: %s HRESULT 0x%016X$invalid ICLRRuntimeHost pointer.$invalid ICLRRuntimeHost.
                                                                                • API String ID: 1166629820-803544626
                                                                                • Opcode ID: e8e2ef70cc1839877d3aa637ff7f932edc0b40bf8ca5a30ca92ef6c719cd90dc
                                                                                • Instruction ID: ca9224df730462a7218174635ed506b02826ebc681452c7bd34866e71634676f
                                                                                • Opcode Fuzzy Hash: e8e2ef70cc1839877d3aa637ff7f932edc0b40bf8ca5a30ca92ef6c719cd90dc
                                                                                • Instruction Fuzzy Hash: AC112E25A2FE46A2EB51DB60F8503B97760FF68B84F400136DA4E93654DF3EE5098700
                                                                                Function 00007FF8A32C6AC0 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 492COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: +$-$f$p
                                                                                • API String ID: 3215553584-588565063
                                                                                • Opcode ID: 18cdb82c33907fb803bb1e5d23cd3fcdbf2b03280e4c7c547309946e042c8b78
                                                                                • Instruction ID: dca4000894b37fa603bba794d51ee538dbbf89c8f9d3138f91c4e172de085b95
                                                                                • Opcode Fuzzy Hash: 18cdb82c33907fb803bb1e5d23cd3fcdbf2b03280e4c7c547309946e042c8b78
                                                                                • Instruction Fuzzy Hash: 1F12D722E0E153A9FB609B18D04467A7662EB507D6FDC4232E7AD276CCDB3FE5408B41
                                                                                Function 00007FF8A32CB0B8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID: "$cosh
                                                                                • API String ID: 1156100317-3800341493
                                                                                • Opcode ID: 8757736c37fc056bad7d9670f00db4da01e1c0003592e8e6b9f462b032a8f728
                                                                                • Instruction ID: 0ff07551743b2a0b5191a9b0c4315e741d4aa644530c0fecaea8a4a0710b6de4
                                                                                • Opcode Fuzzy Hash: 8757736c37fc056bad7d9670f00db4da01e1c0003592e8e6b9f462b032a8f728
                                                                                • Instruction Fuzzy Hash: 6881D821E2AF8599D263CB34A4513B67358FF6A3D5F018333E68F72A55DF2DA1838640
                                                                                Function 00007FF8A32D839C Relevance: 7.8, APIs: 5, Instructions: 265COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 27fbf2b2734d97e4282330a3901d49780c4251a2f1ae339d9b385b6c9733cdfe
                                                                                • Instruction ID: 798459d4c27a0afc1445fc44ecbbb087112ce544317cc610333a8e0f65cb1a00
                                                                                • Opcode Fuzzy Hash: 27fbf2b2734d97e4282330a3901d49780c4251a2f1ae339d9b385b6c9733cdfe
                                                                                • Instruction Fuzzy Hash: 7CA1E262B0A78666FB618F6094003BA66D1FF40BE5F584635DA2D277C9EFBEE4448340
                                                                                Function 00007FF8A32CCBC4 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 4fd26bf0d160f0110e20b158216c27a2591328342d34bf1eb5fb4ec7a9b79ec4
                                                                                • Instruction ID: c012c1489ee1369f2998db756185fb52e65d99ece40f5c3deeba55e1f265c9cd
                                                                                • Opcode Fuzzy Hash: 4fd26bf0d160f0110e20b158216c27a2591328342d34bf1eb5fb4ec7a9b79ec4
                                                                                • Instruction Fuzzy Hash: B7110667E4E62321F6585169E5423791041EFD4BF2F048630EB7E226EECE2FAE434100
                                                                                Function 00007FF8A32EC950 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 321COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: __swprintf_l
                                                                                • String ID: $recursively defined fts5 content table
                                                                                • API String ID: 1488884202-3751721463
                                                                                • Opcode ID: 97ca6076488d2f5055a21fe9863848d14c9733657af8777023e86539d8ae259b
                                                                                • Instruction ID: 77ecb72d1c401a82d2f091c547a905fccff2c6fe70465833e60176d16a8b57af
                                                                                • Opcode Fuzzy Hash: 97ca6076488d2f5055a21fe9863848d14c9733657af8777023e86539d8ae259b
                                                                                • Instruction Fuzzy Hash: 4DD13A7290A6919AE731CF65900137A3FA4FB95BD9F244231CE4E53788EB3ED490CB40
                                                                                Function 00007FF8A32C4824 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 177COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID: "$sinh
                                                                                • API String ID: 1156100317-1232919748
                                                                                • Opcode ID: 8450cffdf09b73753949fffc0fe109d660e1a31e99fd28917b50a45c42d1ae47
                                                                                • Instruction ID: 5c5b6d04d750c6386e1490b3bf2bd3ddde95c78d3125a7b81e959739ca388523
                                                                                • Opcode Fuzzy Hash: 8450cffdf09b73753949fffc0fe109d660e1a31e99fd28917b50a45c42d1ae47
                                                                                • Instruction Fuzzy Hash: BC91E921E2AF8598D2638B34A4413B67358FF6A3D5F109337E68E72A55DF2DE0838740
                                                                                Function 00007FF8A32D029C Relevance: 6.1, APIs: 4, Instructions: 104COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                • String ID:
                                                                                • API String ID: 4141327611-0
                                                                                • Opcode ID: 5cc1ef7e42a5b7d31ff5898279cf51f1fab0af92e74713b6f4532a0696defd6e
                                                                                • Instruction ID: a9a4cf86d4542e7a2ff2a17f7e4bd6071fbff521285235601bf49bf7319383ec
                                                                                • Opcode Fuzzy Hash: 5cc1ef7e42a5b7d31ff5898279cf51f1fab0af92e74713b6f4532a0696defd6e
                                                                                • Instruction Fuzzy Hash: C3419022A0A64266FBA59A15D1443BDE2A0FF50BD1F248131DA9D26EADCE7EE8418700
                                                                                Function 00007FF8A32D2C8C Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF8A32CBF97,?,?,?,00007FF8A32CBF52), ref: 00007FF8A32D2CA5
                                                                                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF8A32CBF97,?,?,?,00007FF8A32CBF52), ref: 00007FF8A32D2D07
                                                                                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF8A32CBF97,?,?,?,00007FF8A32CBF52), ref: 00007FF8A32D2D41
                                                                                • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF8A32CBF97,?,?,?,00007FF8A32CBF52), ref: 00007FF8A32D2D6B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                • String ID:
                                                                                • API String ID: 1557788787-0
                                                                                • Opcode ID: 9e23daa85159d19bef0ca58b63067bb985cf293bfe3b22a45f161cea706bfbcc
                                                                                • Instruction ID: 643a8ef7a56519305925b4d59d33d486fd95472148816ad5f8b081b1e3084137
                                                                                • Opcode Fuzzy Hash: 9e23daa85159d19bef0ca58b63067bb985cf293bfe3b22a45f161cea706bfbcc
                                                                                • Instruction Fuzzy Hash: C8216531F1AB9591E6608F12B44012AB6A4FB98FD1B084235DE9E73BACDF7DE4528740
                                                                                Function 00007FF8A32D07E8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: gfffffff
                                                                                • API String ID: 3215553584-1523873471
                                                                                • Opcode ID: b2135e49d60cd569980c9e2dde701408d3b9ac0a2190d54199b28f8b771d54ce
                                                                                • Instruction ID: 08dabe49d516ad1cf6b03d744754bd43eea34969a62b0a5ab0b17a0d0fd191c8
                                                                                • Opcode Fuzzy Hash: b2135e49d60cd569980c9e2dde701408d3b9ac0a2190d54199b28f8b771d54ce
                                                                                • Instruction Fuzzy Hash: 3A913862B0A38A96EB118F25A1403EDAB55EB25BD1F14C131CB8D173A9DE7EE515C301
                                                                                Function 00007FF8A32D0C18 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: e+000$gfff
                                                                                • API String ID: 3215553584-3030954782
                                                                                • Opcode ID: 834eb46729ba5cbca40da0abe856bd7d0ed58afc2f215c449607780fd3512e0e
                                                                                • Instruction ID: aa91951840b0a3a6207ee1c2d4626417704cca14c92e956f8fae1f803b1f3155
                                                                                • Opcode Fuzzy Hash: 834eb46729ba5cbca40da0abe856bd7d0ed58afc2f215c449607780fd3512e0e
                                                                                • Instruction Fuzzy Hash: 44513862B197C156E7658F3598413ADAB91EB81BD1F08C232C79C57BEECE6EE044C700
                                                                                Function 00007FF8A33ACFE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: __swprintf_l
                                                                                • String ID: DELETE FROM %Q.%s WHERE %s=%Q$sqlite_stat%d
                                                                                • API String ID: 1488884202-3667113883
                                                                                • Opcode ID: cb98bb72cff4c9c94be591be44568ca514b0d2dc5d2fe9acd71ac478794455a9
                                                                                • Instruction ID: 0d4213d7cfd5b48389759da7e1aaba570fd9a0c78104e944d5d1272b6e600864
                                                                                • Opcode Fuzzy Hash: cb98bb72cff4c9c94be591be44568ca514b0d2dc5d2fe9acd71ac478794455a9
                                                                                • Instruction Fuzzy Hash: 1C11CE72B0AB45A1EA009F15F4905A96B20FB88BC4F016132EF4D6735AEE3ED142C700
                                                                                Function 00007FF8A32CAFE4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2120135798.00007FF8A32C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8A32C0000, based on PE: true
                                                                                • Associated: 00000002.00000002.2120113093.00007FF8A32C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121511476.00007FF8A3418000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121782566.00007FF8A345B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000002.00000002.2121822987.00007FF8A3461000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff8a32c0000_windows.jbxd
                                                                                Similarity
                                                                                • API ID: _handle_error
                                                                                • String ID: !$sqrt
                                                                                • API String ID: 1757819995-799759792
                                                                                • Opcode ID: 93151d418f2c6ca5b64dffe0a8e3d299c06f154a4f026626afe4ad18a7d2c7f1
                                                                                • Instruction ID: 34f85108f150f3034a065866fbf9a44287e1c88ab44d5a1f1d2071da70e2b85a
                                                                                • Opcode Fuzzy Hash: 93151d418f2c6ca5b64dffe0a8e3d299c06f154a4f026626afe4ad18a7d2c7f1
                                                                                • Instruction Fuzzy Hash: 5B118272D1DB8593DE41CF11A40032A6661FF967E4F104331EA7C2A7C8DF2EE0459B00
                                                                                Function 00007FF84911891A Relevance: 5.0, Strings: 4, Instructions: 45COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2119489290.00007FF849110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849110000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ff849110000_windows.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: #_^$#_^$#_^$#_^
                                                                                • API String ID: 0-1124197438
                                                                                • Opcode ID: 5f464397ed1768beefd5bfe41d0945eae0a8ac1bc022deec2d2fcc08ec347abb
                                                                                • Instruction ID: 5026284fb6ac12c00f6a1db397c6b873ae14ffae569b58b9e08d2360f7f1719e
                                                                                • Opcode Fuzzy Hash: 5f464397ed1768beefd5bfe41d0945eae0a8ac1bc022deec2d2fcc08ec347abb
                                                                                • Instruction Fuzzy Hash: 540196FBD09ACA6FE718991958CB055A7C0FF28348F9860BE89584B183FD1A14478A16